<div dir="ltr"><div><div>Florian, thank you for the tip and the patch! We do have Bluecoat, and I just confirmed that we are at SGOS 6.4.3.1, which apparently does not support TLS 1.2. <br><br></div>We are currently discussing the best way forward - either allowing this server to bypass the proxy, or modifying the Python per your patch. Thanks again for chasing this down and sharing your findings.<br>
<br></div>Christina<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 11, 2014 at 2:17 AM, Florian Sachs <span dir="ltr"><<a href="mailto:florian.sachs@bmlvs.gv.at" target="_blank">florian.sachs@bmlvs.gv.at</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Christina,<br>
<br>
I ran into the same problem recently (Client Hello, RST), as our
Bluecoat Proxy doesn't like TLS1.2 much...<br>
<br>
Pulp uses python-requests to download packages and I was able to
change the behaviour there. See
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1039471#c4" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1039471#c4</a> for the diff.
<br>
<br>
best regards,<br>
florian<br>
<br>
<div>On 03/10/2014 09:56 PM, Christina
Plummer wrote:<br>
</div>
<blockquote type="cite">
<p>--<br>
!!! ATTENTION !!! <br>
The electronic DKIM signature that the sending mail server
attached to the message is faulty. This mail is very likely
a forgery/spam etc. <a href="http://mx3-phx2.redhat.com" target="_blank">mx3-phx2.redhat.com</a> is not
trustworthy!<br>
--</p><div><div class="h5">
<div dir="ltr">
<div>Update - after studying the packet captures, I noticed that
all the failures (both Pulp2.3 and openssl s_client) were when
TLS 1.2 was used. When I forced s_client to use TLS 1.0 or
1.1, the SSL handshake succeeded.<br>
<br>
</div>
Is there a way to force Pulp to use TLS 1.0?<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Mar 10, 2014 at 4:14 PM,
Christina Plummer <span dir="ltr"><<a href="mailto:cplummer@gmail.com" target="_blank">cplummer@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>We do go through a proxy, but
authentication is not required on
port 443. Both servers are on the
same subnet.<br>
<br>
</div>
Pulp-2.1.3-server:<br>
</div>
<div> * RHEL 6.5 x86_64<br>
</div>
* yum to <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>
works<br>
</div>
* curl to <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>
works<br>
</div>
* Pulp to <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a> works<br>
<br>
</div>
Pulp-2.3.1-server:<br>
</div>
<div> * RHEL 6.5 x86_64<br>
</div>
* yum to <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>
works<br>
</div>
* curl to <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>
works<br>
</div>
* Pulp to <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>
fails<br>
<br>
</div>
(I couldn't get openssl s_client to work on either
one, but I think that is probably user error or
otherwise irrelevant)<br>
<br>
</div>
I did packet captures on both servers while running
"pulp rpm repo sync run". <br>
On the 2.3.1 server, the SSL Client Hello does not
include a Server Name, and is followed by a RST. <br>
On the 2.1.3 server, the SSL Client Hello includes a
Server Name of <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>,
and is followed by a SSL Server Hello and the rest of
the process proceeds as expected.<br>
<br>
</div>
So... why is the 2.3.1 not sending a Server Name in its
SSL Client Hello?<br>
<br>
</div>
Thanks,<br>
Christina<br>
<div>
<div><br>
</div>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sat, Mar 8, 2014 at 12:54
AM, Steven Roberts <span dir="ltr"><<a href="mailto:strobert@strobe.net" target="_blank">strobert@strobe.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I
sort of recall having a similar cert issue around
the same time I<br>
upgraded to 2.3 but we had two external issues:<br>
- our accounting group decided to change our RH
account so we had to get<br>
new entitlement certs<br>
- a proxy had been added to our outbound
connection causing a server
cert issue.<br>
<br>
are you behind a proxy? thinking maybe doing a
'openssl s_client'<br>
to get the cert to confirm it is the one you are
expecting...<br>
<br>
that socket reset sounds like one side isn't
liking the SSL<br>
negotiation which could be a client or server
issue.<br>
<br>
I would check the ssl side of things, you could
also tcpdump/tshark<br>
the connection to see if one side is raising an
ssl error...<br>
<br>
Steve<br>
<div>
<div><br>
On Fri, Mar 07, 2014 at 09:00:51PM -0500,
Christina Plummer wrote:<br>
> Hi Steve,<br>
> Both the 2.1 and 2.3 Pulp servers are
running RHEL 6.5.<br>
><br>
> Thanks,<br>
> Christina<br>
><br>
> Sent from mobile<br>
><br>
> > On Mar 7, 2014, at 8:28 PM, Steven
Roberts <<a href="mailto:strobert@strobe.net" target="_blank">strobert@strobe.net</a>>
wrote:<br>
> ><br>
> > what os,arch are you running your
pulp server on?<br>
> ><br>
> > I am on a RHEL 6 (64bit) box with
pulp 2.3.1-1 package and my sync's<br>
> > of RH CDN are working.<br>
> ><br>
> > I have feed-cert and feed-key (both
set to the same .pem I downloaded<br>
> > from RH using the instructions in
the pulp guide).<br>
> ><br>
> > I did just look and I am setting the
feed-ca-cert to a redhat-uep.pem<br>
> > (and I also have skipping of DRPMS
as we don't use them in our env)<br>
> ><br>
> > Steve<br>
> ><br>
> >> On Fri, Mar 07, 2014 at
04:50:21PM -0500, Christina Plummer wrote:<br>
> >> Update - I was able to use curl
to download the repomd.xml file that Pulp<br>
> >> seems to be choking on. So I am
definitely thinking this is a Pulp 2.3<br>
> >> problem.<br>
> >><br>
> >> This worked:<br>
> >> sudo curl -v<br>
> >> <a href="https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml" target="_blank">https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml</a> --cacert<br>
> >> /etc/rhsm/ca/redhat-uep.pem
--cert<br>
> >>
/etc/pki/entitlement/1545770057920900266.pem
--key<br>
> >>
/etc/pki/entitlement/1545770057920900266-key.pem<br>
> >><br>
> >><br>
> >><br>
> >><br>
> >> On Fri, Mar 7, 2014 at 4:02 PM,
Christina Plummer <<a href="mailto:cplummer@gmail.com" target="_blank">cplummer@gmail.com</a>>wrote:<br>
> >><br>
> >>> I've been working with Pulp
2.1.3 for several months, and decided that I<br>
> >>> wanted to get 2.3.1 stood up
on a new server and migrate over to it.<br>
> >>> Unfortunately, I have not
been able to get Pulp 2.3.1 to sync from the
Red<br>
> >>> Hat channels. Here is the
error I get:<br>
> >>> Downloading metadata...<br>
> >>> [\]<br>
> >>> ... failed<br>
> >>><br>
> >>> HTTPSConnectionPool(host='<a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>',
port=443): Max retries<br>
> >>> exceeded with<br>
> >>> url:
/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml<br>
> >>> (Caused<br>
> >>> by <class
'socket.error'>: [Errno 104] Connection
reset by peer)<br>
> >>><br>
> >>> I don't believe I have a
network or subscription/entitlement issue,<br>
> >>> because I am able to use yum
to update packages from <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>.
I<br>
> >>> set up my Pulp 2.3.1 repos
in the same way as I have them on my 2.1.3<br>
> >>> server, e.g.<br>
> >>><br>
> >>> sudo pulp-admin rpm repo
create --repo-id=live-rhel6-x86_64<br>
> >>> --description="RHEL6 x86_64
Latest"<br>
> >>>
--feed-cert=/etc/pki/entitlement/1545770057920900266.pem<br>
> >>>
--feed-key=/etc/pki/entitlement/1545770057920900266-key.pem
--feed=<a href="https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os" target="_blank">https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os</a><br>
> >>> --retain-old-count=1 --validate=true
--relative-url=rhel6/x86_64 --serve-http=true<br>
> >>> --serve-https=false<br>
> >>>
--gpg-key=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-legacy-release<br>
> >>> I am still able to sync from
RHN to my Pulp 2.1.3 server, so there doesn't<br>
> >>> seem to be an issue with Red
Hat itself.<br>
> >>><br>
> >>> It seems like an SSL error,
but I can't figure out what it would be... I<br>
> >>> tried adding
--feed-ca-cert=/etc/rhsm/ca/redhat-uep.pem,
but that didn't<br>
> >>> seem to have any effect (and
hasn't been needed on my 2.1.3 server).<br>
> >>><br>
> >>> Any ideas? Has anyone else
got syncing from <a href="http://cdn.redhat.com" target="_blank">cdn.redhat.com</a>
working on<br>
> >>> Pulp 2.3.1?<br>
> >>><br>
> >>> Thanks,<br>
> >>> Christina<br>
> ><br>
> >>
_______________________________________________<br>
> >> Pulp-list mailing list<br>
> >> <a href="mailto:Pulp-list@redhat.com" target="_blank">Pulp-list@redhat.com</a><br>
> >> <a href="https://www.redhat.com/mailman/listinfo/pulp-list" target="_blank">https://www.redhat.com/mailman/listinfo/pulp-list</a><br>
> ><br>
><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</div></div></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<pre cols="72">--
Florian Sachs
Bundesministerium für Landesverteidigung und Sport
Führungsunterstützungszentrum / IKT-Te / HW&SysSW / SE2VE
Stiftgasse 2a 1070, Wien
Postal address: Rossauer Lände 1, 1090 Wien
Tel.: <a href="tel:%2B43%2050201%2010%2033466" value="+43502011033466" target="_blank">+43 50201 10 33466</a>
</pre>
</font></span></div>
</blockquote></div><br></div>
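<p>The thread above narrows the failure down from two packet-capture observations: the Pulp 2.3.1 ClientHello carries no Server Name extension, and the proxy resets the connection only when TLS 1.2 is offered. The Python below is an added example for this archive page; it is not code from the thread, from Pulp, or from python-requests, and it does not reproduce Florian's diff. It uses the standard library's memory-BIO API to produce the exact ClientHello the local OpenSSL would put on the wire, with and without SNI and with the offered version capped at TLS 1.2 (the cap stands in for the version-pinning approach the thread settles on and is an assumption about that approach), and a small parser that reports what a middlebox sees: record version, client_version, SNI, cipher-suite count and the supported_versions extension. The parser accepts any raw ClientHello record, so it can equally be pointed at the TCP payload extracted from a capture like the one described above. The hostname cdn.redhat.com is taken from the thread.</p>

```python
import ssl
import struct

# Hostname from the thread; the cap illustrates version pinning and is an
# assumption about the fix, not the python-requests diff cited above.
HOSTNAME = "cdn.redhat.com"
TLS12 = ssl.TLSVersion.TLSv1_2


def build_client_hello(server_hostname=None, max_version=None):
    """Return the raw ClientHello record the local OpenSSL would send.

    The handshake is driven into memory BIOs, so no socket is opened and
    no peer is needed: do_handshake() writes the ClientHello and then
    waits for a ServerHello, which surfaces as SSLWantReadError."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # No server_hostname means no SNI extension (the 2.3.1 shape);
        # hostname checking has to be off for wrap_bio to accept that.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if max_version is not None:
        ctx.maximum_version = max_version
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is now in `outgoing`; no ServerHello will come
    return outgoing.read()


def parse_client_hello(data):
    """Parse one TLS ClientHello record into the fields a proxy keys on."""
    if len(data) < 6 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    info = {
        "record_version": (data[1], data[2]),
        "client_version": (hello[0], hello[1]),
        "cipher_suites": 0,
        "sni": None,
        "supported_versions": [],
    }
    pos = 2 + 32                        # client_version + random
    pos += 1 + hello[pos]               # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    info["cipher_suites"] = cs_len // 2
    pos += 2 + cs_len
    pos += 1 + hello[pos]               # compression_methods
    if pos + 2 > len(hello):
        return info                     # pre-extension hello, nothing more
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(ext) >= 5:      # server_name
            # ServerNameList length(2) | name_type(1) | name length(2) | name
            name_len = struct.unpack("!H", ext[3:5])[0]
            info["sni"] = ext[5:5 + name_len].decode("ascii")
        elif etype == 0x002B and ext:              # supported_versions
            versions = ext[1:1 + ext[0]]           # 1-byte list length first
            info["supported_versions"] = [
                (versions[i], versions[i + 1])
                for i in range(0, len(versions) - 1, 2)]
    return info


def highest_offered(info):
    """The real maximum the client offers: supported_versions wins over
    client_version, which a TLS 1.3 client pins at (3, 3) for compatibility."""
    if info["supported_versions"]:
        return max(info["supported_versions"])
    return info["client_version"]


if __name__ == "__main__":
    for label, hello in (
        ("SNI, default versions", build_client_hello(HOSTNAME)),
        ("no SNI (like the 2.3.1 capture)", build_client_hello(None)),
        ("SNI, capped at TLS 1.2", build_client_hello(HOSTNAME, TLS12)),
    ):
        info = parse_client_hello(hello)
        print("%-34s client_version=%s highest=%s sni=%s suites=%d" % (
            label, info["client_version"], highest_offered(info),
            info["sni"], info["cipher_suites"]))
```

<p>Two things the output makes visible that a capture alone does not: a TLS 1.3-capable client keeps client_version at 0x0303 and puts its true maximum in supported_versions, so a middlebox that only reads client_version reports "TLS 1.2" for both the default and the capped hello; and SNI is purely a function of whether the client passed a server name into the handshake, which is why the 2.1.3 and 2.3.1 hellos in the thread differ even though they target the same host.</p>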