2022-12-16 16:56:01 |
David Torrey |
bug |
|
|
added bug |
2022-12-16 22:24:01 |
David Torrey |
description |
When attempting to set an https_proxy where the proxy URL itself uses HTTPS, such as an AWS global accelerator, the process times out. Judging from strace() output, the client does not attempt to negotiate TLS, and instead sends plaintext HTTP to the proxy, which ignores it until the process times out.
Reproduction:
$ pro config set https://user:pass@proxy.url:443/
* times out and fails
Expected result:
* Configures a working proxy for subsequent pro client commands
Notes:
* was only tested with an AWS GA instance
* a similar "curl -x {same-proxy-URI} {website}" works as expected.
* a similar "wget" with $ENV{https_proxy} set also times out.
* pro-client team has an example proxy URI with credentials that exhibits this behavior, but I'll try to come up with another reproducer for that end as well.
Versions:
ubuntu 22.04.1 LTS
ubuntu-advantage-tools 27.12~22.04.1
Thanks,
Dave
Canonical Support |
When attempting to set an https_proxy where the proxy URL itself uses HTTPS, the process times out. Judging from strace() output, the client does not attempt to negotiate TLS, and instead sends plaintext HTTP to the proxy, which ignores it until the process times out.
Reproduction:
$ pro config set https://user:pass@proxy.url:443/
* times out and fails
Expected result:
* Configures a working proxy for subsequent pro client commands
Notes:
* was so far tested and reproduced with a proxy where TLS terminated on a network load balancer.
* a similar "curl -x {same-proxy-URI} {website}" works as expected.
* a similar "wget" with $ENV{https_proxy} set also times out.
* pro-client team has an example proxy URI with credentials that exhibits this behavior, but I'll try to come up with another reproducer for that end as well.
Versions:
ubuntu 22.04.1 LTS
ubuntu-advantage-tools 27.12~22.04.1
Thanks,
Dave
Canonical Support |
|
2022-12-20 18:39:37 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu): status |
New |
Confirmed |
|
2022-12-27 09:40:57 |
Hua Zhang |
bug watch added |
|
http://bugs.python.org/issue29610 |
|
2022-12-27 09:45:39 |
Hua Zhang |
bug |
|
|
added subscriber Hua Zhang |
2023-01-03 09:22:03 |
Christian Ehrhardt |
ubuntu-advantage-tools (Ubuntu): status |
Confirmed |
Incomplete |
|
2023-01-03 14:34:43 |
Christian Ehrhardt |
description |
When attempting to set an https_proxy where the proxy URL itself uses HTTPS, the process times out. Judging from strace() output, the client does not attempt to negotiate TLS, and instead sends plaintext HTTP to the proxy, which ignores it until the process times out.
Reproduction:
$ pro config set https://user:pass@proxy.url:443/
* times out and fails
Expected result:
* Configures a working proxy for subsequent pro client commands
Notes:
* was so far tested and reproduced with a proxy where TLS terminated on a network load balancer.
* a similar "curl -x {same-proxy-URI} {website}" works as expected.
* a similar "wget" with $ENV{https_proxy} set also times out.
* pro-client team has an example proxy URI with credentials that exhibits this behavior, but I'll try to come up with another reproducer for that end as well.
Versions:
ubuntu 22.04.1 LTS
ubuntu-advantage-tools 27.12~22.04.1
Thanks,
Dave
Canonical Support |
When attempting to set an https_proxy where the proxy URL itself uses HTTPS, the process times out. Judging from strace() output, the client does not attempt to negotiate TLS, and instead sends plaintext HTTP to the proxy, which ignores it until the process times out.
Reproduction:
root@foobar:~# pro config set http_proxy=https://foo:bar@baz.net:443
Setting snap proxy
root@foobar:~# pro config set https_proxy=https://foo:bar@baz.net:443
... this hangs forever either interrupted]
$ pro config set https://user:pass@proxy.url:443/
* times out and fails
Expected result:
* Configures a working proxy for subsequent pro client commands
Notes:
* was so far tested and reproduced with a proxy where TLS terminated on a network load balancer.
* a similar "curl -x {same-proxy-URI} {website}" works as expected.
* a similar "wget" with $ENV{https_proxy} set also times out.
* pro-client team has an example proxy URI with credentials that exhibits this behavior, but I'll try to come up with another reproducer for that end as well.
