Error:14094410:SSL when run zypper ref



misaelcun
30-Oct-2017, 23:23
A few weeks ago, I was able to install msodbcsql-13.1.9.0-1 and unixODBC-devel using this repo https://packages.microsoft.com/config/sles/11/prod.repo on my SUSE Linux Enterprise Server 11 (x86_64) SP3.

Some days ago, when I ran zypper ref, I got this:

Retrieving repository 'packages-microsoft-com-prod' metadata [-]
Download (curl) error for 'https://packages.microsoft.com/sles/11/prod/repodata/repomd.xml':
Error code: Unrecognized error
Error message: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Abort, retry, ignore? [a/r/i/? shows all options] (a):

I already ran this without success: rpm --rebuilddb && zypper clean -a && zypper ref

This is the zypper repos result:

# | Alias | Name | Enabled | Refresh
---+---------------------------------------------+---------------------------------------+---------+--------
1 | SLES-for-SAP-Applications 11.3.3-1.17 | SLES-for-SAP-Applications 11.3.3-1.17 | Yes | No
2 | nu_novell_com:SLE11-HAE-SP3-Pool | SLE11-HAE-SP3-Pool | Yes | Yes
3 | nu_novell_com:SLE11-HAE-SP3-Updates | SLE11-HAE-SP3-Updates | Yes | Yes
4 | nu_novell_com:SLE11-SP1-Debuginfo-Pool | SLE11-SP1-Debuginfo-Pool | No | Yes
5 | nu_novell_com:SLE11-SP1-Debuginfo-Updates | SLE11-SP1-Debuginfo-Updates | No | Yes
6 | nu_novell_com:SLE11-SP2-Debuginfo-Core | SLE11-SP2-Debuginfo-Core | No | Yes
7 | nu_novell_com:SLE11-SP2-Debuginfo-Updates | SLE11-SP2-Debuginfo-Updates | No | Yes
8 | nu_novell_com:SLE11-SP2-WebYaST-1.3-Pool | SLE11-SP2-WebYaST-1.3-Pool | Yes | Yes
9 | nu_novell_com:SLE11-SP2-WebYaST-1.3-Updates | SLE11-SP2-WebYaST-1.3-Updates | Yes | Yes
10 | nu_novell_com:SLE11-SP3-Debuginfo-Pool | SLE11-SP3-Debuginfo-Pool | No | Yes
11 | nu_novell_com:SLE11-SP3-Debuginfo-Updates | SLE11-SP3-Debuginfo-Updates | No | Yes
12 | nu_novell_com:SLE11-SP3-SAP-Pool | SLE11-SP3-SAP-Pool | Yes | Yes
13 | nu_novell_com:SLE11-SP3-SAP-Updates | SLE11-SP3-SAP-Updates | Yes | Yes
14 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | Yes | Yes
15 | nu_novell_com:SLES11-Extras | SLES11-Extras | No | Yes
16 | nu_novell_com:SLES11-SP1-Pool | SLES11-SP1-Pool | No | Yes
17 | nu_novell_com:SLES11-SP1-Updates | SLES11-SP1-Updates | No | Yes
18 | nu_novell_com:SLES11-SP2-Core | SLES11-SP2-Core | No | Yes
19 | nu_novell_com:SLES11-SP2-Extension-Store | SLES11-SP2-Extension-Store | No | Yes
20 | nu_novell_com:SLES11-SP2-Updates | SLES11-SP2-Updates | No | Yes
21 | nu_novell_com:SLES11-SP3-Extension-Store | SLES11-SP3-Extension-Store | No | Yes
22 | nu_novell_com:SLES11-SP3-Pool | SLES11-SP3-Pool | Yes | Yes
23 | nu_novell_com:SLES11-SP3-Updates | SLES11-SP3-Updates | Yes | Yes
24 | packages-microsoft-com-prod | packages-microsoft-com-prod | Yes | No

Any advice to fix this? Thanks in advance.

malcolmlewis
31-Oct-2017, 00:25
Hi
That would be TLS (=> 1.0) and SNI issues AFAIK? Any updates applied after you added the repository?

Maybe an error at their end?

Do you see a failure from:


openssl s_client -connect packages.microsoft.com:443 -tls1 -servername packages.microsoft.com

misaelcun
31-Oct-2017, 02:35
Hi malcolmlewis,

Before adding the Microsoft repo, I first applied the pending patches, rebooted, added the repo, then installed unixodbc and mssqlodbc, and the whole process was flawless.

We just faced the problem when trying to install unixodbc and msodbc on our QAS server; when trying to add the repo we get the message reported:


In our QAS server:
vzisaphqas:~ #
zypper addrepo -fc https://packages.microsoft.com/config/sles/11/prod.repo
Download (curl) error for 'https://packages.microsoft.com/config/sles/11/prod.repo':
Error code: Unrecognized error
Error message: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Abort, retry, ignore? [a/r/i/? shows all options] (a):

applying your test:

vzisaphqas:~ # openssl s_client -connect packages.microsoft.com:443 -tls1 -servername packages.microsoft.com
CONNECTED(00000003)
20441:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1100:SSL alert number 40
20441:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:
vzisaphqas:~ #

The same results on our SBX server, where the repo is already configured:

vzisaphsbx:~ # openssl s_client -connect packages.microsoft.com:443 -tls1 -servername packages.microsoft.com
CONNECTED(00000003)
14256:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1100:SSL alert number 40
14256:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:
vzisaphsbx:~ #

Also, I am using Fedora 26 on my WKS and get the same result when running the openssl test.

Please let me know if you need additional information.

Regards

malcolmlewis
31-Oct-2017, 03:50
Hi
What about changing to TLS 1.2?


openssl s_client -connect packages.microsoft.com:443 -tls1_2 -servername packages.microsoft.com


I tested the SLES 12 repo and it's working...

I wonder if something has changed on your network blocking/restricting the traffic?

misaelcun
31-Oct-2017, 04:53
Hi malcolmlewis,

In both servers SBX and QAS when using your instruction I get:

~ # openssl s_client -connect packages.microsoft.com:443 -tls1_2 -servername packages.microsoft.com
unknown option -tls1_2
usage: s_client args

-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify depth - turn on peer certificate verification
-cert arg - certificate file to use, PEM format assumed
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private key file to use, in cert file if
not specified but cert file is.
-keyform arg - key format (PEM or DER) PEM default
-pass arg - private key file pass phrase source
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-reconnect - Drop and re-make the connection with the same Session-ID
-pause - sleep(1) after each read(2) and write(2) system call
-showcerts - show all certificates in the chain
-debug - extra output
-msg - Show protocol messages
-nbio_test - more ssl protocol testing
-state - print the 'ssl' states
-nbio - Run with non-blocking IO
-crlf - convert LF from terminal into CRLF
-quiet - no s_client output
-ign_eof - ignore input eof (default when -quiet)
-no_ign_eof - don't ignore input eof
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
-fallback_scsv - send TLS_FALLBACK_SCSV
-mtu - set the MTU
-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
-bugs - Switch on all SSL implementation bug workarounds
-serverpref - Use server's cipher preferences (only SSLv2)
-cipher - preferred cipher to use, use the 'openssl ciphers'
command to see what is available
-starttls prot - use the STARTTLS command before starting TLS
for those protocols that support it, where
'prot' defines which one to assume. Currently,
only "smtp", "pop3", "imap", "ftp" and "xmpp"
are supported.
-engine id - Initialise and use the specified engine
-rand file:file:...
-sess_out arg - file to write SSL session to
-sess_in arg - file to read SSL session from
-servername host - Set TLS extension servername in ClientHello
-tlsextdebug - hex dump of all TLS extensions received
-status - request certificate status from server
-no_ticket - disable use of RFC4507bis session tickets
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)


Sounds like my SUSE servers do not recognize the 1.2 version?

As soon as I get into the office I will review our server configuration and restrictions with our Network and Security Team.

Regards.

misaelcun
31-Oct-2017, 17:05
Hi,

I reviewed the network configuration and connectivity with our Network and Security Team; both servers have no restrictions.

Regards.

malcolmlewis
31-Oct-2017, 23:09
Hi
I would assume it's SLE 11 SP3 openssl and maybe changes on the MS
server (SSL requirements).

I see in your options from the output there is no -tls1_N

On SLE 12 SP3 I see;


-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1


Can the system be upgraded?

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.2|GNOME 3.20.2|4.4.90-18.32-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

misaelcun
31-Oct-2017, 23:47
Hi,

After reviewing the SLES 11 SP4 news I found this note:

3.1 What's New in SUSE Linux Enterprise Server 11 SP4

New CPU enablement, such as Intel Xeon processor E7-8800/4800 v3 product family, IBM z13 (z13), and IBM POWER8 BE.

Public Cloud module and Security module are now available for SP4. These modules are independent repository channels and are included in subscription without additional cost:

Public Cloud Module
The Public Cloud Module is a collection of tools that enables you to create and manage cloud images from the command line on SUSE Linux Enterprise Server. When building your own images with KIWI or SUSE Studio, initialization code specific to the target cloud is included in that image. The tools and initialization code in this module will be updated whenever a new version is ready, always giving you the freshest.

Security Module
The Security Module adds support for TLS 1.2 to the applications in the Security Module repository. This allows customers and partners to build TLS-1.2 compliant infrastructures beyond the HTTPS protocol.

Now I am planning to apply SP4 on my server, any advice?

Best regards.

malcolmlewis
01-Nov-2017, 00:28
Hi
Create a backup, and test ;)

Have a look at the release notes: https://www.suse.com/releasenotes/x86_64/SUSE-SLES/11-SP4/

There are a few notes about wget etc for TLS 1.2.

Perhaps look at using YaST Wagon for the upgrade?

misaelcun
01-Nov-2017, 19:58
Hi,

Well, I downloaded the SLES for SAP 11 SP4 trial from suse.com, registered it and applied the latest patches.

As soon as I try to add the repo I get:

Error code: Unrecognized error
Error message: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I also followed the advice from (https://www.suse.com/releasenotes/x86_64/SUSE-SLES/11-SP4/#Features.Security) to install curl_openssl1 and wget_openssl1, without success.

What I would do now is download the unixODBC and msodc* packages and install them manually.

Any workaround?

Regards

malcolmlewis
01-Nov-2017, 23:19
Hi
So can you download and access the files via the SLE 11 SP4 browser?

Maybe it's something at the Microsoft end that's changed?


misaelcun
01-Nov-2017, 23:43
Hi,

Yes, I can navigate using Firefox and view the files, it is very weird.

Let me elaborate a little bit: Now I am using a VBox VM with SLES 11 SP4, fully registered and patched to test.

If I connect using the cellular network instead of our corporate network, zypper ar works like a charm; on the other hand, when using our corporate network the command fails. We are using Fortinet appliances, but everything is "open" in the Fortinet; the server runs free.

Please, could you provide me some other test to validate the server connectivity?

Regards.

malcolmlewis
02-Nov-2017, 00:04
Hi
So you can view and also download manually ok?

Run wireshark or tcpdump, then run the openssl command with TLS 1.2 in another window and look at what's happening over both connection methods.

So I'm guessing the Fortinet devices firmware is all ok/up to date and
not silently dropping something?

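The checks Malcolm suggests in this and his earlier replies (probe the host with openssl s_client per TLS version, see whether the local build even has a -tls1_2 switch, and compare the two network paths) collected into one script, as an added example that is not code from the thread or from SUSE. It separates the three outcomes that appear above: "unknown option -tls1_2" means the client build cannot offer that version at all, "SSL alert number 40" is the server's handshake_failure alert (it found no protocol version or cipher suite it accepts in the ClientHello), and a Protocol/Cipher summary means the handshake completed. The verdict words, the PROBE_HOST and PROBE_PORT variables, the file name probe.sh and the sample outputs are this example's own constructions; the samples are modelled on the output posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): probe a TLS server per protocol version
# with openssl s_client and classify what came back, so that the three cases
# seen in this thread are told apart:
#   client-lacks-option   this openssl build has no -tls1_N switch at all
#   server-rejected       the server answered with alert 40 (handshake failure)
#   ok-*                  the handshake completed (verified / unverified chain)
# PROBE_HOST, PROBE_PORT and the verdict words are this example's own choices.

# classify_handshake: read s_client output on stdin, print one verdict word.
# Failure patterns are tested before success patterns because newer s_client
# builds still print a Protocol/Cipher summary after a failed handshake.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'unknown option'; then
        echo client-lacks-option
    elif printf '%s\n' "$out" | grep -Eq 'alert handshake failure|alert number 40'; then
        echo server-rejected
    elif printf '%s\n' "$out" | grep -Eq 'Cipher *: 0000'; then
        echo handshake-failed            # no alert seen, but no cipher negotiated
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo ok-verified
    elif printf '%s\n' "$out" | grep -Eq '^ *Protocol *: TLS'; then
        echo ok-unverified               # handshake done, chain not trusted locally
    else
        echo unknown
    fi
}

# parse_client_versions: read "openssl s_client -help" (or the usage dump an
# old build prints) on stdin and print the -tls1_N switches the build offers.
parse_client_versions() {
    help=$(cat)
    found=
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if printf '%s\n' "$help" | grep -q -- "-$v "; then
            found="$found $v"
        fi
    done
    echo "${found# }"
}

# probe HOST PORT VERSION: one live handshake attempt, classified.
# -servername sends SNI, which a CDN front may need before it picks a
# certificate; </dev/null makes s_client exit right after the handshake.
probe() {
    openssl s_client -connect "$1:$2" "-$3" -servername "$1" </dev/null 2>&1 \
        | classify_handshake
}

# Constructed samples, modelled on the output posted in the thread (0.9.8j)
# and on a successful TLS 1.2 handshake, so the classifier runs offline.
SAMPLE_ALERT40='CONNECTED(00000003)
20441:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1100:SSL alert number 40
20441:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:'
SAMPLE_NOOPT='unknown option -tls1_2
usage: s_client args'
SAMPLE_OK='CONNECTED(00000003)
---
SSL handshake has read 3157 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'
SAMPLE_USAGE_098='-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1'
SAMPLE_USAGE_12='-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1'

printf 'sample alert 40   -> %s\n' "$(printf '%s\n' "$SAMPLE_ALERT40" | classify_handshake)"
printf 'sample no option  -> %s\n' "$(printf '%s\n' "$SAMPLE_NOOPT" | classify_handshake)"
printf 'sample success    -> %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_handshake)"
printf 'SLE 11 SP3 build offers: %s\n' "$(printf '%s\n' "$SAMPLE_USAGE_098" | parse_client_versions)"
printf 'SLE 12 SP3 build offers: %s\n' "$(printf '%s\n' "$SAMPLE_USAGE_12" | parse_client_versions)"

# Live run, only when asked for: PROBE_HOST=packages.microsoft.com sh probe.sh
# Run it once on each network path (corporate vs. cellular) and diff the tables.
if [ -n "${PROBE_HOST-}" ]; then
    versions=$(openssl s_client -help 2>&1 | parse_client_versions)
    echo "local openssl offers: ${versions:-none (no -tls1_N switch found)}"
    for v in $versions; do
        printf '%-8s %s\n' "$v" "$(probe "$PROBE_HOST" "${PROBE_PORT:-443}" "$v")"
    done
fi
```

If the live table reads "server-rejected" for tls1 and the build offers nothing newer, the client is the limiting side and no network change will help; if the same build gets "ok-verified" on one network path and "server-rejected" or "handshake-failed" on the other, a middlebox is altering the handshake and a tcpdump capture of port 443 on both paths is the next step. One caveat for the curl-openssl1 route discussed later in the thread: zypper does not run the curl binary, libzypp links libcurl directly, so after switching curl with update-alternatives, run ldd on the libzypp shared object and confirm which libssl it resolves to before concluding the switch reached zypper.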

misaelcun
08-Nov-2017, 03:17
Hi again,

Since my last post, I made some tests in these environments:

One SUSE Server 11 SP4, fully patched (VBox VM for test), and openSUSE Leap 42.3 (VBox VM for test); my Prod. server is SLES for SAP SP3.

In SUSE Server 11 SP4, after applying curl-openssl1 and wget-openssl1 (https://www.suse.com/documentation/suse-best-practices/singlehtml/securitymodule/securitymodule.html), I get this openssl version:

OpenSSL 0.9.8j-fips 07 jan 2009

When trying to add the repo fails with same error message reported in this forum.

In my OpenSuse Leap 42.3 VM I got this version:

OpenSSL 1.0.2j-fips 26 sep 2016

In openSUSE I can add the repo with success!!! That means my problem with the Prod. SUSE server is the openssl version.

Do you know how I can install the latest openssl version in SLES for SAP 11 SP3 or SLES for SAP 11 SP4, any workaround? The curl-openssl1 and wget-openssl1 do not work in SLES 11 SP3 and SP4.

I am not able to upgrade to SLES for SAP 12.

Best Regards.

jmozdzen
14-Nov-2017, 16:10
Hi,

> Do you know how I can install the latest openssl version in SLES for SAP 11 SP3 or SLES for SAP 11 SP4, any workaround?

As I understand your post, you were able to install curl-openssl1 and wget-openssl1 on the SLES11SP4 machine, but zypper still reports the error.

Have you selected the new curl.openssl1 to be the system-wide default, as per https://www.suse.com/documentation/suse-best-practices/singlehtml/securitymodule/securitymodule.html#sec.curlwget ?

Regards,
J

misaelcun
14-Nov-2017, 16:28
Hi jmozdzen,

Yes, I followed the instructions using the update-alternatives, but still the problem persists.

Best Regards.