
[jira] [Commented] (BROOKLYN-588) SoftwareProcess download with curl can fail on CentOS 7.0 (TLS negotiation)


    [ https://issues.apache.org/jira/browse/BROOKLYN-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490647#comment-16490647 ] 

Aled Sage commented on BROOKLYN-588:
------------------------------------

I think we're hitting https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1170339 and/or https://stackoverflow.com/a/44103766/1393883 (i.e. incompatible TLS negotiation with github).

When I try running the curl command manually (with {{-v}}), I get:
{noformat}
curl -v -f -L -k --retry 10 --keepalive-time 30 --speed-time 30 "https://github.com/coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz" -o etcd-v2.3.1-linux-amd64.tar.gz

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to github.com port 443 (#0)
*   Trying 192.30.253.113...
* Connected to github.com (192.30.253.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Error in TLS handshake, trying SSLv3...
> GET /coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: github.com
> Accept: */*
> 
* Connection died, retrying a fresh connect
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
* Issue another request to this URL: 'https://github.com/coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz'
* About to connect() to github.com port 443 (#1)
*   Trying 192.30.253.113...
* Connected to github.com (192.30.253.113) port 443 (#1)
* TLS disabled due to previous handshake failure
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 1
curl: (35) Peer reports incompatible or unsupported protocol version.
{noformat}

When I update curl and nss and repeat this, it downloads correctly:
{noformat}
sudo yum update -y curl
sudo yum update -y nss
{noformat}

A successful download shows use of TLSv1.2.

This problem happens with the following AMI:
{noformat}
imageId=eu-west-1/ami-69841c1e, os={family=centos, arch=hvm, version=7.0, description=411009282317/RightImage_CentOS_7.0_x64_v14.2.1_HVM_EBS, is64Bit=true}
{noformat}


> SoftwareProcess download with curl can fail on CentOS 7.0 (TLS negotiation)
> ---------------------------------------------------------------------------
>
>                 Key: BROOKLYN-588
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-588
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.12.0
>            Reporter: Aled Sage
>            Priority: Major
>
> When a {{SoftwareProcess}} entity needs to download an install artifact, it often uses curl.
> When running CentOS 7.0, this can fail. For example, when attempting to download something from github:
> {noformat}
> /usr/bin/curl
> curl: (37) Couldn't open file /home/users/amp/.brooklyn/repository/EtcdNode/2.3.1/etcd-v2.3.1-linux-amd64.tar.gz
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> curl: (35) Peer reports incompatible or unsupported protocol version.
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> curl: (22) The requested URL returned error: 404 Not Found
> Could not retrieve etcd-v2.3.1-linux-amd64.tar.gz. Tried: file://$HOME/.brooklyn/repository/EtcdNode/2.3.1/etcd-v2.3.1-linux-amd64.tar.gz, https://github.com/coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz, http://downloads.cloudsoftcorp.com/brooklyn/repository/EtcdNode/2.3.1/etcd-v2.3.1-linux-amd64.tar.gz
> Executed /tmp/brooklyn-20180521-195405819-Dfo2-installing_EtcdNodeImpl_id_oe3.sh, result 9
> {noformat}
> This can happen when using a 'minimal' location in AWS (e.g. when just specifying the {{osFamily: centos}}, and not an explicit AMI, which defaults to a CentOS 7.0 AMI).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
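
A triage helper for transcripts like the ones in this thread, added here as an example (it is not Brooklyn's code and not part of the original message). It maps each `curl: (N)` line to a cause, so the TLS handshake failure (35) is not masked by the later 404 from the fallback URL, and it lists the NSS-level reasons. The function names and the sample file are constructed; the sample lines are copied from the logs above.

```shell
#!/bin/sh
# Added example: triage a saved curl transcript (plain or '>'-quoted).

# One line per "curl: (N)" error in log file $1, with a short cause.
curl_errors() {
  sed -n 's/^[> ]*curl: (\([0-9][0-9]*\)).*/\1/p' "$1" | while read -r code; do
    case "$code" in
      35) echo "35 tls-handshake-failed" ;;   # SSL connect error
      37) echo "37 local-file-unreadable" ;;  # file:// source missing
      22) echo "22 http-error" ;;             # -f turned an HTTP >= 400 into a failure
      *)  echo "$code other" ;;
    esac
  done
}

# NSS-level reasons present in a `curl -v` transcript $1.
nss_reasons() {
  grep -q 'SSL_ERROR_PROTOCOL_VERSION_ALERT' "$1" && echo "server-rejected-offered-protocol-version"
  grep -q 'trying SSLv3' "$1" && echo "client-fell-back-to-sslv3"
  grep -q 'SSL_ERROR_NO_CYPHER_OVERLAP' "$1" && echo "no-common-cipher"
  return 0
}

# "update-curl-nss" if any attempt died in the TLS handshake (the fix that
# worked in this thread), otherwise "look-elsewhere".
verdict() {
  if curl_errors "$1" | grep -q '^35 '; then
    echo "update-curl-nss"
  else
    echo "look-elsewhere"
  fi
}

# Constructed sample: lines copied from the two logs in this thread.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
> curl: (37) Couldn't open file /home/users/amp/.brooklyn/repository/EtcdNode/2.3.1/etcd-v2.3.1-linux-amd64.tar.gz
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Error in TLS handshake, trying SSLv3...
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
> curl: (35) Peer reports incompatible or unsupported protocol version.
> curl: (22) The requested URL returned error: 404 Not Found
EOF

curl_errors "$SAMPLE_LOG"
nss_reasons "$SAMPLE_LOG"
verdict "$SAMPLE_LOG"
```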