Versions:
ubuntu 22.04.1 LTS
ubuntu-advantage-tools 27.12~22.04.1
Thanks,
Dave
Canonical Support |
|
2023-01-03 14:35:05 |
Christian Ehrhardt |
ubuntu-advantage-tools (Ubuntu): status |
Incomplete |
Confirmed |
|
2023-01-03 15:08:56 |
Christian Ehrhardt |
ubuntu-advantage-tools (Ubuntu): status |
Confirmed |
Incomplete |
|
2023-01-03 15:09:00 |
Christian Ehrhardt |
ubuntu-advantage-tools (Ubuntu): status |
Incomplete |
Confirmed |
|
2023-01-03 15:09:02 |
Christian Ehrhardt |
ubuntu-advantage-tools (Ubuntu): importance |
Undecided |
Wishlist |
|
2023-01-05 18:25:05 |
John A. Fuqua |
bug watch added |
|
http://bugs.python.org/issue29394 |
|
2023-01-17 15:08:44 |
Dariusz Gadomski |
bug |
|
|
added subscriber Dariusz Gadomski |
2023-08-04 23:23:13 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu): status |
Confirmed |
Fix Released |
|
2023-08-24 15:42:58 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Sergio Durigan Junior |
2023-08-31 12:39:28 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Lunar): status |
New |
Fix Committed |
|
2023-08-31 12:39:29 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-08-31 12:39:30 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2023-08-31 12:39:34 |
Robie Basak |
tags |
|
verification-needed verification-needed-lunar |
|
2023-08-31 12:40:04 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Jammy): status |
New |
Fix Committed |
|
2023-08-31 12:40:07 |
Robie Basak |
tags |
verification-needed verification-needed-lunar |
verification-needed verification-needed-jammy verification-needed-lunar |
|
2023-08-31 12:41:48 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Focal): status |
New |
Fix Committed |
|
2023-08-31 12:41:51 |
Robie Basak |
tags |
verification-needed verification-needed-jammy verification-needed-lunar |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-lunar |
|
2023-08-31 12:43:26 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Bionic): status |
New |
Fix Committed |
|
2023-08-31 12:43:28 |
Robie Basak |
tags |
verification-needed verification-needed-focal verification-needed-jammy verification-needed-lunar |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar |
|
2023-08-31 12:44:17 |
Robie Basak |
ubuntu-advantage-tools (Ubuntu Xenial): status |
New |
Fix Committed |
|
2023-08-31 12:44:20 |
Robie Basak |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-xenial |
|
2023-09-11 21:42:56 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Andreas Hasenack |
2023-09-14 18:09:24 |
Lucas Albuquerque Medeiros de Moura |
description |
When attempting to set an https_proxy where the proxy URL itself uses HTTPS, the process times out. Judging from strace() output, the client does not attempt to negotiate TLS, and instead sends plaintext HTTP to the proxy, which ignores it until the process times out.
Reproduction:
root@foobar:~# pro config set http_proxy=https://foo:bar@baz.net:443
Setting snap proxy
root@foobar:~# pro config set https_proxy=https://foo:bar@baz.net:443
... this hangs forever either interrupted]
$ pro config set https://user:pass@proxy.url:443/
* times out and fails
Expected result:
* Configures a working proxy for subsequent pro client commands
Notes:
* was so far tested and reproduced with a proxy where TLS terminated on a network load balancer.
* a similar "curl -x {same-proxy-URI} {website}" works as expected.
* a similar "wget" with $ENV{https_proxy} set also times out.
* pro-client team has an example proxy URI with credentials that exhibits this behavior, but I'll try to come up with another reproducer for that end as well.
Versions:
ubuntu 22.04.1 LTS
ubuntu-advantage-tools 27.12~22.04.1
Thanks,
Dave
Canonical Support |
[ Impact ]
User that use a TLS-in-TLS proxy are unable to properly use it in the Pro client since the network libraries we are using do not support that type of proxy configuration.
Therefore, users cannot properly attach and access many of the service the Pro client delivers.
[ Test Plan ]
We will verify that the Pro client now supports that type of proxy through an integration test that was created specifically for this issue. We will attach the test results of running this integration test here
[ Where problems could occur ]
We are using pycurl to add support for this type of proxy. We only make requests using this library if all of the following requirements are true:
- The target url scheme is https
- The target host is not in no_proxy
- An https_proxy is configured either via pro's config or via environment
- The https_proxy url scheme is https
Therefore, the only problems that can occur are that we either use pycurl for non TLS-in-TLS proxies or that we don't use it for valid TLS-in-TLS proxies. In the case where we use pycurl for non TLS-in-TLS proxies, it should not be a huge issue, as we expect pycurl to still handle the request appropriately. And we believe our checks are sufficient to avoid us not detecting a TLS-in-TLS proxy, so we consider this a minor risk
[ Original Description ]
When attempting to set an https_proxy where the proxy URL itself uses HTTPS, the process times out. Judging from strace() output, the client does not attempt to negotiate TLS, and instead sends plaintext HTTP to the proxy, which ignores it until the process times out.
Reproduction:
root@foobar:~# pro config set http_proxy=https://foo:bar@baz.net:443
Setting snap proxy
root@foobar:~# pro config set https_proxy=https://foo:bar@baz.net:443
... this hangs forever either interrupted]
$ pro config set https://user:pass@proxy.url:443/
* times out and fails
Expected result:
* Configures a working proxy for subsequent pro client commands
Notes:
* was so far tested and reproduced with a proxy where TLS terminated on a network load balancer.
* a similar "curl -x {same-proxy-URI} {website}" works as expected.
* a similar "wget" with $ENV{https_proxy} set also times out.
* pro-client team has an example proxy URI with credentials that exhibits this behavior, but I'll try to come up with another reproducer for that end as well.
Versions:
ubuntu 22.04.1 LTS
ubuntu-advantage-tools 27.12~22.04.1
Thanks,
Dave
Canonical Support |
|
2023-09-18 15:34:40 |
Lucas Albuquerque Medeiros de Moura |
attachment added |
|
release-29.4-test-results.tar.xz https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1999909/+attachment/5701822/+files/release-29.4-test-results.tar.xz |
|
2023-09-18 15:35:21 |
Lucas Albuquerque Medeiros de Moura |
tags |
verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-lunar verification-needed-xenial |
verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-lunar verification-done-xenial |
|
2023-09-20 16:50:30 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-09-20 16:50:29 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-09-20 16:50:47 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-09-20 16:50:53 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2023-09-20 16:50:57 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2023-09-20 16:51:02 |
Launchpad Janitor |
ubuntu-advantage-tools (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|