Currently it looks like Salt just uses urllib2. Urllib2 doesn't work well with SNI servers.
In practice, this bit us as the Docker folks started hosting their apt repository GPG key on a SNI server.
You can see this with raw python:
python2.7 -c "import urllib2; req = urllib2.Request('https://get.docker.com/gpg'); response = urllib2.urlopen(req); print response.read()"
We have worked around this with the Docker guys (https://get.docker.io doesn't use SNI) but there is a good chance it'll break again in the future.
I'm not sure how to fix this as SSL support in python has a long and painful history, but it might be worth switching to alternate download frameworks. Or fall back on calling curl/wget in some cases?
/cc @bgrant0607
We hit this on a pkgrepo.managed key_url fetch, which failed.
Several places in Salt have been moved over to requests, since urllib2 is not adequate to the task most of the time. Do you know of any issues with moving this code to requests?
That's what I would recommend. Salt deps requests as of 2014.7, so that will be readily available for use.
This is going to be a fairly big job as we're using urllib in a number of places, especially in exec modules.
Salt cloud might be a good place to start with getting this switched over.
(Note that we worked with the docker folks to work around this -- they stopped using SNI. But I'm sure this will come up again sooner as IP space gets more precious and more people demand HTTPS.)
It looks like get.docker.com/gpg does not support SSLv3 anymore due to POODLE. Somehow it looks like the current implementation cannot handle TLS either.
As of this morning we are hitting this issue in pkgrepo.managed going to https://deb.nodesource.com. This was working yesterday evening so I'm assuming nodesource has disabled SSLv3 overnight. The particular issue is the key_url pointing to https://deb.nodesource.com/gpgkey/nodesource.gpg.key:
----------
ID: repo-nodesource
Function: pkgrepo.managed
Name: deb [arch=amd64] https://deb.nodesource.com/node_4.x trusty main
Result: False
Comment: Failed to configure repo 'deb [arch=amd64] https://deb.nodesource.com/node_4.x trusty main': [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Started: 12:28:07.317906
Duration: 178.376 ms
Changes:
This is with 2015.8.0 and 2016.3.3.
Salt Version:
Salt: 2016.3.3
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 1.5
gitdb: 0.5.4
gitpython: 0.3.2 RC1
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: 0.21.1
Mako: 0.9.1
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: 1.2.3
pycparser: Not Installed
pycrypto: 2.6.1
pygit2: Not Installed
Python: 2.7.6 (default, Jun 22 2015, 17:58:13)
python-gnupg: Not Installed
PyYAML: 3.10
PyZMQ: 14.4.0
RAET: Not Installed
smmap: 0.8.2
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.0.4
System Versions:
dist: Ubuntu 14.04 trusty
machine: x86_64
release: 3.13.0-83-generic
system: Linux
version: Ubuntu 14.04 trusty
The good news is that the gpg key url for nodesource does not redirect to https, so for now we can set key_url to the http location.
Is there another way to handle this besides fetching the key over http and not https?
I ran into the same problem starting at about 10:30am PT yesterday.
Replacing https with http in the key_url fixes this.
Per the above discussion the problem here could be related to SNI. Looking at the urllib3 docs (http://urllib3.readthedocs.io/en/latest/advanced-usage.html) I see it supports SNI but requires python >= 2.7.9. My ubuntu 14.04 server has python 2.7.6.
Looking a little more I see both python 2 and python 3 are installed on ubuntu 14.04. But python 3 is not supported by salt yet per #11995
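The two threads of advice above (move the fetch to requests/urllib3, which sends SNI on Python >= 2.7.9, and the interim workaround of pointing key_url at plain http) can be combined into one safe fetch routine. The following is an added example written for this thread; it is not Salt's code and not the pkgrepo.managed implementation. It uses only the Python 3 standard library, where `ssl.create_default_context()` both verifies the server certificate and sends SNI (the same mechanism urllib2 gained in 2.7.9), reports whether the running interpreter can send SNI at all, and pins the downloaded key to a SHA-256 digest. The digest pin is the caveat a practitioner wants: a repository signing key fetched over http, as in the workaround above, can be swapped by anyone on the path unless the file is checked against a known digest. The function names and the `opener` parameter are this example's own; the sample bytes used for the digest check are constructed, not a real key.

```python
"""Added example (not Salt's own code): fetch a repository signing key
over HTTPS with SNI and certificate verification, and pin its digest."""
import hashlib
import ssl
import sys
import urllib.request  # Python 3; urllib2 on 2.7.9+ behaves the same way


def interpreter_sends_sni():
    """True when this Python/OpenSSL build can send the TLS SNI extension.

    ssl.HAS_SNI is absent on 2.7.x before 2.7.9, which is exactly the
    Ubuntu 14.04 (2.7.6) situation in the thread: such a build cannot reach
    a server that only serves the right certificate for an SNI name.
    """
    return bool(getattr(ssl, "HAS_SNI", False))


def fetch_bytes(url, timeout=30):
    """Fetch a URL with a verifying TLS context.

    create_default_context() loads the system CA bundle, requires hostname
    match and sends SNI; it never falls back to SSLv3, which is the protocol
    the servers in the thread disabled after POODLE.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def verify_digest(data, expected_sha256):
    """Compare the SHA-256 of the downloaded bytes against a pinned hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return actual == expected_sha256.strip().lower()


def fetch_key(url, expected_sha256, opener=fetch_bytes):
    """Download a signing key and refuse it unless its digest matches.

    `opener` is injectable so the check can be exercised without network
    access; in real use the default HTTPS opener is what you want. With the
    pin in place even an http:// key_url cannot silently hand you a
    substituted key, although https with verification is still preferred.
    """
    data = opener(url)
    if not verify_digest(data, expected_sha256):
        raise ValueError("digest mismatch for key fetched from %s" % url)
    return data


if __name__ == "__main__":
    # Usage: python fetch_key.py <key_url> <expected_sha256_hex>
    if not interpreter_sends_sni():
        sys.exit("this interpreter cannot send SNI; use Python >= 2.7.9 "
                 "or requests with an SNI-capable urllib3")
    key_url, pinned = sys.argv[1], sys.argv[2]
    key = fetch_key(key_url, pinned)
    sys.stdout.write("fetched %d bytes, digest OK\n" % len(key))
```

On an interpreter where `interpreter_sends_sni()` is False (Python 2.7.6 as on 14.04), the stdlib path in this example is not available; the urllib3 documentation linked above describes installing its pyOpenSSL extras and calling `urllib3.contrib.pyopenssl.inject_into_urllib3()` so that requests sends SNI on such builds. The digest pin works identically on either path.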
Take a look at: #33782
I did some digging on RedHat/CentOS 6 and also on Amazon Linux and there's some solutions there that work for me on at least RedHat 6.
ZD-988
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.