rpki-client / rpki-client-portable

Portability shim for OpenBSD's rpki-client

Home Page:https://rpki-client.org


failure to fetch TA over https: TA can be fetched by curl fine.

ggm-at-apnic opened this issue · comments

This is a Mac OSX Big Sur build of the client code.

ggm@ggm-802382 rpki-client % /usr/local/sbin/rpki-client -B -c -j -o -v
rpki-client: ta/apnic: pulling from https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
rpki-client: https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer: server closed connection
rpki-client: ta/apnic: load from network failed, retry
rpki-client: ta/apnic: pulling from rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
rpki-client: ta/apnic: loaded from network

curl -v on the same URL:

ggm@ggm-802382 rpki-client % curl -v -o /tmp/apnic.cer -L https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2001:dd8:9:2::101:18...
* TCP_NODELAY set
* Connected to rpki.apnic.net (2001:dd8:9:2::101:18) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [228 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [87 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2714 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [589 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=rpki.apnic.net
*  start date: Mar 24 02:46:43 2021 GMT
*  expire date: Jun 22 02:46:43 2021 GMT
*  subjectAltName: host "rpki.apnic.net" matched cert's "rpki.apnic.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /repository/apnic-rpki-root-iana-origin.cer HTTP/1.1
> Host: rpki.apnic.net
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 15 Apr 2021 00:49:38 GMT
< Server: Apache/2.2.15 (CentOS)
< Last-Modified: Wed, 26 Aug 2020 01:30:38 GMT
< ETag: "613ef-4bb-5adbdc456cb80"
< Accept-Ranges: bytes
< Content-Length: 1211
< Set-Cookie: Persistence-Token=!YgLdXj2lHoDXBrUWwXnSi27bn6LXmBdtzMP2k77kfNo5UxkmuJh0MZsr0ID88slIiXqq4melz+nZBKeyt4yU7Mv/Uw6xBzIyeK7anREi; path=/; Httponly; Secure
< Vary: Accept-Encoding
<
{ [1211 bytes data]
100  1211  100  1211    0     0  23745      0 --:--:-- --:--:-- --:--:-- 23745
* Connection #0 to host rpki.apnic.net left intact
* Closing connection 0
ggm@ggm-802382 rpki-client % ls -ltr /tmp/apnic.cer
-rw-r--r--  1 ggm  wheel  1211 15 Apr 10:49 /tmp/apnic.cer
ggm@ggm-802382 rpki-client %

the git log: (to show the version I am on)

commit 316298269a71e2e69191f14a046bf4c1f2ec9d61 (HEAD -> master, origin/master, origin/HEAD)
Author: Claudio Jeker <claudio@openbsd.org>
Date:   Wed Apr 14 20:50:59 2021 +0200

    Adjust repo to work after the addition of version.h

git log of the OpenBSD code included by autogen.sh:

commit be3e2a68f6769ad25bb31321e1dd82c7cbe57f2a (HEAD -> master, origin/master, origin/HEAD)
Author: benno <>
Date:   Wed Apr 14 18:05:47 2021 +0000

    move the RPKI_VERSION define into its own version.h file, helps portable.
    ok claudio@

And, this doesn't happen on the same git pull built on FreeBSD. So, it looks to me like a TLS problem specific to OSX.

I see the same issue on my older mac. Will see what I can figure out.

OK, the issue is in the http.c state machine and the way it requires an extra loop via poll in some cases.
On Mac these short requests are done in a single read and the extra loop via poll picks up the POLLHUP before finishing the transfer.

I have a larger rewrite of the http.c that fixes this issue. Will see if I can peel out a minimal fix that can go in now.
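To make the failure mode in the diagnosis above concrete, here is an added stand-alone C illustration. It is not rpki-client's http.c and not the upstream fix; the names BODY, recv_until_eof, recv_naive and run_demo are mine, and the "server" is a socketpair peer that writes a small constructed body in one go and hangs up, so that poll() can report POLLHUP while bytes are still queued, exactly the situation a short TA fetch produces. The naive reader treats POLLHUP as "server closed connection" before draining the socket; the robust reader keeps calling read() until it returns 0.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for a small TA fetch: the peer writes the whole
 * response at once and then closes its end. Not a real certificate. */
static const char BODY[] =
    "-----BEGIN CERTIFICATE-----\n"
    "constructed sample body, not a real trust anchor\n"
    "-----END CERTIFICATE-----\n";

/* Robust reader: POLLHUP only says the peer is gone; the kernel may still
 * hold buffered bytes, so keep reading until read() returns 0. */
ssize_t recv_until_eof(int fd, char *buf, size_t cap)
{
    size_t got = 0;

    for (;;) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        int n = poll(&pfd, 1, 5000);

        if (n <= 0)                       /* error or 5 s timeout */
            return -1;
        if (pfd.revents & POLLNVAL)
            return -1;
        if (got == cap)                   /* caller's buffer is full */
            return -1;

        /* POLLIN, POLLHUP and POLLERR all mean "call read()": either data
         * is pending or read() will report EOF / the socket error. */
        ssize_t r = read(fd, buf + got, cap - got);
        if (r < 0)
            return -1;
        if (r == 0)                       /* genuine end of stream */
            return (ssize_t)got;
        got += (size_t)r;
    }
}

/* Naive reader: treats POLLHUP as "server closed connection" before
 * draining the socket, which is the shape of the bug described above. */
ssize_t recv_naive(int fd, char *buf, size_t cap)
{
    size_t got = 0;

    for (;;) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };

        if (poll(&pfd, 1, 5000) <= 0)
            return -1;
        if (pfd.revents & POLLHUP)        /* gives up even if bytes are queued */
            return -1;
        if (got == cap)
            return -1;
        ssize_t r = read(fd, buf + got, cap - got);
        if (r <= 0)
            return r < 0 ? -1 : (ssize_t)got;
        got += (size_t)r;
    }
}

/* Drive a reader over a socketpair whose writing end has already sent the
 * whole BODY and hung up, mimicking a short response that arrives in a
 * single read. Returns the byte count the reader delivered, or -1. */
ssize_t run_demo(ssize_t (*reader)(int, char *, size_t), char *out, size_t cap)
{
    int sv[2];
    size_t len = strlen(BODY);

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (write(sv[1], BODY, len) != (ssize_t)len) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    close(sv[1]);                         /* peer hangs up: POLLHUP now pending */

    ssize_t got = reader(sv[0], out, cap);
    close(sv[0]);
    return got;
}

int main(void)
{
    char buf[512];
    ssize_t a = run_demo(recv_until_eof, buf, sizeof buf);
    ssize_t b = run_demo(recv_naive, buf, sizeof buf);

    printf("drain-until-EOF reader: %zd bytes (expected %zu)\n", a, strlen(BODY));
    printf("naive POLLHUP reader:   %zd bytes (-1 = gave up early)\n", b);
    return a == (ssize_t)strlen(BODY) ? 0 : 1;
}
```

The point for anyone maintaining a poll-driven client: whether POLLHUP shows up before, together with or after the last data chunk depends on the platform and on how the bytes were coalesced, so the state machine must treat it as "go read" rather than as a terminal error, and only a zero-length read() marks the end of the transfer. Exactly when the naive reader fails varies by OS, so only the robust reader's result is checked.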

Fix for this was committed upstream. So if you update now it should work.