|Summary:||up2date fails with SSL handshake failure|
|Product:||Red Hat Enterprise Linux 4||Reporter:||Joe <jbly>|
|Component:||up2date||Assignee:||Adrian Likins <alikins>|
|Status:||CLOSED NOTABUG||QA Contact:||Red Hat Satellite QA List <satellite-qa-list>|
|Doc Type:||Bug Fix|
|Last Closed:||2003-04-04 21:56:12 UTC|
Description Joe 2003-04-04 10:22:49 UTC
Description of problem:

(This may be related to bug 69781, except in that case, the error message came after a successful connection.)

My system is having problems connecting to RHN via up2date. I've tried the applet, and I've tried up2date on the command line, both with and without the --nox option. With the GUI version, I get an error window, and with the command line version, I get a shorter version of the same message. I signed up for the basic service two days ago, but still no luck connecting.

I built a second RH linux box, but no-go with that one either...but the first time the error window popped up, at least there was another window behind it asking me to install the GPG key. When I try to register the second machine, the GUI freezes on the first window. Registering via "up2date --register" or "up2date --nox --register" fails as well. After about 10 minutes, the SSL error message pops up again.

I can connect via telnet to xmlrpc.rhn.redhat.com 443
The rhnsd service is running, set to run in levels 3, 4, and 5.
Date/Time are set appropriately via NTP.
Nameservers are set correctly in /etc/resolv.conf
Satellite connection.
URLs in up2date config file are correct.

This problem started 4 days ago, and up2date worked fine before then. Nothing unusual was done/changed to the system or firewall. The second system is a fresh install and has never had a successful connection to RHN. Reproducible always on both.

Some interesting things I noticed:

1) This started about the same time that 9.0 ISO was released for downloading.
2) tcpdump shows successful DNS query, then syn flag from me to RHN, then syn/ack from RHN, then a series of unanswered acks from me to RHN, then about 3-4 minutes later, a fin from RHN, then a rst.
3) what really is weird, and may be a good clue (I hope): I can't connect via web browser to *any* of the redhat.com sites, http or https. Only RedHat sites. Any other site is browsable. My non-linux computers can connect to <server>.redhat.com just fine. The tcpdump for this shows the same pattern as above. The nameserver pops right up with an IP for RedHat servers.

Version-Release number of selected component (if applicable):
kernel v. 2.4.18-27.8.0
openSSL v. 0.9.6b
up2date v. 3.0.7

How reproducible:
Always.

Steps to Reproduce:
1. Run up2date in any form (GUI or command line)
2. Error occurs

Actual results:
Error: [('SSL routines', 'SSL23_WRITE', 'ssl handshake failure')]

Expected results:
Successful connection

Additional info:
running:
/usr/sbin/stunnel -r xmlrpc.rhn.redhat.com:443 -cf -v 2 -A /usr/share/rhn/RHNS-CA-CERT
produces:
-------------------------
2003.04.03 20:48:28 LOG5[14407:16384]: Using 'xmlrpc.rhn.redhat.com.443' as tcpwrapper service name
2003.04.03 20:48:28 LOG5[14407:16384]: stunnel 3.22 on i386-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001
---------------------------
It stopped after that...is it supposed to spew forth anything after this?
Comment 2 Mihai Ibanescu 2003-04-04 17:33:34 UTC
As a result of your stunnel, you should have also seen:

2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=1, /C=US/ST=North Carolina/L=Research Triangle Park/O=Red Hat, Inc./OU=Red Hat Network Services/CN=RHNS Certificate Authority/Emailfirstname.lastname@example.org
2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=0, /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=www.rhns.redhat.com/Emailemail@example.com

Is there a firewall that blocks outgoing port 443 traffic?
From the non-linux machines can you use SSL? https://www.redhat.com
Comment 3 Joe 2003-04-04 17:53:58 UTC
The firewall allows 443 traffic. I can connect via https on the linux computers to non-redhat sites. Other computers connect through just fine on https to redhat site.
Comment 4 Mihai Ibanescu 2003-04-04 18:04:58 UTC
Can you:

telnet xmlrpc.rhn.redhat.com 443

You should see:

Trying 126.96.36.199...
Connected to xmlrpc.rhn.redhat.com (188.8.131.52).
Escape character is '^]'.
Comment 5 Joe 2003-04-04 21:56:12 UTC
Mihai, thanks for the troubleshooting tips. Your first one got me thinking. If other computers can connect, then why not use one of them as a proxy? So, I set up a different proxy machine, pointed the linux machines at it, and now the SSL on the linux machines works just fine. Up2date is working fine now.

Diagnosis: Windows-based firewall is in a sorry state.
Solution: Replace with linux firewall & proxy.

I respectfully and apologetically withdraw this bug report.
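
The symptom in this thread (telnet to port 443 connects, but the SSL handshake never completes) can be localized by probing each stage separately. The following is an added example, not part of the original bug report or of up2date; the function names `probe`, `demo_stalled_handshake` and `demo_refused` are hypothetical, and the silent local listener is a constructed stand-in for a device on the path that accepts the connection and then drops the traffic.

```python
import socket
import ssl


def probe(host, port=443, timeout=5.0):
    """Return (stage, detail): the first stage that failed, or 'ok'."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, or SYN never answered
        return ("tcp", str(exc))
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except socket.timeout:
        # Pattern from this report: connect works, ClientHello gets no reply.
        return ("tls", "handshake timed out after TCP connect")
    except OSError as exc:  # ssl.SSLError (bad certificate, alert) is an OSError
        return ("tls", str(exc))
    finally:
        sock.close()


def demo_stalled_handshake(timeout=1.0):
    """Constructed case: a listener whose kernel backlog completes the TCP
    handshake but which never sends a byte back."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe("127.0.0.1", srv.getsockname()[1], timeout)


def demo_refused(timeout=1.0):
    """Constructed case: a port that was just released, so connect is refused."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        port = tmp.getsockname()[1]
    return probe("127.0.0.1", port, timeout)


if __name__ == "__main__":
    print(demo_stalled_handshake())
    print(demo_refused())
```

A `("tls", "handshake timed out ...")` result alongside a working handshake from another host on the same network points at something on the path rather than at the client's SSL library or certificates.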