Updated Curl - YUM no longer works

linuxCurling
Posts: 2
Joined: 2018/06/12 14:03:51

Updated Curl - YUM no longer works

Post by linuxCurling » 2018/06/12 14:16:36

Hello, I am having a bit of trouble. I've done a lot of searching around and could use a bit of assistance. I am using Red Hat 7.5 (which should be equivalent to CentOS, which is why I figured I would post here). I am on a remote machine (I do not have access to the physical PC) and I am tasked with installing software and setting up the machine. However, to get xRDP to work I need EPEL. I had issues installing EPEL and was advised by other searches to update curl. However, I finally managed to install EPEL without updating curl, then subsequently updated curl for good measure, and then YUM stopped working. The steps I've performed are as follows:

1. sudo yum -y install libx11-dev libxfixes-dev libssl-dev libpam0g-dev libtool libjpeg-dev flex bison gettext autoconf libxml-parser-perl libfuse-dev xsltproc libxrandr-dev python-libxml2 nasm xserver-xorg-dev fuse
2. sudo yum-config-manager --enable extras
3. Use the following commands to add city-fan repository:
a. sudo vi /etc/yum.repos.d/city-fan.repo
b. Paste the following contents:
[CityFan]
name=City Fan Repo
baseurl=http://www.city-fan.org/ftp/contrib/yum ... $basearch/
enabled=1
gpgcheck=0
c. Saved the file (shift-z-z)
d. yum clean all
4. sudo yum install https://dl.fedoraproject.org/pub/epel/e ... noarch.rpm
5. sudo yum clean all
6. sudo yum update curl
7. sudo yum -y install xrdp tigervnc-server


Step 7 fails and now I can no longer use YUM to install packages as I get the following error:

[Errno 14] curl#35 - "SSL received a record that exceeded the maximum permissible length."

This happens on almost every address I try manually with curl (and with tls1.0,1.1,1.2,1.3 as well as --ipv4 and -k or --nosecure options). When I perform "curl -v 127.0.0.1" I get:


[...]$ curl -v 127.0.0.1
* Rebuilt URL to: 127.0.0.1/
* Trying 10.15.10.254...
* TCP_NODELAY set
* Connected to 10.15.10.254 (10.15.10.254) port 8080 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: none
CApath: none
* loaded libnssckbi.so
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)

* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

The issue appears to be NSS. Curl --version returns the following:

curl --version
curl 7.60.0 (x86_64-redhat-linux-gnu) libcurl/7.60.0 NSS/3.34 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.8.0 nghttp2/1.31.1
Release-Date: 2018-05-16
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy PSL Metalink
[...]$

Trying to manually install the 3.36 NSS RPM yields conflicts and it says it is already installed.

Summary:

I've updated curl to 7.6 and yum does not work. Curl returns "SSL received a record that exceeded the maximum permissible length." and I get an NSS error -12263. Before going further into the rabbit hole, does NSS in fact need to be updated? None of the searches on the issue have yielded results to move forward. What suggestions do you have to further troubleshoot the issue? Thank you.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Updated Curl - YUM no longer works

Post by avij » 2018/06/12 14:47:52

No, don't update curl from some random third-party repository. That is step one. Revert back to the curl in 7.5. This is what you should have:

$ rpm -q curl libcurl
curl-7.29.0-46.el7.x86_64
libcurl-7.29.0-46.el7.x86_64

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Updated Curl - YUM no longer works

Post by TrevorH » 2018/06/12 14:50:29

And absolutely avoid the city-fan repo. It replaces core packages and will break your system. It is not a safe repo to use.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
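
Added example, not part of the original thread: a small shell audit that flags enabled yum repositories which skip GPG signature checks or fetch packages over plain HTTP, the two properties of the repo stanza in the first post. The function names and the sample file (with a placeholder host) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag enabled yum repos that skip GPG checks or use plain HTTP.

audit_repo_file() {   # $1 = path to a .repo file
  awk -v file="$1" '
    function report() {
      if (section == "" || enabled == "0") return
      if (gpgcheck == "0")
        print file ": [" section "] gpgcheck=0, packages are installed unverified"
      if (baseurl ~ /^http:\/\//)
        print file ": [" section "] baseurl is plain http"
    }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[.*\][ \t]*$/ {                    # new [section]: flush the previous one
      report()
      section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
      enabled = "1"; gpgcheck = ""; baseurl = ""   # yum enables a repo unless told otherwise
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key == "enabled") enabled = val
      else if (key == "gpgcheck") gpgcheck = val   # unset: inherited from [main] in yum.conf
      else if (key == "baseurl") baseurl = val
    }
    END { report() }
  ' "$1"
}

audit_repo_dir() {    # $1 = directory of .repo files (default: /etc/yum.repos.d)
  local f
  for f in "${1:-/etc/yum.repos.d}"/*.repo; do
    [ -e "$f" ] && audit_repo_file "$f"
  done
  return 0
}

write_sample_repo() { # constructed sample modelled on the posted stanza; host is a placeholder
  printf '%s\n' '[ThirdParty]' 'name=Constructed third-party repo' \
    'baseurl=http://repo.example.invalid/el7/$basearch/' 'enabled=1' 'gpgcheck=0' '' \
    '[Signed]' 'name=Constructed signed repo' \
    'baseurl=https://repo.example.invalid/signed/' 'enabled=1' 'gpgcheck=1' '' \
    '[Off]' 'name=Disabled repo' 'baseurl=http://repo.example.invalid/off/' \
    'enabled=0' 'gpgcheck=0' > "$1"
}
```

Running `audit_repo_dir` with no argument checks `/etc/yum.repos.d`; only explicit `gpgcheck=0` is reported, since an unset value falls back to the `[main]` setting in `/etc/yum.conf`.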

linuxCurling
Posts: 2
Joined: 2018/06/12 14:03:51

Re: Updated Curl - YUM no longer works

Post by linuxCurling » 2018/06/12 15:06:18

Thank you guys. I've reverted the system back to stock image snapshot. I've had a discussion with coworkers and I'll avoid updating curl and avoid using the city repo. There was a lot of confusion as other sources recommend updating curl off the bat. I was able to get EPEL installed just by manually pointing to the URL as follows:

sudo yum install https://dl.fedoraproject.org/pub/epel/e ... noarch.rpm

Then performing the following for xRDP:

1. sudo yum -y install xrdp tigervnc-server
2. sudo systemctl start xrdp
3. sudo systemctl enable xrdp
4. sudo firewall-cmd --permanent --add-port=3389/tcp
5. sudo firewall-cmd --permanent --add-port=8080/tcp
6. sudo firewall-cmd --reload

YUM continues to work and I can proceed to install software. Thanks again.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Updated Curl - YUM no longer works

Post by TrevorH » 2018/06/12 15:40:06

FYI, CentOS have shipped the epel-release package in the 'extras' repo since CentOS 7 was first released. It's available via a simple yum install epel-release (may need --enablerepo=extras if you have disabled the enabled-by-default extras repo).

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: Updated Curl - YUM no longer works

Post by stevemowbray » 2018/06/12 15:43:38

The OP's system is actually RHEL so I don't think that applies.
