Ubuntu Trunk Checksum failed
-
@reflexxion It’s ssl related, but not from FOG’s perspective. Something on your system is blocking ssl requests (or transforming it on reception)
-
@reflexxion Try
openssl s_client -connect fogproject.org:443(just hit Ctrl-c to get back to the shell) and post the fully output you see here… -
root@FogWest:~/svn/trunk/bin# openssl s_client -connect fogproject.org:443 CONNECTED(00000003) depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA verify return:1 depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2 verify return:1 depth=0 OU = Domain Control Validated, CN = www.fogproject.org verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=www.fogproject.org i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIGHzCCBQegAwIBAgISESEX9Cbj3NHROwUOEHFlfU6JMA0GCSqGSIb3DQEBCwUA MGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD VQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g RzIwHhcNMTUwNTEyMjAzNzUyWhcNMTYwNTEyMjAzNzUyWjBAMSEwHwYDVQQLExhE b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxGzAZBgNVBAMTEnd3dy5mb2dwcm9qZWN0 Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMuzuXvvvV4q2W8 AzmzpOFS0O4DIoI6CfPTORZBGKqqC8FGdo1y52wXM+UplDR11rd0QdVX8ejmGfwt 8dX7X1saj+zS5saeddBnZB/YjLwNc0mU5KkcTaECLTFYtdvpk2TYDRBTHbAxjU6o IFyUCeFt4gzddBfytzVdGxmZ3PqQNEqXb7/Oq4V0T6aSECb5EXXgqLEgU+JJPDvl 8qLgGC4Mavx6/4GYBS+mF4ByetsaBL1EcJmDCEggTXRK5nHmiqIsThfmJjGhqTY2 +AP3tu7A0z4Zm0gXt4WwvT/MUGBR7l/tmNJR+BCRGsjdCUKXvZhFwnfqgP2D69iJ 4E1dqsECAwEAAaOCAvEwggLtMA4GA1UdDwEB/wQEAwIFoDBJBgNVHSAEQjBAMD4G BmeBDAECATA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNv bS9yZXBvc2l0b3J5LzCCAUgGA1UdEQSCAT8wggE7ghJ3d3cuZm9ncHJvamVjdC5v cmeCE2Jsb2cuZm9ncHJvamVjdC5vcmeCE2RlbW8uZm9ncHJvamVjdC5vcmeCEmRl di5mb2dwcm9qZWN0Lm9yZ4IUZmlsZXMuZm9ncHJvamVjdC5vcmeCFWZvcnVtcy5m b2dwcm9qZWN0Lm9yZ4ISZ2l0LmZvZ3Byb2plY3Qub3JnghVtaXJyb3IuZm9ncHJv amVjdC5vcmeCE25ld3MuZm9ncHJvamVjdC5vcmeCFXBvcnRhbC5mb2dwcm9qZWN0 Lm9yZ4IWcHJldmlldy5mb2dwcm9qZWN0Lm9yZ4ITdGVzdC5mb2dwcm9qZWN0Lm9y Z4IRdm0uZm9ncHJvamVjdC5vcmeCE3dpa2kuZm9ncHJvamVjdC5vcmeCDmZvZ3By b2plY3Qub3JnMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF BwMCMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20v Z3MvZ3Nkb21haW52YWxzaGEyZzIuY3JsMIGUBggrBgEFBQcBAQSBhzCBhDBHBggr BgEFBQcwAoY7aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvZ3Nk b21haW52YWxzaGEyZzJyMS5jcnQwOQYIKwYBBQUHMAGGLWh0dHA6Ly9vY3NwMi5n bG9iYWxzaWduLmNvbS9nc2RvbWFpbnZhbHNoYTJnMjAdBgNVHQ4EFgQUcRo84Nto hT9tDrVEUVfsg74fgUUwHwYDVR0jBBgwFoAU6k581IAt5RWBhiaMgm3AmKTPlw8w DQYJKoZIhvcNAQELBQADggEBAAa4CLixH0WBSV7S5pk0HPTklIK1IuKXseVlcGU7 j3xXHnQKdXpmH/iBDUYgHrMxdxxGTP8B0ZyajB6UNX/Qie/2LOFjo8VCsFlQ/2G0 8bRltd9kuf0GvaJByqTiGf3o2dNNbcmvWbl537ohd8Iry0O9GfiTel7+TShYx80j