[CentOS-devel] Centos 8 TLS libs & tools - then Squid proxy Centos 7

Wed Feb 12 15:04:26 UTC 2020
Orion Poplawski <orion at nwra.com>

On 2/12/20 4:15 AM, lejeczek via CentOS-devel wrote:
> On 12/02/2020 10:46, lejeczek via CentOS-devel wrote:
>> hi devel guys,
>>
>> I thought I'd ask here directly for it begins to worry me a bit. What's
>> that? Well.. it's a freshly set up Centos8 box which has no direct way
>> out but via Squid proxy(Centos7 squid-3.5.20-12.el7_6.1.x86_64) and it
>> seems that lots of things do not want to work, eg.:
>>
>> $ podman search centos
>> ERRO[0000] error searching registry "registry.fedoraproject.org": couldn't search registry "registry.fedoraproject.org": error pinging docker registry registry.fedoraproject.org: Get https://registry.fedoraproject.org/v2/: proxyconnect tcp: tls: first record does not look like a TLS handshake
>> ERRO[0000] error searching registry "docker.io": couldn't search registry "docker.io": error pinging docker registry index.docker.io: Get https://index.docker.io/v2/: proxyconnect tcp: tls: first record does not look like a TLS handshake
>> ERRO[0000] error searching registry "registry.access.redhat.com": couldn't search registry "registry.access.redhat.com": error pinging docker registry registry.access.redhat.com: Get https://registry.access.redhat.com/v2/: proxyconnect tcp: tls: first record does not look like a TLS handshake
>> ERRO[0000] error searching registry "registry.centos.org": couldn't search registry "registry.centos.org": error pinging docker registry registry.centos.org: Get https://registry.centos.org/v2/: proxyconnect tcp: tls: first record does not look like a TLS handshake
>>
>> Another example is R from EPEL, installing any package/library in R also
>> fails in similar way and at Squid's end I get lots of:
>>
>> ...
>>
>> 1581503634.209      1 10.5.8.17 TAG_NONE/400 4300 %1F%8Dl%E4%C9z%CFD$%ED%87%EF%A9%F4%F7%05%E7%9Cja%E8%23Y%B5%A5%EBb%7BT%8F%B4 - HIER_NONE/- text/html
>> 1581503634.211      1 10.5.8.17 TAG_NONE/400 4315 NONE error:invalid-request - HIER_NONE/- text/html
>> 1581503634.211      0 10.5.8.17 TAG_NONE/400 4120  &%AFi%BB%1A%AD%03%9C - HIER_NONE/- text/html
>> 1581503634.211      0 10.5.8.17 TAG_NONE/400 4270 T%88vH5%BAw%EE%FB%1F9%DE%D5%B9%90%C7%05?%F1%D6%22%E3%5B%8F%7F%7C%E6 - HIER_NONE/- text/html
>> 1581503634.212      0 10.5.8.17 TAG_NONE/400 4300 %85S%80%BAKh%8E%AB+%90%D4%8Ad%F0%B4%EB%C1or%5E%BEY%800+%F8%98%AF%04!%97%F0 - HIER_NONE/- text/html
>> 1581503634.212      0 10.5.8.17 TAG_NONE/400 4192 %DA%E6%9E3%DB%9AP%E0q%A3%89c%BBeO%C2%A5%0F - HIER_NONE/- text/html
>> 1581503634.213      0 10.5.8.17 TAG_NONE/400 4074  %1Ej%8D%17 - HIER_NONE/- text/html
>> 1581503634.213      0 10.5.8.17 TAG_NONE/400 4564 NONE error:invalid-request - HIER_NONE/- text/html
>> 1581503663.358    529 10.8.9.208 TCP_TUNNEL/200 4442 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.128.10 -
>> 1581503708.562      1 10.5.8.17 TAG_NONE/400 4300 %EF%1E%F9%10:%9E%CE(%85%F4%CD%DEc%809%0EnU%BD%E3%9F@%14%8C%FF!%03%7C?*%B5l - HIER_NONE/- text/html
>> 1581503708.563      1 10.5.8.17 TAG_NONE/400 4315 NONE error:invalid-request - HIER_NONE/- text/html
>> 1581503708.564      0 10.5.8.17 TAG_NONE/400 4315 %9D%7D%17.%D0%F4%B2%C9%B6V%8E%B5%BB%10X%AF%F1%E3g%3C%14%90%C2%F7%AF%E6P%19%1D6%98%C1%DB - HIER_NONE/- text/html
>> 1581503708.564      0 10.5.8.17 TAG_NONE/400 4242 -N%08,%3E.%93%F87l%0F%7F%89G%0E%1C%A0%A7%90%DF%8A+%D9%E4c - HIER_NONE/- text/html
>> 1581503708.565      1 10.5.8.17 TAG_NONE/400 4315 %D1f%E3%891%EA%86%07%07%B7%EEu%BF%83F%AD%E4%A2%FB7%CE%ACw%1Cf*%E2%FD%BD%9A%5E%07 - HIER_NONE/- text/html
>> 1581503708.565      0 10.5.8.17 TAG_NONE/400 4315 NONE error:invalid-request - HIER_NONE/- text/html
>> 1581503708.565      0 10.5.8.17 TAG_NONE/400 4280 %A3%13%EE%D9%5CIfKzS%F39x%AB%CE%F8%D0A%D7Y%8A4%C17%FC%9A%B9%98%87%CBz - HIER_NONE/- text/html
>> 1581503708.566      0 10.5.8.17 TAG_NONE/400 4174 %C1;%A4q%8E%81%E6%CE%E1%DC%81N%1D%F0 - HIER_NONE/- text/html
>>
>> Everything else seems to work fine, a small group of Centoses 7 use that
>> Squid just fine, Windows boxes too.
>>
>> Would you share any thoughts as to what might be going on there?
>>
>> many thanks, L.
> 
> What is different - before I could ever dig that up you can probably
> tell already - in our Centos8 that makes "stuff" fail?
> 
> Here "stuff" fails:
> 
>    export https_proxy="https:${_proxy}"
>    export HTTPS_PROXY="https:${_proxy}"
> 
> but this works:
> 
>    export https_proxy="http:${_proxy}"
>    export HTTPS_PROXY="http:${_proxy}"
> 
> and, what fails in Centos8 (still) works in Centos7.

First, as others have noted, make sure that if you are using https: to 
connect to your proxy that that is in fact supported - most are not 
configured that way.

However, I just fixed an issue with podman not working with our local 
SSL proxy (e2guardian) because podman restricts ciphers to ECDHE and the 
proxy did not support those ciphers.  On EL7 w/ openssl 1.0.2, servers 
must explicitly enable ECDH(E) support which was not being done.


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
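Both failure modes raised in this thread can be checked with a small script, on the Squid host (the access.log burst) or on the CentOS 8 client (the proxy URL and the ECDHE handshake). The script below is an added example; it is not code from the thread, from Squid or from podman. It assumes Squid's default native access.log layout (time, elapsed, client, tag/code, bytes, method, URL, user, hier/peer, type); the sample log lines are constructed in the style of the ones quoted above; and OpenSSL's "ECDHE" cipher alias stands in for podman's actual cipher list, which the thread does not give.

```python
"""Triage helpers for the two failure modes discussed in the thread.

Added example, not code from the thread, Squid or podman.  Assumes Squid's
default "native" access.log layout and uses OpenSSL's "ECDHE" cipher alias
as a stand-in for podman's ECDHE-only client (exact list not in the thread).
"""
import socket
import ssl
from collections import Counter
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample in the style of the lines quoted in the thread: two
# TAG_NONE/400 entries whose "request" is percent-encoded binary, plus one
# ordinary CONNECT tunnel.  Squid percent-encodes unprintable bytes.
SAMPLE_LOG = """\
1581503634.209      1 10.5.8.17 TAG_NONE/400 4300 %1F%8Dl%E4%C9z%CFD$%ED%87%EF%A9%F4%F7%05%E7%9Cja%E8%23Y%B5%A5%EBb%7BT%8F%B4 - HIER_NONE/- text/html
1581503634.211      1 10.5.8.17 TAG_NONE/400 4315 NONE error:invalid-request - HIER_NONE/- text/html
1581503663.358    529 10.8.9.208 TCP_TUNNEL/200 4442 CONNECT v10.events.data.microsoft.com:443 - HIER_DIRECT/52.114.128.10 -
1581503708.562      1 10.5.8.17 TAG_NONE/400 4300 %EF%1E%F9%10:%9E%CE(%85%F4%CD%DEc%809%0EnU%BD%E3%9F@%14%8C%FF!%03%7C?*%B5l - HIER_NONE/- text/html
"""


def binary_ratio(request_tokens):
    """Fraction of bytes outside printable ASCII after undoing percent-encoding."""
    raw = b" ".join(unquote_to_bytes(t) for t in request_tokens)
    if not raw:
        return 0.0
    unprintable = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    return unprintable / len(raw)


def is_tls_to_plain_proxy(line, threshold=0.3):
    """True for a 400 whose request line is mostly binary, which is what a TLS
    ClientHello looks like when a client speaks TLS to Squid's plain http_port.
    Squid logs only one token of the garbage, so the 0x16 0x03 record header is
    usually not visible; printability is the practical signal."""
    fields = line.split()
    if len(fields) < 9 or not fields[3].endswith("/400"):
        return False
    request_tokens = fields[5:-3]          # between bytes and user/hier/type
    return binary_ratio(request_tokens) >= threshold


def suspicious_clients(log_text):
    """Count binary-400 lines per client IP.  A burst from one host points at a
    misconfigured https_proxy= on that host rather than at Squid itself."""
    counts = Counter()
    for line in log_text.splitlines():
        if is_tls_to_plain_proxy(line):
            counts[line.split()[2]] += 1
    return dict(counts)


def check_proxy_url(url):
    """Findings for a proxy URL as used in http_proxy/https_proxy."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "https":
        findings.append("https:// means TLS *to the proxy*; a plain Squid "
                        "http_port expects http://")
    if not parts.netloc:
        findings.append("no host after the scheme; expected scheme://host:port")
    return findings


def ecdhe_only_context():
    """Client context restricted to ECDHE key exchange, reproducing the
    'podman only negotiates ECDHE' condition described in the thread."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE")
    return ctx


def probe_ecdhe(host, port, timeout=5.0):
    """Handshake with an SSL-terminating proxy using ECDHE only.  Returns the
    negotiated cipher name, or the OpenSSL error text when the server offers
    no ECDHE suite (an EL7 openssl 1.0.2 server without ECDH enabled)."""
    ctx = ecdhe_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return f"handshake failed: {exc}"


if __name__ == "__main__":
    print("binary 400s per client:", suspicious_clients(SAMPLE_LOG))
    for u in ("https://10.5.8.1:3128", "http://10.5.8.1:3128"):
        print(u, "->", check_proxy_url(u) or ["ok"])
```

Run it against a real access.log with `suspicious_clients(open(path).read())`; the client IP with the burst is the box whose `https_proxy` needs `http://`. For the cipher question, `probe_ecdhe("proxy.example", 3128)` (hypothetical host) returns a cipher name only if the proxy can do ECDHE, which is what Orion's podman fix hinged on.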
