log sending broke between 1.25.6 and 1.25.9 on trusty

Bug #1654528 reported by Junien F
This bug affects 6 people
Affects: juju-core
Status: Fix Released
Importance: Critical
Assigned to: Roger Peppe

Bug Description

Hi,

It would appear that juju log forwarding on 1.25.9 is broken on Trusty. The following lines appear in syslog on machine 0:

rsyslogd-2083: gnutls returned error on handshake: Could not negotiate a supported cipher suite.

I think the root cause is that the agents are able to use only a handful of ciphers https://github.com/juju/utils/blob/1.25/tls.go#L20

This appears to be the case since https://github.com/juju/juju/commit/a8c812da6add3f3d113d0a27c363cda56bfb3286#diff-29cf702f1f3ee55354dc999b19a2e391

On trusty, I have the following packages:

$ dpkg -l|grep gnutls
ii gnutls-bin 3.0.11+really2.12.23-12ubuntu2.5 amd64 GNU TLS library - commandline utilities
ii libcurl3-gnutls:amd64 7.35.0-1ubuntu2.10 amd64 easy-to-use client-side URL transfer library (GnuTLS flavour)
ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.5 amd64 GNU TLS library - OpenSSL wrapper
ii libgnutls26:amd64 2.12.23-12ubuntu2.5 amd64 GNU TLS library - runtime library
ii rsyslog-gnutls 7.4.4-1ubuntu2.6 amd64 TLS protocol support for rsyslog

and apparently, the following ciphers:

$ gnutls-cli --list
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0
TLS_ANON_DH_AES_128_CBC_SHA256 0x00, 0x6c TLS1.2
TLS_ANON_DH_AES_256_CBC_SHA256 0x00, 0x6d TLS1.2
TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.2
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.2
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
TLS_RSA_NULL_SHA1 0x00, 0x02 SSL3.0
TLS_RSA_NULL_SHA256 0x00, 0x3b TLS1.2
TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0
TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0
TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0
TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0
TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.2
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, MAC-NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
Compression: COMP-DEFLATE, COMP-NULL
Public Key Systems: RSA, DSA
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD2

None of these ciphers match what's in tls.go (no ECDHE).

Hence, log forwarding doesn't work. Could this be fixed?

Thanks

Tags: canonical-is
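The failure described above is a plain cipher-suite intersection problem: the agent side (Go) only accepts ECDHE suites, while the GnuTLS 2.12 build on trusty offers none. The following is an added example, not code from juju or juju/utils, that reproduces the negotiation in memory with Go's crypto/tls. The suite lists are assumptions: Go has no DHE suites at all, so the "trusty-like" client stands in with the plain RSA key exchange suites that do appear in the gnutls-cli list (0x002f, 0x0035), and the "broadened" server list only illustrates that adding a shared suite makes the handshake succeed; it is not the content of the 1.25.10 fix.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed suite lists (not copied from juju/utils tls.go): ECDHE-only server, trusty-like client with no ECDHE, and a broadened server list.
var (
	ecdheOnly  = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}
	trustyLike = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA} // 0x002f and 0x0035 in the gnutls-cli list
	broadened  = append(ecdheOnly, tls.TLS_RSA_WITH_AES_128_CBC_SHA)
)

// selfSigned makes a throwaway RSA certificate for the in-memory server (demo code, errors ignored).
func selfSigned() tls.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// negotiate runs one TLS 1.2 handshake over an in-memory pipe: agreed suite name, or the error when the lists have nothing in common.
func negotiate(cert tls.Certificate, serverSuites, clientSuites []uint16) (string, error) {
	srvEnd, cliEnd := net.Pipe()
	defer srvEnd.Close()
	srv := tls.Server(srvEnd, &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: serverSuites})
	cli := tls.Client(cliEnd, &tls.Config{InsecureSkipVerify: true, // self-signed demo cert, no verification
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: clientSuites})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cerr := cli.Handshake()
	cliEnd.Close() // the client has nothing more to send either way; this unblocks the server side
	if serr := <-srvErr; cerr != nil || serr != nil {
		return "", errors.Join(cerr, serr)
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}
func main() {
	fmt.Println(negotiate(selfSigned(), ecdheOnly, trustyLike))
	fmt.Println(negotiate(selfSigned(), broadened, trustyLike))
}
```

The first call fails with a handshake-failure alert, which is the Go-side twin of rsyslog's "Could not negotiate a supported cipher suite"; the second settles on TLS_RSA_WITH_AES_128_CBC_SHA, the one suite both lists share. TLS 1.3 is pinned off on purpose, because its suites are not configurable and would mask the mismatch.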
Junien F (axino)
summary: - log forwarding broke between 1.25.6and 1.25.9 on trusty
+ log forwarding broke between 1.25.6 and 1.25.9 on trusty
Junien F (axino)
summary: - log forwarding broke between 1.25.6 and 1.25.9 on trusty
+ log sending broke between 1.25.6 and 1.25.9 on trusty
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Roger Peppe (rogpeppe)
milestone: none → 1.25.10
status: Triaged → In Progress
Paul Gear (paulgear)
tags: added: canonical-is
Changed in juju-core:
importance: High → Critical
Changed in juju-core:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released
Nicholas Skaggs (nskaggs) wrote :

Junien, 1.25.10 is now in the proposed ppa. Would you be able to verify the release indeed fixes this issue for you (and doesn't introduce other issues)? Get it from here:

https://launchpad.net/~juju/+archive/ubuntu/1.25-proposed

Note, you must set the `agent-stream` option in environments.yaml to "proposed" to use this client.

Nicholas Skaggs (nskaggs) wrote :

Can we confirm this is indeed fixed?

Junien F (axino) wrote :

I confirm 1.25.10 fixes this bug.
