Bug 87985

Summary: up2date fails with SSL handshake failure
Product: Red Hat Enterprise Linux 4
Component: up2date
Version: 4.0
Hardware: i386
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Joe <jbly>
Assignee: Adrian Likins <alikins>
QA Contact: Red Hat Satellite QA List <satellite-qa-list>
CC: rhn-bugs
Doc Type: Bug Fix
Last Closed: 2003-04-04 21:56:12 UTC
Attachments: Full Error message (flags: none)

Description Joe 2003-04-04 10:22:49 UTC
Description of problem:
(This may be related to bug 69781, except in that case, the error message came 
after a successful connection.)

My system is having problems connecting to RHN via up2date. I've tried the 
applet, and I've tried up2date on the command line, both with and without the 
--nox option. With the GUI version, I get an error window, and with the command 
line version, I get a shorter version of the same message. 

I signed up for the basic service two days ago, but still no luck connecting. 

I built a second RH linux box, but no-go with that one either...but the first 
time the error window popped up, at least there was another window behind it 
asking me to install the GPG key.

When I try to register the second machine, the GUI freezes on the first window. 
Registering via "up2date --register" or "up2date --nox --register" fails as 
well. After about 10 minutes, the SSL error message pops up again.

I can connect via telnet to 443
The rhnsd service is running, set to run in levels 3, 4, and 5.
Date/Time are set appropriately via NTP.
Nameservers are set correctly in /etc/resolv.conf
Satellite connection.
URLs in up2date config file are correct.

This problem started 4 days ago, and up2date worked fine before then. Nothing 
unusual was done/changed to the system or firewall.
The second system is a fresh install and has never had a successful connection 
to RHN.
Reproducible always on both.

Some interesting things I noticed:

1) This started about the same time that 9.0 ISO was released for downloading.

2) tcpdump shows successful DNS query, then syn flag from me to RHN, then 
syn/ack from RHN, then a series of unanswered acks from me to RHN, then about 
3-4 minutes later, a fin from RHN, then a rst.

3) what really is weird, and may be a good clue (I hope): I can't connect via 
web browser to *any* of the sites, http or https. Only RedHat sites. 
Any other site is browsable. My non-linux computers can connect to 
<server> just fine. The tcpdump for this shows the same pattern as 
above. The nameserver pops right up with an IP for RedHat servers.

Version-Release number of selected component (if applicable):
kernel v. 2.4.18-27.8.0
openSSL v. 0.9.6b
up2date v. 3.0.7

How reproducible:

Steps to Reproduce:
1. Run up2date in any form (GUI or command line)
2. Error occurs
Actual results:
Error: [('SSL routines', 'SSL23_WRITE', 'ssl handshake failure')]

Expected results:
Successful connection

Additional info:
/usr/sbin/stunnel -r -cf -v 2 -A /usr/share/rhn/RHNS-

2003.04.03 20:48:28 LOG5[14407:16384]: Using '' as 
tcpwrapper service name
2003.04.03 20:48:28 LOG5[14407:16384]: stunnel 3.22 on i386-redhat-linux-gnu 
PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001
It stopped after it supposed to spew forth anything after this?

Comment 1 Joe 2003-04-04 17:24:01 UTC
Created attachment 90901: Full Error message

Comment 2 Mihai Ibanescu 2003-04-04 17:33:34 UTC
As a result of your stunnel, you should have also seen:

2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=1, /C=US/ST=North
Carolina/L=Research Triangle Park/O=Red Hat, Inc./OU=Red Hat Network
Services/CN=RHNS Certificate Authority/
2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=0, /C=US/ST=North
Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat

Is there a firewall that blocks outgoing port 443 traffic? From the non-linux
machines can you use SSL?

Comment 3 Joe 2003-04-04 17:53:58 UTC
The firewall allows 443 traffic. 

I can connect via https on the linux computers to non-redhat sites.

Other computers connect through just fine on https to redhat site.

Comment 4 Mihai Ibanescu 2003-04-04 18:04:58 UTC
Can you:

telnet 443

You should see:
Connected to (
Escape character is '^]'.

Comment 5 Joe 2003-04-04 21:56:12 UTC
Mihai, thanks for the troubleshooting tips. Your first one got me thinking. If 
other computers can connect, then why not use one of them as a proxy? 

So, I set up a different proxy machine, pointed the linux machines at it, and 
now the SSL on the linux machines works just fine. Up2date is working fine now.

Diagnosis: Windows-based firewall is in a sorry state. Solution: Replace with 
linux firewall & proxy.

I respectfully and apologetically withdraw this bug report.
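
Added example (not part of the original bug report or of up2date): the staged check the thread performs by hand, separating "TCP connect to 443 works" from "SSL handshake completes", so a device that accepts the connection and then silently drops the handshake shows up as a TLS-stage timeout. The function name `probe` and its return values are assumptions made for this illustration.

```python
import socket
import ssl
import sys


def probe(host, port=443, timeout=5.0, context=None):
    """Report the first stage that fails: 'dns', 'tcp', 'tls', or 'ok'.

    Returns (stage, detail). ('tls', 'timeout') matches the pattern in this
    report: the three-way handshake completes (telnet to 443 connects), but
    nothing answers the ClientHello.
    """
    # Stage 1: name resolution (the reporter's nameserver answered fine).
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))

    # Stage 2: plain TCP connect, the equivalent of "telnet <host> 443".
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", type(exc).__name__)

    # Stage 3: TLS handshake on the already-connected socket.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except socket.timeout:
        # Connected, then silence: suspect a firewall or proxy on the path.
        return ("tls", "timeout")
    except (ssl.SSLError, OSError) as exc:
        # Alert, reset, or certificate failure: the peer or a middlebox replied.
        return ("tls", type(exc).__name__)
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target, target_port))
```

Running it from both the failing machine and a working one on the same network narrows the fault to the host or to the path, which is the comparison that led to the firewall diagnosis here.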