
Fix for vault.centos.org now forces https TLS 1.3 #1

Open
wants to merge 2 commits into
base: master

Conversation

markovanderpuil

Since vault.centos.org forces https over tlsv1.3 which centos 511 doesn't support, use a pure http mirror that does not (yet) force https.

Marko van der Puil added 2 commits April 9, 2021 02:27
… centos 511 doesn't support, use a pure http mirror that does not (yet) force https.
…port. Uses a pure http mirror that does not (yet) force https.
@astj
Owner

astj commented Apr 9, 2021

Hi, thank you for sending the patch.

Since vault.centos.org forces https over tlsv1.3 which centos 511 doesn't support

As far as I confirmed, currently it seems that CentOS 5.11 can access https://vault.centos.org, both via curl and via yum.
Can you reproduce the problem?

[astj@jumpin02 ~]$ docker run --rm -it astj/centos5-vault bash
[root@f91230b374ac /]# yum check-update
Loaded plugins: fastestmirror
Determining fastest mirrors
base                  | 1.1 kB     00:00
base/primary          | 1.3 MB     00:01
base                                3667/3667
extras                | 2.1 kB     00:00
extras/primary_db     | 173 kB     00:00
libselinux            | 1.9 kB     00:00
libselinux/primary_db | 128 kB     00:00
updates               | 1.9 kB     00:00
updates/primary_db    | 1.0 MB     00:01
Reducing CentOS-5 - libselinux to included packages only
Finished

bash.x86_64                     3.2-33.el5_11.4            updates
bind-libs.x86_64                30:9.3.6-25.P1.el5_11.12   updates
bind-utils.x86_64               30:9.3.6-25.P1.el5_11.12   updates
device-mapper.x86_64            1.02.67-2.el5_11.1         updates
device-mapper-event.x86_64      1.02.67-2.el5_11.1         updates
device-mapper-multipath.x86_64  0.4.7-64.el5_11            updates
glibc.x86_64                    2.5-123.el5_11.3           updates
glibc-common.x86_64             2.5-123.el5_11.3           updates
kpartx.x86_64                   0.4.7-64.el5_11            updates
krb5-libs.x86_64                1.6.1-80.el5_11            updates
libxml2.x86_64                  2.6.26-2.1.25.el5_11       updates
nspr.x86_64                     4.11.0-1.el5_11            updates
nss.x86_64                      3.21.3-2.el5_11            updates
openldap.x86_64                 2.3.43-29.el5_11           updates
openssl.x86_64                  0.9.8e-40.el5_11           updates
pam.x86_64                      0.99.6.2-14.el5_11         updates
popt.x86_64                     1.10.2.3-36.el5_11         updates
rpm.x86_64                      4.4.2.3-36.el5_11          updates
rpm-libs.x86_64                 4.4.2.3-36.el5_11          updates
rpm-python.x86_64               4.4.2.3-36.el5_11          updates
tzdata.x86_64                   2017b-1.el5                updates
udev.x86_64                     095-14.33.el5_11           updates
[root@f91230b374ac /]# yum install --quiet curl

================================================================================
 Package                Arch     Version                   Repository     Size
================================================================================
Installing:
 curl                   i386     7.15.5-17.el5_9           base          235 k
 curl                   x86_64   7.15.5-17.el5_9           base          232 k
Installing for dependencies:
 device-mapper          i386     1.02.67-2.el5_11.1        updates       804 k
 e2fsprogs-libs         i386     1.39-37.el5               base          120 k
 glibc                  i686     2.5-123.el5_11.3          updates       5.4 M
 keyutils-libs          i386     1.2-1.el5                 base           18 k
 krb5-libs              i386     1.6.1-80.el5_11           updates       670 k
 libidn                 i386     0.6.5-1.1                 base          194 k
 libidn                 x86_64   0.6.5-1.1                 base          195 k
 libselinux             i386     1.33.4-5.7.el5.centos     libselinux     77 k
 libsepol               i386     1.15.2-3.el5              base          128 k
 openssl                i686     0.9.8e-40.el5_11          updates       1.7 M
 zlib                   i386     1.2.3-7.el5               base           51 k
Updating for dependencies:
 device-mapper          x86_64   1.02.67-2.el5_11.1        updates       832 k
 device-mapper-event    x86_64   1.02.67-2.el5_11.1        updates        24 k
 glibc                  x86_64   2.5-123.el5_11.3          updates       4.8 M
 glibc-common           x86_64   2.5-123.el5_11.3          updates        17 M
 krb5-libs              x86_64   1.6.1-80.el5_11           updates       683 k
 openssl                x86_64   0.9.8e-40.el5_11          updates       1.7 M

Transaction Summary
================================================================================
Install      13 Package(s)
Upgrade       6 Package(s)

Is this ok [y/N]: y
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID e8562897
Importing GPG key 0xE8562897 "CentOS-5 Key (CentOS 5 Official Signing Key) <[email protected]>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
Is this ok [y/N]: y
warning: /etc/pki/tls/certs/ca-bundle.crt created as /etc/pki/tls/certs/ca-bundle.crt.rpmnew
[root@f91230b374ac /]# curl -v -I https://vault.centos.org/
* About to connect() to vault.centos.org port 443
*   Trying 54.186.51.210... connected
* Connected to vault.centos.org (54.186.51.210) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* 	 subject: /CN=vault.centos.org
* 	 start date: 2021-03-09 13:27:16 GMT
* 	 expire date: 2021-06-07 13:27:16 GMT
* 	 subjectAltName: vault.centos.org matched
* 	 issuer: /C=US/O=Let's Encrypt/CN=R3
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: vault.centos.org
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 09 Apr 2021 05:14:51 GMT
Date: Fri, 09 Apr 2021 05:14:51 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
< X-Xss-Protection: 1; mode=block
X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
Referrer-Policy: same-origin
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< Content-Type: text/html;charset=ISO-8859-1
Content-Type: text/html;charset=ISO-8859-1

* Connection #0 to host vault.centos.org left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
[root@f91230b374ac /]#

baseurl=http://mirrors.kernel.org/fedora-buffet/archive/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
Owner

Enabling the epel repo makes this Docker image behave differently from the original centos:5.11, so I cannot accept this repo file as is.
At least we should disable this repo by default, to keep the original behavior.

Suggested change
enabled=1
enabled=0
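A check I would run on a repo file like the fragment reviewed above, added here as an example and not code from the PR or from the astj/centos5-vault project: it parses a yum .repo fragment, flags enabled repos that fetch over plain http and repos that do not set gpgcheck=1 (RPM signature verification is the only integrity control left once https is dropped), and shows that applying the reviewer's enabled=0 suggestion takes the repo out of scope entirely. The [epel] section name, the name= line and the gpgcheck handling are assumptions for the demo.

```python
"""Audit a yum .repo fragment for plaintext-transport risk (constructed example)."""
import configparser
from urllib.parse import urlsplit

# Constructed sample modelled on the epel repo fragment in the PR; the
# "[epel]" section name and the name= line are assumptions for this demo.
SAMPLE_REPO = """\
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirrors.kernel.org/fedora-buffet/archive/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
"""


def audit_repo(text):
    """Return (section, finding) tuples for enabled repos with weak settings."""
    # interpolation=None keeps yum variables such as $basearch verbatim;
    # full-line "#..." comments (the disabled mirrorlist) are skipped by the parser.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        sec = cp[section]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo is never fetched, which is the reviewer's point
        urls = [sec.get(k) for k in ("baseurl", "mirrorlist", "metalink") if sec.get(k)]
        plaintext = [u for u in urls if urlsplit(u).scheme == "http"]
        if plaintext:
            findings.append((section, "plaintext transport: " + ", ".join(plaintext)))
        if sec.get("gpgcheck", "0").strip() != "1":
            # Not set in the fragment, so it falls back to yum.conf; report it explicitly.
            findings.append((section, "gpgcheck not set to 1 in this repo section"))
    return findings


def apply_suggested_change(text):
    """Apply the review suggestion: turn 'enabled=1' into 'enabled=0'."""
    return "\n".join("enabled=0" if line.strip() == "enabled=1" else line
                     for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    for section, finding in audit_repo(SAMPLE_REPO):
        print(f"[{section}] {finding}")
    print("after suggested change:", audit_repo(apply_suggested_change(SAMPLE_REPO)))
```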
