Re: [pca] Issue with wget on RHEL6.5

2014-01-07 Thread Martin Paul 

Happy new year to everbody!


I'm running PCA as a proxy on a RHEL6 machine, Apparently, since early
December and an update to 6.5, it fails connecting to
getupdates.oracle.com (through a web proxy) with a message saying:
Unable to establish SSL connection.


Yeah, you had reported this problem already back in May 2013, and I had 
added the temporary fix for the CSW version of wget back then. The root 
cause was (and is) a problem with Oracle's web server:


  https://www.opencsw.org/mantis/view.php?id=5068

Oracle's web admin team planned to upgrade the web server to support 
clients with recent versions of OpenSSL, but it seems as if this never 
happened. They put a note into Support Document 1199543.1, which is 
still there:


  IMPORTANT:

  https://getupdates.oracle.com web server does not fully support TLS
  1.2. Only OpenSSL versions from branch 1.0.0 will work - Oracle
  Solaris does not deliver higher versions at this time.
  Customers who are trying to access the URL using latest wget/OpenSSL
  (ie. from www.opencsw.org) version with TLS 1.2 support may get
  connection failures.


I'd say, just always add the parameter. It works with /usr/sfw/bin/wget
(in a recently patched S10 at least) as well as with wget on RHEL = 5.


Did exactly that in the current development release of PCA now. It seems 
as if the --secure-protocol option is supported in all relevant versions 
of wget, so this should do no harm.


Thanks for the report!

Martin.

[pca] Issue with wget on RHEL6.5

2014-01-03 Thread Laurent Blume 

Hello all, and Happy New Year!

To start it properly - I've found a PCA issue. It's been a while since 
I've found one.


I'm running PCA as a proxy on a RHEL6 machine, Apparently, since early 
December and an update to 6.5, it fails connecting to 
getupdates.oracle.com (through a web proxy) with a message saying: 
Unable to establish SSL connection.


After comparing with a Solaris box where it was working, I noticed this 
parameter was present when running on Solaris, not on RHEL:

--secure-protocol=TLSv1

Adding it manually, it connects.

So this bit of the code should be modified to add the parameter in other 
cases than OpenCSW:


  if ((($url =~ /https:\/\/getupdates.oracle.com\//) || ($url =~ 
/https:\/\/support.oracle.com\//))  ($wget{path} =~ /csw/)) { $cmd .= 
 --secure-protocol=TLSv1 }


So, wget was *not* updated. It's still 1.12, the binary dated Oct 2012.
OpenSSL was updated, so it's probably coming from that.

I'd say, just always add the parameter. It works with /usr/sfw/bin/wget 
(in a recently patched S10 at least) as well as with wget on RHEL = 5.


Thanks,

Laurent