Bug 87985 - up2date fails with SSL handshake failure
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: up2date
Version: 4.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assignee: Adrian Likins
QA Contact: Red Hat Satellite QA List
Reported: 2003-04-04 10:22 UTC by Joe
Modified: 2007-11-30 22:07 UTC (History)
Last Closed: 2003-04-04 21:56:12 UTC


Attachments: Full Error message (deleted), 2003-04-04 17:24 UTC, Joe

Description Joe 2003-04-04 10:22:49 UTC
Description of problem:
(This may be related to bug 69781, except in that case, the error message came 
after a successful connection.)

My system is having problems connecting to RHN via up2date. I've tried the 
applet, and I've tried up2date on the command line, both with and without the 
--nox option. With the GUI version, I get an error window, and with the command 
line version, I get a shorter version of the same message. 

I signed up for the basic service two days ago, but still no luck connecting. 

I built a second RH linux box, but no-go with that one either...but the first 
time the error window popped up, at least there was another window behind it 
asking me to install the GPG key.

When I try to register the second machine, the GUI freezes on the first window. 
Registering via "up2date --register" or "up2date --nox --register" fails as 
well. After about 10 minutes, the SSL error message pops up again.

I can connect via telnet to xmlrpc.rhn.redhat.com 443
The rhnsd service is running, set to run in levels 3, 4, and 5.
Date/Time are set appropriately via NTP.
Nameservers are set correctly in /etc/resolv.conf
Satellite connection.
URLs in up2date config file are correct.

This problem started 4 days ago, and up2date worked fine before then. Nothing 
unusual was done/changed to the system or firewall.
The second system is a fresh install and has never had a successful connection 
to RHN.
Reproducible always on both.

Some interesting things I noticed:

1) This started about the same time that 9.0 ISO was released for downloading.

2) tcpdump shows successful DNS query, then syn flag from me to RHN, then 
syn/ack from RHN, then a series of unanswered acks from me to RHN, then about 
3-4 minutes later, a fin from RHN, then a rst.

3) what really is weird, and may be a good clue (I hope): I can't connect via 
web browser to *any* of the redhat.com sites, http or https. Only RedHat sites. 
Any other site is browsable. My non-linux computers can connect to 
<server>.redhat.com just fine. The tcpdump for this shows the same pattern as 
above. The nameserver pops right up with an IP for RedHat servers.

Version-Release number of selected component (if applicable):
kernel v. 2.4.18-27.8.0
openSSL v. 0.9.6b
up2date v. 3.0.7

How reproducible:
Always.

Steps to Reproduce:
1. Run up2date in any form (GUI or command line)
2. Error occurs
Actual results:
Error: [('SSL routines', 'SSL23_WRITE', 'ssl handshake failure')]

Expected results:
Successful connection

Additional info:
running:
/usr/sbin/stunnel -r xmlrpc.rhn.redhat.com:443 -cf -v 2 -A /usr/share/rhn/RHNS-CA-CERT

produces:
-------------------------
2003.04.03 20:48:28 LOG5[14407:16384]: Using 'xmlrpc.rhn.redhat.com.443' as tcpwrapper service name
2003.04.03 20:48:28 LOG5[14407:16384]: stunnel 3.22 on i386-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001
---------------------------
It stopped after that...is it supposed to spew forth anything after this?

Comment 1 Joe 2003-04-04 17:24:01 UTC
Created attachment 90901 [details]
Full Error message

Comment 2 Mihai Ibanescu 2003-04-04 17:33:34 UTC
As a result of your stunnel, you should have also seen:

2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=1, /C=US/ST=North Carolina/L=Research Triangle Park/O=Red Hat, Inc./OU=Red Hat Network Services/CN=RHNS Certificate Authority/Email=rhns@redhat.com
2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=0, /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=www.rhns.redhat.com/Email=rhn-noc@redhat.com


Is there a firewall that blocks outgoing port 443 traffic? From the non-linux
machines can you use SSL? https://www.redhat.com

Comment 3 Joe 2003-04-04 17:53:58 UTC
The firewall allows 443 traffic. 

I can connect via https on the linux computers to non-redhat sites.

Other computers connect through just fine on https to redhat site.

Comment 4 Mihai Ibanescu 2003-04-04 18:04:58 UTC
Can you:

telnet xmlrpc.rhn.redhat.com 443

You should see:
Trying 66.187.232.100...
Connected to xmlrpc.rhn.redhat.com (66.187.232.100).
Escape character is '^]'.



Comment 5 Joe 2003-04-04 21:56:12 UTC
Mihai, thanks for the troubleshooting tips. Your first one got me thinking. If 
other computers can connect, then why not use one of them as a proxy? 

So, I set up a different proxy machine, pointed the linux machines at it, and 
now the SSL on the linux machines works just fine. Up2date is working fine now.

Diagnosis: Windows-based firewall is in a sorry state. Solution: Replace with 
linux firewall & proxy.

I respectfully and apologetically withdraw this bug report.
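
Added example (not part of the bug thread and not up2date code): the symptom in this thread is a TCP connection to port 443 that opens, as telnet shows, while the SSL handshake never completes. The Python sketch below reports the stage at which a connection stops; the names probe and demo and the loopback listener standing in for the faulty firewall are constructed for illustration.

```python
import socket
import ssl


def probe(host, port, timeout=2.0, cafile=None):
    """Return the stage at which a TLS connection to host:port stops."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"              # SYN never answered
    except OSError:
        return "tcp_failed"               # refused, unreachable, DNS failure
    # TCP is up (what "telnet host 443" confirms); now try the handshake.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except socket.timeout:
        return "tls_handshake_timeout"    # ClientHello sent, nothing came back
    except ssl.SSLCertVerificationError:
        return "tls_cert_verify_failed"
    except (ssl.SSLError, OSError):
        return "tls_handshake_failed"     # alert, reset or early close
    finally:
        sock.close()


def demo():
    """Run probe() against two constructed loopback endpoints."""
    # Listening socket that never accepts or replies: the kernel completes
    # the TCP handshake, but no ServerHello is ever sent.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    # A port that was bound and released, so nothing listens on it.
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()
    try:
        return (probe("127.0.0.1", silent.getsockname()[1], timeout=1.0),
                probe("127.0.0.1", closed_port, timeout=1.0))
    finally:
        silent.close()


if __name__ == "__main__":
    print(demo())
```

Against a real endpoint, pass the CA bundle as cafile; a tls_handshake_timeout result on a port where the TCP connect succeeds points at a device on the path rather than at certificates or the client configuration.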

