[ 
https://issues.apache.org/jira/browse/BROOKLYN-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16490647#comment-16490647
 ] 

Aled Sage commented on BROOKLYN-588:
------------------------------------

I think we're hitting 
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1170339 and/or 
https://stackoverflow.com/a/44103766/1393883 (i.e. incompatible TLS negotiation 
with github).

When I try running the curl command manually (with {{-v}}), I get:
{noformat}
curl -v -f -L -k --retry 10 --keepalive-time 30 --speed-time 30 "https://github.com/coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz" -o etcd-v2.3.1-linux-amd64.tar.gz

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* 
About to connect() to github.com port 443 (#0)
*   Trying 192.30.253.113...
* Connected to github.com (192.30.253.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Error in TLS handshake, trying SSLv3...
> GET /coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: github.com
> Accept: */*
> 
* Connection died, retrying a fresh connect
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
* Issue another request to this URL: 'https://github.com/coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz'
* About to connect() to github.com port 443 (#1)
*   Trying 192.30.253.113...
* Connected to github.com (192.30.253.113) port 443 (#1)
* TLS disabled due to previous handshake failure
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 1
curl: (35) Peer reports incompatible or unsupported protocol version.
{noformat}

When I update curl and nss and repeat this, it downloads correctly:
{noformat}
sudo yum update -y curl
sudo yum update -y nss
{noformat}

A successful download shows use of TLSv1.2.

This problem happens with the following AMI:
{noformat}
imageId=eu-west-1/ami-69841c1e, os={family=centos, arch=hvm, version=7.0, 
description=411009282317/RightImage_CentOS_7.0_x64_v14.2.1_HVM_EBS, 
is64Bit=true}
{noformat}


> SoftwareProcess download with curl can fail on CentOS 7.0 (TLS negotiation)
> ---------------------------------------------------------------------------
>
>                 Key: BROOKLYN-588
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-588
>             Project: Brooklyn
>          Issue Type: Bug
>    Affects Versions: 0.12.0
>            Reporter: Aled Sage
>            Priority: Major
>
> When a {{SoftwareProcess}} entity needs to download an install artifact, it 
> often uses curl.
> When running CentOS 7.0, this can fail. For example, when attempting to 
> download something from github:
> {noformat}
> /usr/bin/curl
> curl: (37) Couldn't open file 
> /home/users/amp/.brooklyn/repository/EtcdNode/2.3.1/etcd-v2.3.1-linux-amd64.tar.gz
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  
> Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> curl: (35) Peer reports incompatible or unsupported protocol version.
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  
> Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> curl: (22) The requested URL returned error: 404 Not Found
> Could not retrieve etcd-v2.3.1-linux-amd64.tar.gz. Tried: 
> file://$HOME/.brooklyn/repository/EtcdNode/2.3.1/etcd-v2.3.1-linux-amd64.tar.gz,
>  
> https://github.com/coreos/etcd/releases/download/v2.3.1/etcd-v2.3.1-linux-amd64.tar.gz,
>  
> http://downloads.cloudsoftcorp.com/brooklyn/repository/EtcdNode/2.3.1/etcd-v2.3.1-linux-amd64.tar.gz
> Executed 
> /tmp/brooklyn-20180521-195405819-Dfo2-installing_EtcdNodeImpl_id_oe3.sh, 
> result 9
> {noformat}
> This can happen when using a 'minimal' location in AWS (e.g. when just 
> specifying the {{osFamily: centos}}, and not an explicit AMI, which defaults 
> to a CentOS 7.0 AMI).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
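
The following is an added example, not part of the JIRA comment or of Brooklyn: a small shell triage of a saved {{curl -v}} log that separates the root cause (the server rejecting the offered protocol version) from the follow-on cipher error on the SSLv3 retry. The function names are hypothetical, and the sample log is constructed from lines in the verbose output quoted in the comment.

```shell
#!/bin/sh
# Added example: triage a saved `curl -v` stderr log for the failure in this ticket.
# Function names are hypothetical; matched strings are the NSS messages quoted above.

# Print one verdict for the log file given as $1.
# The protocol-version alert is checked first: in the ticket's log the cipher
# error only appears on the retry, after curl has disabled TLS.
classify_curl_log() {
    if grep -q 'SSL_ERROR_PROTOCOL_VERSION_ALERT' "$1"; then
        echo protocol_version_rejected
    elif grep -q 'SSL_ERROR_NO_CYPHER_OVERLAP' "$1"; then
        echo no_cipher_overlap
    elif grep -q '^curl: (35)' "$1"; then
        echo other_handshake_failure
    else
        echo no_tls_failure
    fi
}

# Succeeds if curl retried the handshake with SSLv3 after the first failure.
fell_back_to_sslv3() {
    grep -q 'Error in TLS handshake, trying SSLv3' "$1"
}

# Constructed sample: lines copied from the verbose output in the comment.
write_sample_log() {
    cat > "$1" <<'EOF'
* Connected to github.com (192.30.253.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Error in TLS handshake, trying SSLv3...
* TLS disabled due to previous handshake failure
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
curl: (35) Peer reports incompatible or unsupported protocol version.
EOF
}

log=$(mktemp)
write_sample_log "$log"
verdict=$(classify_curl_log "$log")
echo "verdict: $verdict"
if fell_back_to_sslv3 "$log"; then
    echo "note: retry used SSLv3 fallback; later errors stem from that retry"
fi
if [ "$verdict" = protocol_version_rejected ]; then
    echo "action: update the client TLS stack (yum update -y curl nss), then retry"
fi
rm -f "$log"
```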
