What are you seeing
Curl fails to download files from certain secure URLs because it is unable to negotiate a secure connection.
What behaviour did you expect instead
The file would be downloaded.
Output log
Here is output from the puppet run that failed.
Error: Execution of '/usr/bin/curl https://releases.hashicorp.com/consul/0.7.2/consul_0.7.2_linux_amd64.zip -o /tmp/consul-0.7.2.zip_20170413-3078-9nyjlb -L --max-redirs 5' returned 35: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) Peer reports incompatible or unsupported protocol version.
Error: /Stage[main]/Consul::Install/Archive[/opt/consul/archives/consul-0.7.2.zip]: Could not evaluate: Puppet::Util::Log requires a message
Notice: /Stage[main]/Consul::Install/File[/opt/consul/archives/consul-0.7.2/consul]: Dependency Archive[/opt/consul/archives/consul-0.7.2.zip] has failures: true
Warning: /Stage[main]/Consul::Install/File[/opt/consul/archives/consul-0.7.2/consul]: Skipping because of failed dependencies
Here is output from running curl directly on the command line. Curl will fail.
$ curl -v https://releases.hashicorp.com/consul/0.7.2/consul_0.7.2_linux_amd64.zip
* About to connect() to releases.hashicorp.com port 443 (#0)
* Trying 151.101.53.183...
* Connected to releases.hashicorp.com (151.101.53.183) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Error in TLS handshake, trying SSLv3...
> GET /consul/0.7.2/consul_0.7.2_linux_amd64.zip HTTP/1.1
> User-Agent: curl/7.29.0
> Host: releases.hashicorp.com
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection 0
* Issue another request to this URL: 'https://releases.hashicorp.com/consul/0.7.2/consul_0.7.2_linux_amd64.zip'
* About to connect() to releases.hashicorp.com port 443 (#1)
* Trying 151.101.53.183...
* Connected to releases.hashicorp.com (151.101.53.183) port 443 (#1)
* TLS disabled due to previous handshake failure
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 1
curl: (35) Peer reports incompatible or unsupported protocol version.
If curl is forced to use TLSv1.2 then it will succeed. The command run needs to be modified to include the --tlsv1.2 command line option.
$ curl -v --tlsv1.2 https://releases.hashicorp.com/consul/0.7.2/consul_0.7.2_linux_amd64.zip -o file.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to releases.hashicorp.com port 443 (#0)
* Trying 151.101.53.183...
* Connected to releases.hashicorp.com (151.101.53.183) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=s.ssl.fastly.net,O="Fastly, Inc",L=San Francisco,ST=California,C=US
* start date: Mar 13 17:36:03 2017 GMT
* expire date: Jun 29 17:46:45 2017 GMT
* common name: s.ssl.fastly.net
* issuer: CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
> GET /consul/0.7.2/consul_0.7.2_linux_amd64.zip HTTP/1.1
> User-Agent: curl/7.29.0
> Host: releases.hashicorp.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: max-age=31536000, stale-white-revalidate=86400, stale-if-error=604800
< Content-Disposition: inline
< Last-Modified: Wed, 01 Mar 2017 16:50:28 GMT
< ETag: "88d28f7fa018f38a2c69270429edfb7d"
< Content-Type: application/zip
< Via: 1.1 varnish
< Fastly-Debug-Digest: 843c9aaa95a10c837e126a4f53da443691a82e29651fa78a6e465e10360a260e
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: sameorigin
< Content-Length: 7518735
< Accept-Ranges: bytes
< Date: Thu, 13 Apr 2017 16:56:51 GMT
< Via: 1.1 varnish
< Connection: keep-alive
< X-Served-By: cache-iad2130-IAD, cache-sea1049-SEA
< X-Cache: HIT, HIT
< X-Cache-Hits: 0, 0
< X-Timer: S1492102612.724064,VS0,VE3
<
{ [data not shown]
100 7342k 100 7342k 0 0 6025k 0 0:00:01 0:00:01 --:--:-- 6028k
* Connection #0 to host releases.hashicorp.com left intact
Any additional information you'd like to impart
I think the solution would be to add an option to the archive resource definition that allows for setting the protocol version to use for secure downloads. Then curl could check this option and use the command line option to ensure that it is using the correct protocol.
Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)
I am using the solarkennedy-consul module. An issue was filed regarding this problem on that project but was closed.
voxpupuli/puppet-consul#320
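The --tlsv1.2 fix and the module option proposed in the post, as an added example written here for illustration; it is not puppet-archive's code and nothing in it is the module's real API. It assumes a hypothetical `tls_version` option that maps onto curl's --tlsvX.Y switch, builds the curl command as an argument vector rather than a shell string, classifies curl's exit status 35 (CURLE_SSL_CONNECT_ERROR) using the NSS error names shown in the log, and retries once requiring TLS 1.2 when the peer rejected the offered protocol version. The stderr sample is constructed from the lines of the failing run above, and the runner is injectable so the logic runs offline.

```ruby
require 'open3'

# Added example, not puppet-archive's own code. `tls_version` is a hypothetical
# option name; the NSS error names and the exit status are taken from the
# curl -v output in the issue.

# Accepted values of the hypothetical tls_version option and the curl switch for each.
TLS_FLAGS = {
  '1.0' => '--tlsv1.0',
  '1.1' => '--tlsv1.1',
  '1.2' => '--tlsv1.2',
  '1.3' => '--tlsv1.3',
}.freeze

# curl's exit status for "SSL connect error" (CURLE_SSL_CONNECT_ERROR).
CURLE_SSL_CONNECT_ERROR = 35

# Constructed stderr sample, assembled from the NSS lines of the failing run.
SAMPLE_NSS_STDERR = <<~ERR
  * NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
  * Peer reports incompatible or unsupported protocol version.
  curl: (35) Peer reports incompatible or unsupported protocol version.
ERR

# Build curl's argument vector. Returning an array instead of a shell string means
# the URL and destination path are never re-parsed by /bin/sh.
def curl_argv(url, dest, tls_version: nil, max_redirs: 5, curl: '/usr/bin/curl')
  argv = [curl, url, '-o', dest, '-L', '--max-redirs', max_redirs.to_s]
  unless tls_version.nil?
    flag = TLS_FLAGS[tls_version.to_s]
    raise ArgumentError, "unsupported tls_version #{tls_version.inspect}" if flag.nil?
    argv << flag
  end
  argv
end

# Classify a curl failure from its exit status and stderr.
def classify_failure(status, stderr)
  return :ok if status.zero?
  return :other unless status == CURLE_SSL_CONNECT_ERROR
  return :protocol_version if stderr.include?('SSL_ERROR_PROTOCOL_VERSION_ALERT')
  return :no_cipher_overlap if stderr.include?('SSL_ERROR_NO_CYPHER_OVERLAP')
  :ssl_connect_error
end

# Default runner: execute curl and return [exit status, stderr].
def run_curl(argv)
  _stdout, stderr, status = Open3.capture3(*argv)
  [status.exitstatus, stderr]
end

# Download once; if the peer rejected the offered protocol version and the caller
# did not pin one, retry once requiring TLS 1.2. The retry only ever moves upward,
# unlike the "trying SSLv3..." downgrade the NSS-backed curl attempts on its own.
def download(url, dest, tls_version: nil, runner: method(:run_curl))
  attempts = []
  argv = curl_argv(url, dest, tls_version: tls_version)
  status, stderr = runner.call(argv)
  kind = classify_failure(status, stderr)
  attempts << { argv: argv, result: kind }
  if kind == :protocol_version && tls_version.nil?
    argv = curl_argv(url, dest, tls_version: '1.2')
    status, stderr = runner.call(argv)
    kind = classify_failure(status, stderr)
    attempts << { argv: argv, result: kind }
  end
  { result: kind, attempts: attempts }
end

if __FILE__ == $PROGRAM_NAME
  # Offline demonstration with a fake runner that behaves like the server in the
  # log: it rejects the default handshake and accepts the TLS 1.2 one.
  fake = lambda do |argv|
    argv.include?('--tlsv1.2') ? [0, ''] : [CURLE_SSL_CONNECT_ERROR, SAMPLE_NSS_STDERR]
  end
  report = download('https://releases.hashicorp.com/consul/0.7.2/consul_0.7.2_linux_amd64.zip',
                    '/tmp/consul-0.7.2.zip', runner: fake)
  report[:attempts].each { |a| puts "#{a[:result]}: #{a[:argv].join(' ')}" }
end
```

One caveat when wiring such an option through: the meaning of the switch depends on the curl version. From curl 7.54.0 on, --tlsv1.2 sets a minimum version and --tls-max caps it; on older builds such as the 7.29.0 in the log the switch selects that version exactly, so a server that later moves on to TLS 1.3 would need the option raised rather than silently negotiating upward.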