egBf/ob3BfTms1K0uFhenisfyOYPIvjFC41bDMhJpf1cc7K+S4RSjdqtL+cxTe1s 9as//voRxtCjAB3zdi9sXEORTcON3pexRF4xNIcUBOYwf5J6ylJYfFDhGbx3V9SF V7Q+yRhKgjwR7QQTl9yZfdVikcHag14y6sndYKHLj0RuU68= -----END CERTIFICATE----- subject=/OU=Domain Control Validated/CN=www.fogproject.org issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 4268 bytes and written 431 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 3D9E36636E42207F6A4725680FE0318953437B0C138AC009E40AC77D993A254E Session-ID-ctx: Master-Key: 3D99DF9630DCE2E4B51EBA407AAA491F771EA67EDF61C1448756E64C38A09B8129B9C729EEE576420DA2227766A8F850 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 0c 1b 69 ce e2 db 66 10-f5 a9 81 82 76 9a 7c 34 ..i...f.....v.|4 0010 - 6f 03 24 99 72 2d c4 0f-0d 8b bb 5d 17 1b 1e 81 o.$.r-.....].... 0020 - e0 3d c0 28 3d ea 7d b9-0d 3c e5 bb e8 70 08 63 .=.(=.}..<...p.c 0030 - 20 3e 62 8f a2 ef 5f 8e-54 69 bf de 75 41 c4 e2 >b..._.Ti..uA.. 0040 - c5 72 7b 8d 38 3b 49 b5-d9 24 8f 88 22 a7 54 46 .r{.8;I..$..".TF 0050 - 9e 77 73 cc 00 3a 34 39-03 88 61 2d 3c d9 36 14 .ws..:49..a-<.6. 0060 - 75 45 ad 41 da ee 1a 7e-67 57 39 a0 bc d5 fe 69 uE.A...~gW9....i 0070 - 71 b8 93 16 20 de 65 56-2c be 32 80 9c cf 4a 19 q... .eV,.2...J. 0080 - 9c 28 35 67 96 f6 3d 2f-0d 6f bb 7a 55 18 ff e7 .(5g..=/.o.zU... 0090 - 8e 68 58 af 41 9e dd 07-5e f7 f7 4b d9 f8 44 33 .hX.A...^..K..D3 00a0 - ab 71 aa e6 4c ad cb f2-e1 6f ae e6 6e 2c 9b 71 .q..L....o..n,.q Start Time: 1458575172 Timeout : 300 (sec) Verify return code: 0 (ok) --- -
@reflexxion Ok, and what about verbose curl output:
curl -vvko "checksums" https://fogproject.org/inits/index.phpMaybe this is related: https://sourceforge.net/p/curl/bugs/1319/
-
root@FogWest:~/svn/trunk/bin# curl -vvko "checksums" https://fogproject.org/inits/index.php * Hostname was NOT found in DNS cache % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 162.213.199.177... * Connected to fogproject.org (162.213.199.177) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): } [data not shown] * SSLv3, TLS handshake, Server hello (2): { [data not shown] * SSLv3, TLS handshake, CERT (11): { [data not shown] * SSLv3, TLS handshake, Server key exchange (12): { [data not shown] * SSLv3, TLS handshake, Server finished (14): { [data not shown] * SSLv3, TLS handshake, Client key exchange (16): } [data not shown] * SSLv3, TLS change cipher, Client hello (1): } [data not shown] * SSLv3, TLS handshake, Finished (20): } [data not shown] * Unknown SSL protocol error in connection to fogproject.org:443 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 * Closing connection 0 curl: (35) Unknown SSL protocol error in connection to fogproject.org:443 root@FogWest:~/svn/trunk/bin# -
@reflexxion Which version of curl and openssl?
