Issue #476
closed
pulp does not run on Fedora 21 beta
Description
The Pulp bindings explicitly configure an m2crypto SSL Context() object with 'sslv3'. My theory is that this is conflicting with Fedora 21+'s new crypto policies[0], which disallow certain cryptography operations by default. I've not dug into the problems deeply enought to be sure of this, but I do know that this context is causing this traceback in Fedora rawhide:
2014-07-24 15:51:35,871 - ERROR - Client-side exception occurred
Traceback (most recent call last):
File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/core.py", line 478, in run
exit_code = Cli.run(self, args)
File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
exit_code = command_or_section.execute(self.prompt, remaining_args)
File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/extensions.py", line 224, in execute
return self.method(arg_list, **clean_kwargs)
File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 342, in run
self.display_repositories(*kwargs)
File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 370, in display_repositories
repo_list = self.get_repositories(query_params, **kwargs)
File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 24, in get_repositories
all_repos = self._all_repos(query_params, **kwargs)
File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 66, in _all_repos
self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body
File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/repository.py", line 34, in repositories
return self.server.GET (path, query_parameters)
File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 85, in GET
return self._request('GET', path, queries)
File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 135, in _request
response_code, response_body = self.server_wrapper.request(method, url, body)
File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 285, in request
connection.request(method, url, body=body, headers=headers)
File "/usr/lib64/python2.7/httplib.py", line 995, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1029, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 991, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 844, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 806, in send
self.connect()
File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
sock.connect((self.host, self.port))
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
ret = self.connect_ssl()
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure
For connections that don't use a context at all, m2crypto is able to connect to the Pulp server correctly. I've also been able to eliminate the server by ensuring that curl and wget are able to accept the Pulp API without issue.
[0] http://fedoraproject.org/wiki/Changes/CryptoPolicy
+ This bug was cloned from Bugzilla Bug #1123515 +
Updated by rbarlow about 9 years ago
I just learned a bit about the supported values for the Context object's protocol argument:
[rbarlow@coconut ~]$ python
Python 2.7.5 (default, Feb 19 2014, 13:47:28)
[GCC 4.8.2 20131212 (Red Hat 4.8.2-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
import ssl
dir(ssl)
['CERT_NONE', 'CERT_OPTIONAL', 'CERT_REQUIRED', 'DER_cert_to_PEM_cert', 'OPENSSL_VERSION', 'OPENSSL_VERSION_INFO', 'OPENSSL_VERSION_NUMBER', 'PEM_FOOTER', 'PEM_HEADER', 'PEM_cert_to_DER_cert', 'PROTOCOL_SSLv2', 'PROTOCOL_SSLv23', 'PROTOCOL_SSLv3', 'PROTOCOL_TLSv1', 'RAND_add', 'RAND_egd', 'RAND_status', 'SSLError', 'SSLSocket', 'SSL_ERROR_EOF', 'SSL_ERROR_INVALID_ERROR_CODE', 'SSL_ERROR_SSL', 'SSL_ERROR_SYSCALL', 'SSL_ERROR_WANT_CONNECT', 'SSL_ERROR_WANT_READ', 'SSL_ERROR_WANT_WRITE', 'SSL_ERROR_WANT_X509_LOOKUP', 'SSL_ERROR_ZERO_RETURN', '_DEFAULT_CIPHERS', '_PROTOCOL_NAMES', '_SSLv2_IF_EXISTS', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '_delegate_methods', '_fileobject', '_getnameinfo', '_ssl', 'base64', 'cert_time_to_seconds', 'errno', 'get_protocol_name', 'get_server_certificate', 'socket', 'socket_error', 'sslwrap_simple', 'textwrap', 'wrap_socket']
print ssl._PROTOCOL_NAMES
{0: 'SSLv2', 1: 'SSLv3', 2: 'SSLv23', 3: 'TLSv1'}
This may or may not be useful in figuring out what is going on in rawhide.
+ This comment was cloned from Bugzilla #1123515 comment 1 +
Updated by cduryee about 9 years ago
Moving back to NEW state for now. This is a good BZ to examine after the F21 beta is released.
+ This comment was cloned from Bugzilla #1123515 comment 2 +
Updated by cduryee about 9 years ago
I hit an issue related to kombu with F21 beta but the bindings appear to work OK for me. Do I need to run with verify_ssl enabled? I get the correct error when verify_ssl is not set to False.
+ This comment was cloned from Bugzilla #1123515 comment 3 +
Updated by rbarlow about 9 years ago
Oh wow, I forgot about this. In fixing our POODLE bugs, I changed that argument from "sslv3" to "sslv23", which I now know means "do any protocol you know how to do, including TLS".
I think we can forget about the crypto part of this bug, but I suppose we should fix the other issues you mentioned. Want to keep this bug open to fix those? Can you document what they were?
+ This comment was cloned from Bugzilla #1123515 comment 4 +
Updated by cduryee about 9 years ago
Glad to hear the poodle fix also fixed this:)
I will change the BZ to a general "Pulp does not work on F21 beta" bug.
+ This comment was cloned from Bugzilla #1123515 comment 5 +
Updated by cduryee about 9 years ago
python-kombu 3.0.24 will fix this on fedora 21.
We need to ensure all versions of qpid for various dists have the correct patch. Leaving bz as assigned until kombu is upgraded to 3.0.24 in our deps dir.
+ This comment was cloned from Bugzilla #1123515 comment 6 +
Updated by cduryee about 9 years ago
fixed in pulp 2.6.0-0.2.beta
+ This comment was cloned from Bugzilla #1123515 comment 7 +
Updated by igulina@redhat.com about 9 years ago
rpm -qa pulp-server
pulp-server-2.6.0-0.5.beta.fc21.noarch
pulp-admin -u admin -p admin rpm repo list
--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------
Id: krevetka
Display Name: krevetka
Description: None
Content Unit Counts:
Id: rybka
Display Name: rybka
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
Rpm: 32
pulp-admin -u admin -p admin rpm repo create --repo-id suslik
Successfully created repository [suslik]
pulp-admin -u admin -p admin rpm repo update --repo-id suslik --display-name="Suslik Grisha"
Repository [suslik] successfully updated
pulp-admin -u admin -p admin rpm repo list
--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------
Id: krevetka
Display Name: krevetka
Description: None
Content Unit Counts:
Id: rybka
Display Name: rybka
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
Rpm: 32
Id: suslik
Display Name: Suslik Grisha
Description: None
Content Unit Counts:
+ This comment was cloned from Bugzilla #1123515 comment 8 +
Updated by rbarlow about 9 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
.