Issue #476

pulp does not run on Fedora 21 beta

Added by rbarlow over 6 years ago. Updated over 2 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: Master
Platform Release: 2.6.0
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

The Pulp bindings explicitly configure an m2crypto SSL Context() object with 'sslv3'. My theory is that this is conflicting with Fedora 21+'s new crypto policies[0], which disallow certain cryptography operations by default. I've not dug into the problems deeply enough to be sure of this, but I do know that this context is causing this traceback in Fedora rawhide:

2014-07-24 15:51:35,871 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/core.py", line 478, in run
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(arg_list, **clean_kwargs)
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 342, in run
    self.display_repositories(**kwargs)
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 370, in display_repositories
    repo_list = self.get_repositories(query_params, **kwargs)
  File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 24, in get_repositories
    all_repos = self._all_repos(query_params, **kwargs)
  File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 66, in _all_repos
    self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/repository.py", line 34, in repositories
    return self.server.GET (path, query_parameters)
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 85, in GET
    return self._request('GET', path, queries)
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 135, in _request
    response_code, response_body = self.server_wrapper.request(method, url, body)
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 285, in request
    connection.request(method, url, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 995, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1029, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 991, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 844, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 806, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
    sock.connect((self.host, self.port))
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure

For connections that don't use a context at all, m2crypto is able to connect to the Pulp server correctly. I've also been able to eliminate the server by ensuring that curl and wget are able to accept the Pulp API without issue.

[0] http://fedoraproject.org/wiki/Changes/CryptoPolicy

+ This bug was cloned from Bugzilla Bug #1123515 +

History

#1 Updated by rbarlow over 6 years ago

I just learned a bit about the supported values for the Context object's protocol argument:

[rbarlow@coconut ~]$ python
Python 2.7.5 (default, Feb 19 2014, 13:47:28)
[GCC 4.8.2 20131212 (Red Hat 4.8.2-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.

>>> import ssl
>>> dir(ssl)

['CERT_NONE', 'CERT_OPTIONAL', 'CERT_REQUIRED', 'DER_cert_to_PEM_cert', 'OPENSSL_VERSION', 'OPENSSL_VERSION_INFO', 'OPENSSL_VERSION_NUMBER', 'PEM_FOOTER', 'PEM_HEADER', 'PEM_cert_to_DER_cert', 'PROTOCOL_SSLv2', 'PROTOCOL_SSLv23', 'PROTOCOL_SSLv3', 'PROTOCOL_TLSv1', 'RAND_add', 'RAND_egd', 'RAND_status', 'SSLError', 'SSLSocket', 'SSL_ERROR_EOF', 'SSL_ERROR_INVALID_ERROR_CODE', 'SSL_ERROR_SSL', 'SSL_ERROR_SYSCALL', 'SSL_ERROR_WANT_CONNECT', 'SSL_ERROR_WANT_READ', 'SSL_ERROR_WANT_WRITE', 'SSL_ERROR_WANT_X509_LOOKUP', 'SSL_ERROR_ZERO_RETURN', '_DEFAULT_CIPHERS', '_PROTOCOL_NAMES', '_SSLv2_IF_EXISTS', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '_delegate_methods', '_fileobject', '_getnameinfo', '_ssl', 'base64', 'cert_time_to_seconds', 'errno', 'get_protocol_name', 'get_server_certificate', 'socket', 'socket_error', 'sslwrap_simple', 'textwrap', 'wrap_socket']

>>> print ssl._PROTOCOL_NAMES

{0: 'SSLv2', 1: 'SSLv3', 2: 'SSLv23', 3: 'TLSv1'}

This may or may not be useful in figuring out what is going on in rawhide.

+ This comment was cloned from Bugzilla #1123515 comment 1 +

#2 Updated by cduryee over 6 years ago

Moving back to NEW state for now. This is a good BZ to examine after the F21 beta is released.

+ This comment was cloned from Bugzilla #1123515 comment 2 +

#3 Updated by cduryee over 6 years ago

I hit an issue related to kombu with F21 beta but the bindings appear to work OK for me. Do I need to run with verify_ssl enabled? I get the correct error when verify_ssl is not set to False.

+ This comment was cloned from Bugzilla #1123515 comment 3 +

#4 Updated by rbarlow over 6 years ago

Oh wow, I forgot about this. In fixing our POODLE bugs, I changed that argument from "sslv3" to "sslv23", which I now know means "do any protocol you know how to do, including TLS".

I think we can forget about the crypto part of this bug, but I suppose we should fix the other issues you mentioned. Want to keep this bug open to fix those? Can you document what they were?

+ This comment was cloned from Bugzilla #1123515 comment 4 +
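The difference between pinning one protocol version and negotiating the best shared one, discussed in the comments above, can be checked on a client context before it is used. This is an added example, not Pulp's code and not part of the original thread; it uses Python 3's standard `ssl` module rather than M2Crypto, and the function names and the TLS 1.2 floor are assumptions made for illustration.

```python
import ssl

# Protocol constants that negotiate the version instead of pinning one.
NEGOTIATING = {ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}


def negotiating_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client context that negotiates the best shared version at or above floor."""
    ctx = ssl.create_default_context()  # PROTOCOL_TLS_CLIENT, verification on
    ctx.minimum_version = floor
    return ctx


def audit_context(ctx, floor=ssl.TLSVersion.TLSv1_2):
    """Return a list of findings for a context; empty means nothing flagged."""
    findings = []
    if ctx.protocol not in NEGOTIATING:
        findings.append("pinned to one protocol version: %s" % ctx.protocol.name)
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 is not disabled")
    if ctx.minimum_version < floor:
        findings.append("minimum version below floor: %s" % ctx.minimum_version.name)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("certificate or hostname verification is off")
    return findings


def weakened_context():
    """Constructed counter-example: no version floor and no peer verification."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    print(audit_context(negotiating_client_context()))
    for finding in audit_context(weakened_context()):
        print("finding:", finding)
```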

#5 Updated by cduryee over 6 years ago

Glad to hear the POODLE fix also fixed this :)

I will change the BZ to a general "Pulp does not work on F21 beta" bug.

+ This comment was cloned from Bugzilla #1123515 comment 5 +

#6 Updated by cduryee over 6 years ago

python-kombu 3.0.24 will fix this on Fedora 21.

We need to ensure all versions of qpid for various dists have the correct patch. Leaving bz as assigned until kombu is upgraded to 3.0.24 in our deps dir.

+ This comment was cloned from Bugzilla #1123515 comment 6 +

#7 Updated by cduryee over 6 years ago

fixed in pulp 2.6.0-0.2.beta

+ This comment was cloned from Bugzilla #1123515 comment 7 +

#8 Updated by igulina@redhat.com over 6 years ago

rpm -qa pulp-server

pulp-server-2.6.0-0.5.beta.fc21.noarch

pulp-admin -u admin -p admin rpm repo list

--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------

Id: krevetka
Display Name: krevetka
Description: None
Content Unit Counts:

Id: rybka
Display Name: rybka
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
Rpm: 32

pulp-admin -u admin -p admin rpm repo create --repo-id suslik

Successfully created repository [suslik]

pulp-admin -u admin -p admin rpm repo update --repo-id suslik --display-name="Suslik Grisha"

Repository [suslik] successfully updated

pulp-admin -u admin -p admin rpm repo list

--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------

Id: krevetka
Display Name: krevetka
Description: None
Content Unit Counts:

Id: rybka
Display Name: rybka
Description: None
Content Unit Counts:
Erratum: 4
Package Category: 1
Package Group: 2
Rpm: 32

Id: suslik
Display Name: Suslik Grisha
Description: None
Content Unit Counts:

+ This comment was cloned from Bugzilla #1123515 comment 8 +

#9 Updated by bmbouter over 6 years ago

  • Severity changed from Medium to 2. Medium

#10 Updated by rbarlow over 6 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#12 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
