#414 SSL: SSLV3_ALERT_HANDSHAKE_FAILURE
Closed: Fixed 5 years ago Opened 5 years ago by skbrash.

I'm installing a new koji build system from fedora fc25. Have all the pieces installed and started following the "Koji Server Bootstrap" document (https://docs.pagure.org/koji/server_bootstrap/). koji hello works, koji import worked and koji add-tag worked. When I list-pkgs or list-hosts I get the Title SSL failure. On my koji web site, the package has been imported and the tag has been added.
All koji packages are 1.12.0-2. Using python 2.7.13-1. Using openssl 1.0.2k-1 (all fedora fc25 packages). Running on an x86_64 system multi-user.target. Last dnf update was done this morning.

Outputs from koji client below:

```
koji hello
hallo, steve!

You are using the hub at https://hub.stevenet.com/kojihub
Authenticated via client certificate /home/steve/.koji/client.crt

koji import ./brasher-release-25-1.src.rpm
uploading ./brasher-release-25-1.src.rpm... done
importing ./brasher-release-25-1.src.rpm... done

koji add-tag dist-f25    (no response, no error)

koji list-pkgs
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)

koji list-hosts
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)
```


Trace from client, this may help:

```
koji -d list-pkgs
2017-05-09 19:21:26,406 [DEBUG] koji: Opening new requests session
2017-05-09 19:21:26,416 [DEBUG] koji: Opening new requests session
Traceback (most recent call last):
  File "/usr/bin/koji", line 7545, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/bin/koji", line 3238, in anon_handle_list_pkgs
    activate_session(session)
  File "/usr/bin/koji", line 7521, in activate_session
    ensure_connection(session)
  File "/usr/bin/koji", line 277, in ensure_connection
    ret = session.getAPIVersion()
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1951, in __call__
    return self.__func(self.__name, args, opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2371, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2284, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2329, in _sendOneCall
    r = self.rsession.post(handler, **callopts)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 518, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)
```

Interesting, the difference between the successful commands and the failing ones is authentication. All the successful ones have to authenticate to do their work, but the failing ones are informational and so they skip that part.

  1. Can you try the failing commands with `--force-auth` (e.g. `koji --force-auth list-hosts`)? I suspect this will work around the issue.
  2. Can you paste the output of `koji --noauth --debug --debug-xmlrpc call echo test` (that is, assuming this fails)?

Thanks for the reply. Seems to work with the --force-auth, outputs you requested are below. When I get the failure, I'll use the --force-auth so I can complete the koji install.

Thanks again.

Steve


```
[steve@stevedell ~]$ koji hello
ciao, steve!

You are using the hub at https://hub.stevenet.com/kojihub
Authenticated via client certificate /home/steve/.koji/client.crt
```

Without --force-auth:
```
[steve@stevedell ~]$ koji list-pkgs
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)
```

With --force-auth:
```
[steve@stevedell ~]$ koji --force-auth list-hosts
Hostname Enb Rdy Load/Cap Arches Last Update
[steve@stevedell ~]$ koji --force-auth list-pkgs
(no matching packages)
```

Call echo test:
```
koji --noauth --debug --debug-xmlrpc call echo test
2017-05-11 16:12:59,154 [DEBUG] koji: Opening new requests session
url: https://hub.stevenet.com/kojihub
headers: {'Content-Length': '107', 'Content-Type': 'text/xml', 'User-Agent': 'koji/1.7'}
data: "<?xml version='1.0'?>\n<methodCall>\n<methodName>getAPIVersion</methodName>\n<params>\n</params>\n</methodCall>\n"
timeout: 43200
stream: True
verify: '/home/steve/.koji/serverca.crt'
2017-05-11 16:12:59,166 [DEBUG] koji: Opening new requests session
Traceback (most recent call last):
  File "/usr/bin/koji", line 7545, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/bin/koji", line 1356, in handle_call
    activate_session(session)
  File "/usr/bin/koji", line 7521, in activate_session
    ensure_connection(session)
  File "/usr/bin/koji", line 277, in ensure_connection
    ret = session.getAPIVersion()
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1951, in __call__
    return self.__func(self.__name, args, opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2371, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2284, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2329, in _sendOneCall
    r = self.rsession.post(handler, **callopts)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 518, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)
```

Call echo test with --force-auth:
```
koji --force-auth --debug --debug-xmlrpc call echo test
2017-05-11 16:14:10,193 [DEBUG] koji: Opening new requests session
2017-05-11 16:14:10,194 [DEBUG] koji: Opening new requests session
url: https://hub.stevenet.com/kojihub/ssllogin
stream: True
verify: '/home/steve/.koji/serverca.crt'
headers: {'Content-Length': '140', 'Content-Type': 'text/xml', 'User-Agent': 'koji/1.7'}
cert: '/home/steve/.koji/client.crt'
timeout: 60
data: "<?xml version='1.0'?>\n<methodCall>\n<methodName>sslLogin</methodName>\n<params>\n<param>\n<value><nil/></value></param>\n</params>\n</methodCall>\n"
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><struct>\n<member>\n<name>session-id</name>\n<value><int>18</int></value>\n</member>\n<member>\n<name>session-key</name>\n<value><string>2-iz90jr3jAueqdzcUrSq</string></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodResponse>\n"
url: https://hub.stevenet.com/kojihub?session-id=18&session-key=2-iz90jr3jAueqdzcUrSq&callnum=0
stream: True
verify: '/home/steve/.koji/serverca.crt'
headers: {'Content-Length': '107', 'Content-Type': 'text/xml', 'User-Agent': 'koji/1.7'}
cert: '/home/steve/.koji/client.crt'
timeout: 43200
data: "<?xml version='1.0'?>\n<methodCall>\n<methodName>getAPIVersion</methodName>\n<params>\n</params>\n</methodCall>\n"
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><int>1</int></value>\n</param>\n</params>\n</methodResponse>\n"
successfully connected to hub
url: https://hub.stevenet.com/kojihub?session-id=18&session-key=2-iz90jr3jAueqdzcUrSq&callnum=1
stream: True
verify: '/home/steve/.koji/serverca.crt'
headers: {'Content-Length': '152', 'Content-Type': 'text/xml', 'User-Agent': 'koji/1.7'}
cert: '/home/steve/.koji/client.crt'
timeout: 43200
data: "<?xml version='1.0'?>\n<methodCall>\n<methodName>echo</methodName>\n<params>\n<param>\n<value><string>test</string></value>\n</param>\n</params>\n</methodCall>\n"
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><array><data>\n<value><string>test</string></value>\n</data></array></value>\n</param>\n</params>\n</methodResponse>\n"
['test']
url: https://hub.stevenet.com/kojihub?session-id=18&session-key=2-iz90jr3jAueqdzcUrSq&callnum=2
stream: True
verify: '/home/steve/.koji/serverca.crt'
headers: {'Content-Length': '100', 'Content-Type': 'text/xml', 'User-Agent': 'koji/1.7'}
cert: '/home/steve/.koji/client.crt'
timeout: 43200
data: "<?xml version='1.0'?>\n<methodCall>\n<methodName>logout</methodName>\n<params>\n</params>\n</methodCall>\n"
body: "<?xml version='1.0'?>\n<methodResponse>\n<params>\n<param>\n<value><nil/></value></param>\n</params>\n</methodResponse>\n"
```

The only difference between the successful run and the failure is the inclusion of the client cert.

I suspect that your http server is requiring a cert for all of /kojihub, not just /kojihub/ssllogin. Check your SSLVerifyClient settings in your httpd config. Our example config looks like:

```
# uncomment this to enable authentication via SSL client certificates
# <Location /kojihub/ssllogin>
#         SSLVerifyClient require
#         SSLVerifyDepth  10
#         SSLOptions +StdEnvVars
# </Location>
```

Hi Mike,

I had already enabled that. From my kojihub.conf file:

```
# uncomment this to enable authentication via SSL client certificates
<Location /kojihub/ssllogin>
        SSLVerifyClient require
        SSLVerifyDepth  10
        SSLOptions +StdEnvVars
</Location>
```

Steve

Hi Mike,

I copied and pasted the <Location /kojihub/ssllogin> section from my kojihub.conf file and somehow the browser or the server changed the content in the previous message (deleted # on the comment and removed the tabs). But it is uncommented in the file.

Steve

You might want to have a quick look at the markdown syntax link on the page. Wrapping your pastes in triple backticks is a handy way to handle dumps like these.

Sure you've copied that config, but I wonder if there is any other httpd config you have that might also be requiring a client cert. Can you check? E.g. `grep -r SSLVerifyClient /etc/httpd/conf*`

Hi Mike,

```
[root@hub ~]# grep -Hinr SSLVerifyClient /etc/httpd/conf*
/etc/httpd/conf.d/kojihub.conf:53: SSLVerifyClient require
/etc/httpd/conf.d/kojihub.conf:63:# SSLVerifyClient require
/etc/httpd/conf.d/kojiweb.conf:52: SSLVerifyClient require
/etc/httpd/conf.d/ssl.conf:127:SSLVerifyClient require
```

The only thing running on httpd is the kojihub and kojiweb.

Steve

Ok, now go look at the context for those matches in kojiweb.conf and ssl.conf to see if they are requiring certs for a broader set of paths.

I suspect the problem is the entry in ssl.conf. In my local setup, this line is commented (I believe the default). Do you know why it is uncommented in yours? Check the context to see if it is limited to a subtree.
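To do the context check described above, here is an added Python example (not koji's code, and not posted in this issue) that walks an httpd config, records every `SSLVerifyClient` directive together with the container it sits in, and flags a `require` that is not confined to a Location/Directory/Files block, since such a directive applies to every request of the vhost, including the unauthenticated calls to /kojihub. The config text is constructed for the example; `Include` directives are not followed.

```python
import re

# Container directives we track; each is closed by a matching </Name> line.
_NAMES = r"(VirtualHost|Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)"
_OPEN = re.compile(r"^\s*<" + _NAMES + r"\s+([^>]*)>\s*$", re.I)
_CLOSE = re.compile(r"^\s*</" + _NAMES + r">\s*$", re.I)
_VERIFY = re.compile(r"^\s*(#\s*)?SSLVerifyClient\s+(\S+)", re.I)

# Constructed sample modelled on the configs discussed above (not a real file).
SAMPLE_CONF = """\
# constructed example httpd config
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient require
    <Location /kojihub/ssllogin>
        SSLVerifyClient require
        SSLVerifyDepth  10
    </Location>
    # <Location /kojihub/ssllogin>
    #     SSLVerifyClient require
    # </Location>
</VirtualHost>
"""

def find_verify_client(conf_text):
    """One dict per SSLVerifyClient: line, value, enclosing scope, active flag."""
    stack, found = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        commented = line.lstrip().startswith("#")
        if not commented and _OPEN.match(line):
            m = _OPEN.match(line)
            stack.append("%s %s" % (m.group(1), m.group(2).strip()))
            continue
        if not commented and _CLOSE.match(line):
            stack and stack.pop()
            continue
        m = _VERIFY.match(line)
        if m:
            found.append({"line": lineno, "value": m.group(2).lower(),
                          "scope": " > ".join(stack) or "server", "active": not commented})
    return found

def broad_requirements(findings):
    """Active 'require' directives not confined to a Location/Directory/Files block:
    they demand a client cert on every request to the server or vhost, which is
    what breaks the unauthenticated calls to /kojihub."""
    narrow = ("location", "directory", "files")
    return [f for f in findings if f["active"] and f["value"] == "require"
            and not any(s.lower().startswith(narrow) for s in f["scope"].split(" > "))]
```

On a real host, run `broad_requirements(find_verify_client(open(path).read()))` over each file that the grep above lists.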

Hi Mike,

I commented the two lines out and restarted httpd and it seems to be working. The lines were enabled because https://docs.pagure.org/koji/server_howto/#id5 instructed to enable it.

Will do some more testing and make sure everything is okay.

Thanks for the help, it is greatly appreciated.

@skbrash Looks like your issue has been resolved. Could you help double confirm whether we can close the issue?

I'm closing it for now. If you hit further problems, please reopen it.

Metadata Update from @tkopecek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata Update from @tkopecek:
- Issue set to the milestone: 1.13

5 years ago
