Bug 132515

Summary: SLES9 curl and YOU with https proxy
Product: [openSUSE] openSUSE.org
Reporter: Rosemary McKee <rosemary.mckee>
Component: Wiki
Assignee: Harald Mueller-Ney <hmuelle>
Status: RESOLVED FIXED
QA Contact: Adrian Schröter <adrian.schroeter>
Severity: Normal
Priority: P5 - None
CC: forgotten_C_YDIIfXhm, mlasars
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:    
Bug Blocks: 133243    

Description Rosemary McKee 2005-11-07 06:56:08 UTC
_11-Your_Name: Frank Hornung
_12-Email: frank.hornung@stihl.de 
_13-Number: 00497151263044
_14-Company_Name: Andreas Stihl AG & CO. KG
_15-Company_Address: Badstrasse 115, 71336 Waiblingen
_20-Product: Suse Linux Enterprise Server 9
_21-Defect: the combination of yast-onlineupdate and curl does not work with a https-proxy (e.g. MS-ISA).
There seem to be two problems:
1. curl in SLES 9 (version curl-7.11.0-39.9) has a bug in the proxy-authentication code, curl bug 1188280 (http://curl.haxx.se/mail/tracker-2005-05/0006.html). This problem seems fixed in actual stable version of curl: curl-7.15.0.
(I verified this on the command line. First I started SLES9 curl and got a message from the proxy that authentication is required. Second I started the actual version of curl 7.15.0 with the same command line and there were no errors from the proxy.)

2. Yast-Onlineupdate seems to call curl wrong in case a https site is called, because no proxy-authentication credentials are used. (Even if I link the new curl version so that yast uses it.)

Please supply new yast2 and curl packages which do not suffer from this problem.
_22-Other_Product: none
_23-Steps: 1. Install SLES 9 SP2 + all patches available
2. Install https-enablement patch from novell/suse
3. Setup ISA-Proxy-Server and configure Proxy in Yast Proxy-Module
4. Try to use online-update using the ISA Proxy-Server, select https://you.novell.com/update as Download-Target.
5. You will get error message something like:
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )..

6. You will see in tcpdump/ethereal that no proxy-authorization string has been sent from yast/curl

7. Try launching curl on the command line
curl --anyauth -U proxy-user:password https://you.novell.com/update
which fails with the same error (and the same behaviour when sniffed with ethereal)

8. Compile actual stable version of curl (7.15)
Try the same command line, which now works

9. Remove the curl libraries and replace them with the newly compiled ones (which is a dirty hack).

10. Start yast-onlineupdate and see that yast still doesn't supply proxy-authentication info to curl
_24-Other_Scenarios: Didn't try others
_25-Environment_Description: environment variables for http_proxy, https_proxy 
have been set with yast2 proxy module
...
see above
_26-Reported: Production
_27-Testing_Environment: Didn't try that
_28-Fix: a new curl version is needed, e.g. 7.15, but there seems to be a problem with yast2 as well
_22-Additional: Contact me if you need further information.
I can reproduce the problem and supply info to you.

This is only a problem for me because, as far as I know, sdb.suse.de and sdb2.suse.de will be shut down in January and I then need to update against https://you.novell.com/update
_29-Patch: SP2
Comment 1 Martin Lasarsch 2005-11-07 10:48:32 UTC
Michal: is there maybe a patch already included in SP3?
Comment 2 Michal Marek 2005-11-07 12:02:41 UTC
The Yast-Onlineupdate thing seems to be related to Bug #95647.
Comment 3 Michal Marek 2005-11-07 14:37:41 UTC
Regarding the curl bug: No, there is no such patch in SP3. I can backport
the CONNECT handling from a newer version, but I don't know how to test
it (I have no ISA server here).
Comment 5 Harald Mueller-Ney 2005-11-10 12:16:23 UTC
Problem is solved by Maintenance Update

external reference: patch-10560 - YOU update for yast2-packagemanager
internal reference: 13e5d1d6b9c686fa1b43e61994eb1f62

Support contacted customer and has verified that the problem is solved.
I will close this bug as resolved fixed and create a new one for next SLES, because there might still be an issue with curl, proxy, https, which should be solved with next SLES.
Comment 6 Harald Mueller-Ney 2005-11-10 12:17:10 UTC
Resolved fixed now, after removing dependency for 120960 (SLES9)
Comment 7 Harald Mueller-Ney 2005-11-10 12:17:24 UTC
Resolved fixed now, after removing dependency for 120960 (SLES9)
Comment 8 Forgotten User C_YDIIfXhm 2005-11-10 13:02:08 UTC
It seems that the YOU update for yast2-packagemanager fixed the problem.

I tested a lot on my machine with new curl versions and libraries... and then tried to revert all my changes (reinstalled the rpm packages from SLES).
Because of that I would have liked to verify the problem with a fresh SLES installation.
But I have no possibility to do that at the moment.

Comment 9 Harald Mueller-Ney 2005-11-10 14:36:12 UTC
I expect it is also fixed, even though I have no possibility to test with MS ISA as proxy server.
We tested against SQUID; SQUID also needs "CONNECT" for https sessions, at least the SLES9 version.
Comment 10 Forgotten User C_YDIIfXhm 2005-11-10 14:46:50 UTC
I am not an expert on proxies and CONNECT requests.
But I can tell you what I saw in ethereal when the problem occurred and now, after the update SUSE provided.

Before the update I saw a CONNECT request from Yast to the ISA proxy.
The ISA proxy then complained about missing authentication data and closed the connection.

After the https fix was installed there is no error message from the proxy any more and Yast Online-update shows the list of available patches.

I suppose that the problem is fixed because it now works with squid at your site and it works at our site with ISA server.

I just wanted to tell you with my last post that I am not 100 percent sure if I scrambled my system during the tests I did to verify the problem...
so the best would be to do a fresh install and test it once again with an ISA server... just a recommendation of mine.
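
Added example, not part of the bug report and not code from curl or YaST: a small Python check that reads a captured proxy conversation, like the one the thread describes inspecting in ethereal, and reports whether any CONNECT request carried a Proxy-Authorization header. The function names, verdict strings and capture bytes are assumptions constructed for illustration.

```python
# Added example: classify a captured proxy CONNECT conversation.
# The capture bytes below are constructed for illustration.

def parse_head(raw: bytes):
    """Return (start_line, headers) with header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify(exchanges):
    """exchanges: list of (request, response) byte pairs in capture order."""
    verdict = "no CONNECT seen"
    for req, resp in exchanges:
        req_line, req_headers = parse_head(req)
        if not req_line.startswith("CONNECT "):
            continue
        status = int(parse_head(resp)[0].split()[1])
        sent_auth = "proxy-authorization" in req_headers
        if 200 <= status < 300:
            return "tunnel established"
        if status == 407:
            # An unauthenticated first CONNECT answered by 407 is normal
            # when the client probes for the scheme; it is a failure only
            # if no later CONNECT carries Proxy-Authorization. Multi-step
            # schemes (NTLM) also see a 407 mid-handshake, so judge the
            # verdict on the last exchange of a complete capture.
            verdict = ("credentials sent but rejected" if sent_auth
                       else "client never answered the 407 challenge")
        else:
            verdict = f"proxy refused CONNECT with status {status}"
    return verdict

TARGET = b"CONNECT you.novell.com:443 HTTP/1.0\r\n"
CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Basic realm=\"constructed\"\r\n\r\n")
OK = b"HTTP/1.0 200 Connection established\r\n\r\n"
AUTH = b"Proxy-Authorization: Basic PLACEHOLDER\r\n"  # placeholder value

NO_CREDENTIALS = [(TARGET + b"\r\n", CHALLENGE)]
WITH_CREDENTIALS = NO_CREDENTIALS + [(TARGET + AUTH + b"\r\n", OK)]

if __name__ == "__main__":
    print(classify(NO_CREDENTIALS))
    print(classify(WITH_CREDENTIALS))
```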