log sending broke between 1.25.6 and 1.25.9 on trusty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
juju-core | Fix Released | Critical | Roger Peppe | | |
Bug Description
Hi,
It would appear that juju log forwarding on 1.25.9 is broken on Trusty. The following lines appear in syslog on machine 0:
rsyslogd-2083: gnutls returned error on handshake: Could not negotiate a supported cipher suite.
I think the root cause is that the agents are able to use only a handful of ciphers https:/
This appears to be the case since https:/
On trusty, I have the following packages:
$ dpkg -l|grep gnutls
ii gnutls-bin 3.0.11+
ii libcurl3-
ii libgnutls-
ii libgnutls26:amd64 2.12.23-12ubuntu2.5 amd64 GNU TLS library - runtime library
ii rsyslog-gnutls 7.4.4-1ubuntu2.6 amd64 TLS protocol support for rsyslog
and apparently, the following ciphers:
$ gnutls-cli --list
Cipher suites:
TLS_ANON_
TLS_ANON_
TLS_ANON_
TLS_ANON_
TLS_ANON_
TLS_ANON_
TLS_ANON_
TLS_ANON_
TLS_PSK_
TLS_PSK_
TLS_PSK_
TLS_PSK_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_SRP_
TLS_SRP_
TLS_SRP_
TLS_SRP_
TLS_SRP_
TLS_SRP_
TLS_SRP_
TLS_SRP_
TLS_SRP_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_DHE_
TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0
TLS_RSA_NULL_SHA1 0x00, 0x02 SSL3.0
TLS_RSA_NULL_SHA256 0x00, 0x3b TLS1.2
TLS_RSA_
TLS_RSA_
TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0
TLS_RSA_
TLS_RSA_
TLS_RSA_
TLS_RSA_
TLS_RSA_
TLS_RSA_
TLS_RSA_
Certificate types: CTYPE-X.509, CTYPE-OPENPGP
Protocols: VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, MAC-NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
Compression: COMP-DEFLATE, COMP-NULL
Public Key Systems: RSA, DSA
PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD2
None of these ciphers match what's in tls.go (no ECDHE).
Hence, log forwarding doesn't work. Could this be fixed?
Thanks
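The failure mode reported above, reproduced as an added example (not code from juju or from the reporter): a Go TLS server restricted to ECDHE suites rejects a client that can only offer RSA key exchange, which is what the GnuTLS listing shows for the trusty client. The two suite lists, the `handshake` helper and the `logs.test` name are assumptions made for the demonstration; the actual contents of tls.go are not shown on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed suite lists: an ECDHE-only policy and a legacy RSA key exchange.
var ecdheOnly = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
var rsaKexOnly = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}

// handshake runs a TLS 1.2 handshake over an in-memory pipe with a throwaway
// certificate and returns the server-side result (nil means a suite was agreed).
func handshake(serverSuites, clientSuites []uint16) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"logs.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	go tls.Client(c, &tls.Config{RootCAs: roots, ServerName: "logs.test",
		MaxVersion: tls.VersionTLS12, CipherSuites: clientSuites}).Handshake()
	return tls.Server(s, &tls.Config{MaxVersion: tls.VersionTLS12, CipherSuites: serverSuites,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}).Handshake()
}

func main() {
	fmt.Println("client without ECDHE:", handshake(ecdheOnly, rsaKexOnly))
	fmt.Println("client with ECDHE:", handshake(ecdheOnly, ecdheOnly))
}
```

The certificate and trust chain are valid in both runs, so the only variable is the overlap between the two suite lists.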
summary:
- log forwarding broke between 1.25.6and 1.25.9 on trusty
+ log forwarding broke between 1.25.6 and 1.25.9 on trusty
summary:
- log forwarding broke between 1.25.6 and 1.25.9 on trusty
+ log sending broke between 1.25.6 and 1.25.9 on trusty
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Roger Peppe (rogpeppe)
milestone: none → 1.25.10
status: Triaged → In Progress
tags: added: canonical-is
Changed in juju-core:
importance: High → Critical
Changed in juju-core:
status: In Progress → Fix Committed
Changed in juju-core:
status: Fix Committed → Fix Released
PR: https://github.com/juju/juju/pull/6775