Bug 87985 - up2date fails with SSL handshake failure
Summary: up2date fails with SSL handshake failure
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: up2date
Version: 4.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Adrian Likins
QA Contact: Red Hat Satellite QA List
Depends On:
Reported: 2003-04-04 10:22 UTC by Joe
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-04-04 21:56:12 UTC
Target Upstream Version:

Attachments
Full Error message (1.59 KB, text/plain)
2003-04-04 17:24 UTC, Joe

Description Joe 2003-04-04 10:22:49 UTC
Description of problem:
(This may be related to bug 69781, except in that case, the error message came 
after a successful connection.)

My system is having problems connecting to RHN via up2date. I've tried the 
applet, and I've tried up2date on the command line, both with and without the 
--nox option. With the GUI version, I get an error window, and with the command 
line version, I get a shorter version of the same message. 

I signed up for the basic service two days ago, but still no luck connecting. 

I built a second RH linux box, but no-go with that one either...but the first 
time the error window popped up, at least there was another window behind it 
asking me to install the GPG key.

When I try to register the second machine, the GUI freezes on the first window. 
Registering via "up2date --register" or "up2date --nox --register" fails as 
well. After about 10 minutes, the SSL error message pops up again.

I can connect via telnet to xmlrpc.rhn.redhat.com 443
The rhnsd service is running, set to run in levels 3, 4, and 5.
Date/Time are set appropriately via NTP.
Nameservers are set correctly in /etc/resolv.conf
Satellite connection.
URLs in up2date config file are correct.

This problem started 4 days ago, and up2date worked fine before then. Nothing 
unusual was done/changed to the system or firewall.
The second system is a fresh install and has never had a successful connection 
to RHN.
Reproducible always on both.

Some interesting things I noticed:

1) This started about the same time that 9.0 ISO was released for downloading.

2) tcpdump shows successful DNS query, then syn flag from me to RHN, then 
syn/ack from RHN, then a series of unanswered acks from me to RHN, then about 
3-4 minutes later, a fin from RHN, then a rst.

3) What really is weird, and may be a good clue (I hope): I can't connect via 
web browser to *any* of the redhat.com sites, http or https. Only Red Hat sites. 
Any other site is browsable. My non-Linux computers can connect to 
<server>.redhat.com just fine. The tcpdump for this shows the same pattern as 
above. The nameserver pops right up with an IP for Red Hat servers.

Version-Release number of selected component (if applicable):
kernel v. 2.4.18-27.8.0
openSSL v. 0.9.6b
up2date v. 3.0.7

How reproducible:

Steps to Reproduce:
1. Run up2date in any form (GUI or command line)
2. Error occurs
Actual results:
Error: [('SSL routines', 'SSL23_WRITE', 'ssl handshake failure')]

Expected results:
Successful connection

Additional info:
/usr/sbin/stunnel -r xmlrpc.rhn.redhat.com:443 -cf -v 2 -A /usr/share/rhn/RHNS-

2003.04.03 20:48:28 LOG5[14407:16384]: Using 'xmlrpc.rhn.redhat.com.443' as tcpwrapper service name
2003.04.03 20:48:28 LOG5[14407:16384]: stunnel 3.22 on i386-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001
It stopped after that...is it supposed to spew forth anything after this?

Comment 1 Joe 2003-04-04 17:24:01 UTC
Created attachment 90901 [details]
Full Error message

Comment 2 Mihai Ibanescu 2003-04-04 17:33:34 UTC
As a result of your stunnel, you should have also seen:

2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=1, /C=US/ST=North Carolina/L=Research Triangle Park/O=Red Hat, Inc./OU=Red Hat Network Services/CN=RHNS Certificate Authority/Email=rhns@redhat.com
2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=0, /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat

Is there a firewall that blocks outgoing port 443 traffic? From the non-linux
machines can you use SSL? https://www.redhat.com

Comment 3 Joe 2003-04-04 17:53:58 UTC
The firewall allows 443 traffic. 

I can connect via https on the linux computers to non-redhat sites.

Other computers connect through just fine on https to redhat site.

Comment 4 Mihai Ibanescu 2003-04-04 18:04:58 UTC
Can you:

telnet xmlrpc.rhn.redhat.com 443

You should see:
Connected to xmlrpc.rhn.redhat.com (
Escape character is '^]'.

Comment 5 Joe 2003-04-04 21:56:12 UTC
Mihai, thanks for the troubleshooting tips. Your first one got me thinking. If 
other computers can connect, then why not use one of them as a proxy? 

So, I set up a different proxy machine, pointed the linux machines at it, and 
now the SSL on the linux machines works just fine. Up2date is working fine now.

Diagnosis: Windows-based firewall is in a sorry state. Solution: Replace with 
linux firewall & proxy.

I respectfully and apologetically withdraw this bug report.
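
The staged check that the telnet and stunnel tests in this thread perform by hand, as an added example (not part of the original bug report or of up2date): it reports whether a connection fails at DNS, at TCP connect, or only once the TLS handshake starts, which is the pattern the tcpdump in the description shows. The names `probe_tls` and `silent_listener` are hypothetical; the listener is a constructed local stand-in for a path that completes TCP setup but never answers the ClientHello.

```python
import socket
import ssl


def probe_tls(host, port, timeout=3.0):
    """Return (stage, detail) for the first stage that fails, or ("ok", version)."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return ("dns", str(exc))
    try:
        sock = socket.create_connection(addr[:2], timeout=timeout)
    except OSError as exc:
        return ("tcp_connect", str(exc))
    # TCP is established: this is as far as "telnet host 443" can tell you.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except socket.timeout:
        # ClientHello sent, nothing came back before the deadline.
        return ("tls_handshake", "no reply to ClientHello within %.1fs" % timeout)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_handshake", str(exc))
    finally:
        sock.close()


def silent_listener():
    """Constructed stand-in: the kernel completes the TCP handshake for queued
    connections, but nothing ever reads or answers the ClientHello."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = silent_listener()
    port = srv.getsockname()[1]
    print(probe_tls("127.0.0.1", port, timeout=1.0))  # stalls in the handshake
    srv.close()
    print(probe_tls("127.0.0.1", port, timeout=1.0))  # port now closed
```

A `tls_handshake` result combined with a working TCP connect points at something on the path between client and server rather than at the client's SSL library, which matches the resolution in Comment 5.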
