Bugzilla – Bug 132515
SLES9 curl and YOU with https proxy
Last modified: 2005-11-10 14:46:50 UTC
_11-Your_Name: Frank Hornung
_12-Email: frank.hornung@stihl.de
_13-Number: 00497151263044
_14-Company_Name: Andreas Stihl AG & CO. KG
_15-Company_Address: Badstrasse 115, 71336 Waiblingen
_20-Product: Suse Linux Enterprise Server 9
_21-Defect: The combination of yast-onlineupdate and curl does not work with an https proxy (e.g. MS-ISA). There seem to be two problems:
1. curl in SLES 9 (version curl-7.11.0-39.9) has a bug in the proxy-authentication code, curl bug 1188280 (http://curl.haxx.se/mail/tracker-2005-05/0006.html). This problem seems fixed in the actual stable version of curl, curl-7.15.0. (I verified this on the command line. First I started the SLES9 curl and got a message from the proxy that authentication is required. Second I started the actual version of curl, 7.15.0, with the same command line and there were no errors from the proxy.)
2. Yast-Onlineupdate seems to call curl wrongly in case an https site is called, because no proxy-authentication credentials are used (even if I link the new curl version so that yast uses it).
Please supply new yast2 and curl packages which do not suffer from this problem.
_22-Other_Product: none
_23-Steps:
1. Install SLES 9 SP2 + all patches available.
2. Install the https-enablement patch from novell/suse.
3. Set up the ISA proxy server and configure the proxy in the Yast Proxy module.
4. Try to use online-update through the ISA proxy server; select https://you.novell.com/update as the download target.
5. You will get an error message something like: HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )..
6. You will see in tcpdump/ethereal that no proxy-authorization string has been sent from yast/curl.
7. Try launching curl on the command line:
   curl --anyauth -U proxy-user:password https://you.novell.com/update
   which fails with the same error (and the same behaviour when sniffed with ethereal).
8. Compile the actual stable version of curl (7.15). Try the same command line, which now works.
9. Remove the curl libraries and replace them with the newly compiled ones (which is a dirty hack).
10. Start yast-onlineupdate and see that yast still doesn't supply proxy-authentication info to curl.
_24-Other_Scenarios: Didn't try others
_25-Environment_Description: environment variables for http_proxy, https_proxy have been set with yast2 proxy module ... see above
_26-Reported: Production
_27-Testing_Environment: Didn't try that
_28-Fix: a new curl version is needed, e.g. 7.15, but there seems to be a problem with yast2 as well
_22-Additional: Contact me if you need further information. I can reproduce the problem and supply info to you. This is only a problem for me because, as far as I know, sdb.suse.de and sdb2.suse.de will be shut down in January and I then need to update against https://you.novell.com/update
_29-Patch: SP2
Michal: is there maybe a patch already included in SP3?
The Yast-Onlineupdate thing seems to be related to Bug #95647.
Regarding the curl bug: No, there is no such patch in SP3. I can backport the CONNECT handling from a newer version, but I don't know how to test it (I have no ISA server here).
Problem is solved by Maintenance Update.
external reference: patch-10560 - YOU update for yast2-packagemanager
internal reference: 13e5d1d6b9c686fa1b43e61994eb1f62
Support contacted the customer and has verified that the problem is solved. I will close this bug resolved fixed and create a new one for the next SLES, because there might still be an issue with curl, proxy, https, which should be solved with the next SLES.
Resolved fixed now, after removing dependency for 120960 (SLES9)
It seems that the YOU update for yast2-packagemanager fixed the problem. I tested a lot on my machine with new curl versions and libraries... and then tried to revert all my changes (reinstalled the rpm packages from SLES). Because of that I would have liked to verify the problem with a fresh SLES installation. But I have no possibility to do that at the moment.
I expect it is also fixed, even though I have no possibility to test with MS ISA as the proxy server. We tested against SQUID; SQUID also needs "CONNECT" for https sessions, at least the SLES9 version.
I am not an expert on proxies and CONNECT requests. But I can tell you what I saw in ethereal when the problem occurred and now, after the update SUSE provided. Before the update I saw a CONNECT request from Yast to the ISA proxy. The ISA proxy then complained about missing authentication data and closed the connection. After the https fix was installed there is no error message from the proxy any more and Yast Online-update shows the list of available patches. I suppose that the problem is fixed because it now works with squid at your site and it works at our site with the ISA server. I just wanted to tell you with my last post that I am not 100 percent sure if I scrambled my system during the tests I did to verify the problem... so the best would be to do a fresh install and test it once again with an ISA server... just a recommendation of mine.
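Added example, not part of the original bug thread or of the curl/YaST code: a small Python checker that reads a CONNECT exchange as it would appear in an ethereal/tcpdump capture and reports whether the client ever sent a Proxy-Authorization header, which is the symptom described above. The sample messages are constructed, the offered schemes (NTLM, Basic) are assumptions, and proxy-user:password is the placeholder from the curl command line in the report.

```python
import base64

def parse_head(raw):
    """Split one HTTP message head into (start_line, [(lowercased name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (l.partition(":") for l in lines[1:])]
    return lines[0], headers

def diagnose(exchange):
    """Classify a CONNECT exchange given as [(side, raw_message), ...]."""
    sent_auth, last_status, schemes = False, None, []
    for side, raw in exchange:
        start, headers = parse_head(raw)
        if side == "client" and start.startswith("CONNECT "):
            # Did any CONNECT attempt carry proxy credentials?
            sent_auth = sent_auth or any(n == "proxy-authorization" for n, _ in headers)
        elif side == "proxy":
            last_status = int(start.split()[1])
            for name, value in headers:
                if name == "proxy-authenticate" and value:
                    scheme = value.split()[0]
                    if scheme not in schemes:
                        schemes.append(scheme)
    if last_status is not None and 200 <= last_status < 300:
        verdict = "tunnel established"
    elif last_status == 407 and not sent_auth:
        verdict = "client sent no Proxy-Authorization"
    elif last_status == 407:
        verdict = "credentials sent but not accepted"
    else:
        verdict = "other"
    return {"verdict": verdict, "status": last_status, "offered": schemes}

# Constructed sample traffic, not a capture from the reporter's network.
CONNECT = "CONNECT you.novell.com:443 HTTP/1.1\r\nHost: you.novell.com:443\r\n"
CHALLENGE = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: NTLM\r\n"          # assumed scheme list
             'Proxy-Authenticate: Basic realm="proxy"\r\n'
             "Connection: close\r\n\r\n")
CREDS = base64.b64encode(b"proxy-user:password").decode()  # placeholder credentials

BEFORE_FIX = [("client", CONNECT + "\r\n"), ("proxy", CHALLENGE)]
AFTER_FIX = BEFORE_FIX + [  # assumes the retry uses Basic authentication
    ("client", CONNECT + f"Proxy-Authorization: Basic {CREDS}\r\n\r\n"),
    ("proxy", "HTTP/1.1 200 Connection established\r\n\r\n"),
]

if __name__ == "__main__":
    for name, ex in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, diagnose(ex))
```

With NTLM, a 407 after the first credentialed CONNECT is a normal leg of the handshake, so "credentials sent but not accepted" only indicates a failure when it is the final response in the capture.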