Comment 8 for bug 1999909

Christian Ehrhardt (paelzer) wrote:

Hi,
we'd like to gather some more info to properly prioritize this.
As far as it has been analyzed by the team behind the pro tool - and gladly Hua Zhang came to the same conclusion in comment #5 - it is due to the Python libs that do not support TLS over TLS proxy.

From the experiments that we have done, we might be able to use urllib3 (and there is even some difference between the package and PyPI) instead of urllib, but even that only has that support back to Bionic. For Xenial (these tools are meant to work the same everywhere) there needs to be a different solution.
But then, we don't know all about the setup used - so mileage might vary.
AFAIU Hua Zhang, he found none of the libs working for his setup.

Given that the solution seems messy and that there is a workaround provided, we'd like to ask if the workaround provided, using an HTTP proxy for HTTPS, works for you?
If not, why not?
You said this is happening on a proxy where TLS is terminated. So if you are terminating it there anyway, at least some possible arguments against using HTTP to connect to the proxy should be non-critical as well.

To re-state, for the example reported in the bug, that workaround would use:
  $ pro config set https_proxy=http://foo:<email address hidden>:443

And furthermore, for testing, if you are using squid or something else in the Ubuntu Archive, would someone mind summarizing the configuration so this case can be reproduced outside of your environment?

Especially in terms of terminology I'd ask everyone to refer to a case described in [1] and use the terms used there. Use it for what you currently use as well as for what you want to achieve.
Only then are we all really talking about the same thing.

Only then can we properly decide if:
1. That is an edge/unwanted use case or something very common and reasonable
2. Properly test whatever solution we ever come up with

Until then this can only be a wishlist item.

P.S. @Hua Zhang
1. I've heard that you had some success with curl [2] and, derived from that, pycurl.
I've checked and pycurl is in main at least. But again - considering back to Xenial, only at 7.43.0-1ubuntu1 - and being a wrapper around libcurl, that also isn't recent enough, as curl itself is at 7.47.0-1ubuntu2 but it needs 7.52.
2. You have tested this, so do you happen to know exactly what kind of proxy is set up and maybe how it could be reproduced with in-archive components? If so, we'd be happy if you could summarize that here.

[1]: https://wiki.squid-cache.org/Features/HTTPS.html
[2]: https://curl.se/libcurl/c/CURLOPT_PROXY.html