
YUM Proxy and SSL - no longer working

Posted: 2019/10/07 18:39:25
by userOS9000
Hello, I've read several posts and articles covering this topic. Unfortunately none have resolved the issue I am facing. Here is some background info:

-Going through Company proxy
-Successfully have Red Hat, RHEL 7 working with YUM through the proxy
-Older version of openssl 1.02 used
-Created a CentOS 8 VM
-Copied YUM configuration from older RHEL 7
-Obtain errors shown below
-RHEL7 VM yum update, yum install, etc still works

YUM.conf:

proxy=https://serverip:port
proxy_username=username
proxy_password=password

From above I have also tried http:// instead of https:// (note: the Red Hat VM that is working has https:// in its yum.conf)

Tried to also add in ~/.bashrc:
export http_proxy='http://username:password@serverip:8080'
export https_proxy='https://username:password@serverip:8080'
export ftp_proxy='http://username:password@serverip:8080'
export all_proxy='http://username:password@serverip:8080'
export ALL_PROXY='username:password@serverip:8080'
export no_proxy='http://username:password@serverip'

Note: I've replaced the actual IP, username, and password with "serverip", "username", and "password" respectively.

Performing sudo yum update -v I get:
CentOS-8 - AppStream 0.0 B/s | 0 B 00:00
Cannot download 'http://mirror.centos.org/centos/8/AppStream/x86_64/os/': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried.
repo: downloading from remote: BaseOS
error: Curl error (35): SSL connect error for http://mirrorlist.centos.org/?release=8 ... nfra=stock [error:1408F10B:SSL routines:ssl3_get_record:wrong version number] (http://mirrorlist.centos.org/?release=8 ... nfra=stock).
CentOS-8 - Base 0.0 B/s | 0 B 00:00
Cannot download 'http://mirrorlist.centos.org/?release=8 ... nfra=stock': Cannot prepare internal mirrorlist: Curl error (35): SSL connect error for http://mirrorlist.centos.org/?release=8 ... nfra=stock [error:1408F10B:SSL routines:ssl3_get_record:wrong version number].
repo: downloading from remote: extras
error: Curl error (35): SSL connect error for http://mirrorlist.centos.org/?release=8 ... nfra=stock [error:1408F10B:SSL routines:ssl3_get_record:wrong version number] (http://mirrorlist.centos.org/?release=8 ... nfra=stock).
CentOS-8 - Extras 0.0 B/s | 0 B 00:00
Cannot download 'http://mirrorlist.centos.org/?release=8 ... nfra=stock': Cannot prepare internal mirrorlist: Curl error (35): SSL connect error for http://mirrorlist.centos.org/?release=8 ... nfra=stock [error:1408F10B:SSL routines:ssl3_get_record:wrong version number].

I've performed a Wireshark capture on the VM adapter and observed HTTP/1.1 400 Bad Request when running:

openssl s_client -connect serverip:port -msg

Returns:
<<< ??? [length 0005]
48 54 54 50 2f
140154021869376:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

The real oddity is that when I go to Firefox and type in the proxy manually, and it prompts me for my username and password, I am able to get to Google and search around fine. I can even type in the above mirrors and access the webpage for CentOS repositories. I am really at a loss and could use any help or suggestions you guys can provide. Thanks.

Re: YUM Proxy and SSL - no longer working

Posted: 2019/10/08 14:12:37
by TrevorH
error: Curl error (35): SSL connect error for http://mirrorlist.centos.org/?release=8 ... nfra=stock [error:1408F10B:SSL routines:ssl3_get_record:wrong version number] (http://mirrorlist.centos.org/?release=8 ... nfra=stock).
CentOS-8 - Base 0.0 B/s | 0 B 00:00
That looks like the sort of error you get from openssl when you point your web browser at e.g. https://www.google.com:80/ instead of 443.
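
Added example, not written by either poster: the five bytes `48 54 54 50 2f` that `openssl s_client -msg` printed in the first post can be checked against the 5-byte TLS record header layout (content type, version, length) to see what the port actually answered with. The function names and the second sample header are constructed for illustration.

```python
# Added diagnostic example; sample inputs are constructed or copied from the
# s_client output quoted in the thread.

# Valid TLS record content types (first byte of every record).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS 1.2 ciphertext record


def classify_first_bytes(data: bytes):
    """Classify the first 5 bytes a server sent in reply to a ClientHello."""
    if len(data) < 5:
        return ("incomplete", "need 5 bytes for a TLS record header")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and length <= MAX_RECORD_LEN):
        return ("tls", f"{TLS_CONTENT_TYPES[ctype]} record, "
                       f"version 3.{minor}, {length} bytes")
    if data[:5] == b"HTTP/":
        # OpenSSL reads bytes 1-2 ("TT" = 0x5454) as the protocol version,
        # which is why it reports "wrong version number".
        return ("plaintext-http", "peer answered in cleartext HTTP; "
                                  "this port is not speaking TLS")
    return ("unknown", f"type=0x{ctype:02x} version=0x{major:02x}{minor:02x}")


def classify_hexdump(hexdump: str):
    """Accept the space-separated hex line printed by `s_client -msg`."""
    return classify_first_bytes(bytes.fromhex(hexdump))


if __name__ == "__main__":
    samples = {
        "from the thread": "48 54 54 50 2f",
        "constructed TLS 1.2 handshake header": "16 03 03 00 5d",
    }
    for label, dump in samples.items():
        kind, detail = classify_hexdump(dump)
        print(f"{label}: {dump} -> {kind} ({detail})")
```
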

Re: YUM Proxy and SSL - no longer working

Posted: 2019/10/09 19:22:01
by userOS9000
Thanks for the response Trevor. Fortunately I was able to figure it out. I needed to go through cntlm to handle authentication. I followed the steps here:

viewtopic.php?t=22455
(See 3rd post)

Basically, by pointing the yum proxy to the cntlm proxy and then within cntlm config point to the company proxy, it worked.