#6054 fedpkg build broken after crypto-policies update to disable SSL3
Closed: Fixed None Opened 9 years ago by amigadave.

I came across this today, after updating crypto-policies in Rawhide:

fedpkg -v build
Creating repo object from /home/david/checkout/rpms/gnome-logs
Could not read /home/david/.koji/config for config values
Initiating a koji session to http://koji.fedoraproject.org/kojihub
Could not execute build: [('SSL routines', 'SSL3_CLIENT_HELLO', 'no ciphers available')]
Traceback (most recent call last):
  File "/usr/bin/fedpkg", line 16, in <module>
    main()
  File "/usr/lib/python2.7/site-packages/fedpkg/__main__.py", line 68, in main
    sys.exit(client.args.command())
  File "/usr/lib/python2.7/site-packages/pyrpkg/cli.py", line 938, in build
    sets, nvr_check)
  File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 1717, in build
    build_target = self.kojisession.getBuildTarget(self.target)
  File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 396, in kojisession
    self.load_kojisession()
  File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 248, in load_kojisession
    defaults['serverca'])
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1729, in ssl_login
    sinfo = self.callMethod('sslLogin', proxyuser)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1778, in callMethod
    return self._callMethod(name, args, opts)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1898, in _callMethod
    return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1809, in _sendCall
    return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 1827, in _sendOneCall
    cnx.endheaders()
  File "/usr/lib64/python2.7/httplib.py", line 991, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 844, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 820, in send
    self.sock.sendall(data)
  File "/usr/lib/python2.7/site-packages/koji/ssl/SSLConnection.py", line 108, in sendall
    sent = con.send(data, flags)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_CLIENT_HELLO', 'no ciphers available')]

I was advised to file it as a releng ticket by pingou on #fedora-devel. It seems like this change is only on the master branch of crypto-policies, not f21:

http://pkgs.fedoraproject.org/cgit/crypto-policies.git/commit/?id=9e4e7ddc76b3f22db8fd4a15eba9ed4140a831fa


I'd suggest filing a bug (in bugzilla)

koji currently hard codes SSLv3 use.

See:
https://bugzilla.redhat.com/show_bug.cgi?id=1152823

So, short term:

  • There should be a way to override crypto-policies to allow this. If we find such a way we should document it, or at least notify rawhide users in devel list. ;)

  • We should push out the change to switch it to TLS.

I don't think there's anything releng can do here...
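
An added example (not part of the ticket, and not koji's code): a small audit script that finds Python source pinning SSLv2/SSLv3 through pyOpenSSL or stdlib `ssl` constants, the pattern the reply above says breaks once crypto-policies disables SSL3. The `SAMPLE` input and the name `find_pinned_ssl` are constructed for illustration.

```python
import ast

# Names that pin a connection to SSLv2/SSLv3 only (pyOpenSSL and stdlib ssl).
PINNED = {"SSLv2_METHOD", "SSLv3_METHOD", "PROTOCOL_SSLv2", "PROTOCOL_SSLv3"}


def find_pinned_ssl(source, filename="<constructed>"):
    """Return sorted (line, name) pairs for each reference to a pinned constant."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Attribute) and node.attr in PINNED:
            hits.add((node.lineno, node.attr))    # SSL.SSLv3_METHOD
        elif isinstance(node, ast.Name) and node.id in PINNED:
            hits.add((node.lineno, node.id))      # bare name after a from-import
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if alias.name in PINNED:
                    hits.add((node.lineno, alias.name))
    return sorted(hits)


# Constructed sample, not koji's source: one pinned context, one negotiated one.
SAMPLE = '''\
from OpenSSL import SSL

def legacy_context():
    return SSL.Context(SSL.SSLv3_METHOD)

def negotiated_context():
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    return ctx
'''

if __name__ == "__main__":
    for line, name in find_pinned_ssl(SAMPLE):
        print("<constructed>:%d: hard-coded %s" % (line, name))
```

Only `legacy_context` is reported; the `SSLv23_METHOD` context with `OP_NO_SSLv2 | OP_NO_SSLv3` negotiates TLS and is left alone.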

Metadata Update from @amigadave:
- Issue set to the milestone: Fedora 21 Final

7 years ago