dpkg -l | grep -e " curl" -e " openssl" -
root@FogWest:~/svn/trunk/bin# dpkg -l | grep -e "curl" -e "openssl" ii curl 7.35.0-1ubuntu2.6 i386 command line tool for transferring data with URL syntax ii libcurl3:i386 7.35.0-1ubuntu2.6 i386 easy-to-use client-side URL transfer library (OpenSSL flavour) ii libcurl3-gnutls:i386 7.35.0-1ubuntu2.6 i386 easy-to-use client-side URL transfer library (GnuTLS flavour) ii libcurl4-openssl-dev:i386 7.35.0-1ubuntu2.6 i386 development files and documentation for libcurl (OpenSSL flavour) ii libgnutls-openssl27:i386 2.12.23-12ubuntu2.5 i386 GNU TLS library - OpenSSL wrapper ii openssl 1.0.2g-1+deb.sury.org~trusty+1 i386 Secure Sockets Layer toolkit - cryptographic utility ii php5-curl 5.6.19+dfsg-1+deb.sury.org~trusty+1 i386 CURL module for php5 ii python-openssl 0.13-2ubuntu6 i386 Python 2 wrapper around the OpenSSL library ii python3-pycurl 7.19.3-0ubuntu3 i386 Python 3 bindings to libcurl root@FogWest:~/svn/trunk/bin# -
@reflexxion Ok, I have: curl
7.35.0-1ubuntu2.6but openssl1.0.1f-1ubuntu2.18on one of my test servers (curl downloading the checksums fine!) -
@Sebastian-Roth do you know how I can downgrade to test?
-
I have the same openssl version on my production system.
-
@reflexxion Before downgrading you might want to try forcing curl to use different SSL protocol versions and/or cipher suites:
curl --tlsv1.0 -ko "checksums" https://fogproject.org/inits/index.php curl --tlsv1.1 -ko "checksums" https://fogproject.org/inits/index.php curl --tlsv1.2 -ko "checksums" https://fogproject.org/inits/index.php curl --tlsv1 --ciphers AES256-SHA -ko "checksums" https://fogproject.org/inits/index.phpSee if any of those is working for you…
-
root@FogWest:~/svn/trunk/bin# curl --tlsv1 --ciphers AES256-SHA -ko "checksums" https://fogproject.org/inits/index.php % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 0 277 0 0 454 0 --:--:-- --:--:-- --:--:-- 454 root@FogWest:~/svn/trunk/bin# curl --tlsv1.0 -ko "checksums" https://fogproject.org/inits/index.php % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 0 277 0 0 498 0 --:--:-- --:--:-- --:--:-- 499 root@FogWest:~/svn/trunk/bin# curl --tlsv1.1 -ko "checksums" https://fogproject.org/inits/index.php % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 0 277 0 0 481 0 --:--:-- --:--:-- --:--:-- 480 root@FogWest:~/svn/trunk/bin# curl --tlsv1.2 -ko "checksums" https://fogproject.org/inits/index.php % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 curl: (35) Unknown SSL protocol error in connection to fogproject.org:443 root@FogWest:~/svn/trunk/bin# curl --tlsv1 --ciphers AES256-SHA -ko "checksums" https://fogproject.org/inits/index.php % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 277 0 277 0 0 401 0 --:--:-- --:--:-- --:--:-- 400 root@FogWest:~/svn/trunk/bin# -
@reflexxion Ok, TLSv1.1 seams to work. So as a quick fix you can force curl to always use TLSv1.1 encrpytion via curlrc:
echo "tlsv1.1" >> ~/.curlrc
Then try running the installer again! -
@Sebastian-Roth THAT FIXED IT SIR! Thanks! Not sure if this has been helpful diagnostics for you guys… but I’ve certainly learned a lot! Thanks again!
-
@Sebastian-Roth Well, it fixed the install issue. The kernel update portion of the GUI is still not functional (not significant I don’t think) and the “estimated fog sites” is not working as well. No worries with that stuff… just thought I’d report it!
-
@reflexxion Thanks for your patients trying all the things out. This will definitely help others who run into similar issues. But I guess not very many people have the package repo deb.sury.org added like you have. Seams like others have trouble with curl and ssl versions as well: https://sourceforge.net/p/curl/bugs/1319/
@Quazz Which “same” version of openssl did you mean?
1.0.1f-1ubuntu2.18or @reflexxion’s1.0.2g-1+deb.sury.org~trusty+1?? If it is 1.0.2… then which version of curl you have? -
@Sebastian-Roth The same as reflexxion, but my curl is newer.
I have : 7.43.0-1ubuntu2.1
-
Good to know. So it seams to only cause problems with a distinct combination of curl and openssl version(s). Possibly the newer curl version works around an openssl bug or the other way round…
