[pca] Patch file not downloaded with "cipher or hash unavailable"
I'm using latest pca. Calling pca --user $USERNAME --passwd $PASSWORD --wgetopt="--no-check-certificate" -d -x $* gives ... Found /usr/sfw/bin/wget (1.12, 11200, https) ... Location: https://updates.oracle.com/all_unsigned/119963-33.zip [following] --2015-05-03 11:47:29-- https://updates.oracle.com/all_unsigned/119963-33.zip Connecting to updates.oracle.com|141.146.44.51|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://aru-akam-secure.oracle.com/adcarurepos/vol/patch22/PLATFORM/Solaris-32/R40110/119963-33.zip?FilePath=/adcarurepos/vol/patch22/PLATFORM/Solaris-32/R40110/119963-33.zip&File=119963-33.zip¶ms=am15VWxkbk91R1Q4RmpNZG5MVFdiQTphcnU9MTg4NzgwMDMmZW1haWw9ZnJhbmsubGFuZ2VsYWdlQG9zbmFuZXQuZGUmZmlsZV9pZD03OTQyNjM5MiZwYXRjaF9maWxlPTExOTk2My0zMy56aXAmdXNlcmlkPW8tZnJhbmsubGFuZ2VsYWdlQG9zbmFuZXQuZGUmc2l6ZT0xOTQxNzcyJmNvbnRleHQ9QUAxMCtIQGFhcnV2bXRwMDEub3JhY2xlLmNvbStQQCZkb3dubG9hZF9pZD0xNjU4Njg5MzA@&AuthParam=1430646569_1675a06858b228c7b3be46de11cdc964 [following] --2015-05-03 11:47:29-- https://aru-akam-secure.oracle.com/adcarurepos/vol/patch22/PLATFORM/Solaris-32/R40110/119963-33.zip?FilePath=/adcarurepos/vol/patch22/PLATFORM/Solaris-32/R40110/119963-33.zip&File=119963-33.zip¶ms=am15VWxkbk91R1Q4RmpNZG5MVFdiQTphcnU9MTg4NzgwMDMmZW1haWw9ZnJhbmsubGFuZ2VsYWdlQG9zbmFuZXQuZGUmZmlsZV9pZD03OTQyNjM5MiZwYXRjaF9maWxlPTExOTk2My0zMy56aXAmdXNlcmlkPW8tZnJhbmsubGFuZ2VsYWdlQG9zbmFuZXQuZGUmc2l6ZT0xOTQxNzcyJmNvbnRleHQ9QUAxMCtIQGFhcnV2bXRwMDEub3JhY2xlLmNvbStQQCZkb3dubG9hZF9pZD0xNjU4Njg5MzA@&AuthParam=1430646569_1675a06858b228c7b3be46de11cdc964 Resolving aru-akam-secure.oracle.com... 184.31.84.14 Connecting to aru-akam-secure.oracle.com|184.31.84.14|:443... connected. OpenSSL: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable Unable to establish SSL connection.
Re: [pca] Patch file not downloaded with "cipher or hash unavailable"
Am 03.05.2015 um 11:53 schrieb Frank Langelage: Connecting to aru-akam-secure.oracle.com|184.31.84.14|:443... connected. OpenSSL: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable Unable to establish SSL connection. Strange. Did patch downloads work on that system before? Did you update wget or pca or install patches recently? The error seems to suggest that certain ciphers are missing from the SSL library. If that's true, and nothing has changed on your system, it would mean that something must have changed on the server. Could other PCA users please test patch downloads and see if they get the same error? Martin.
Re: [pca] Patch file not downloaded with "cipher or hash unavailable"
I pulled patches on Sunday morning without incident. michaeldgale -Original Message- From: pca [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Martin Paul Sent: Monday, May 04, 2015 7:44 AM To: PCA (Patch Check Advanced) Discussion Subject: Re: [pca] Patch file not downloaded with "cipher or hash unavailable" Am 03.05.2015 um 11:53 schrieb Frank Langelage: > Connecting to aru-akam-secure.oracle.com|184.31.84.14|:443... connected. > OpenSSL: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or > hash unavailable Unable to establish SSL connection. Strange. Did patch downloads work on that system before? Did you update wget or pca or install patches recently? The error seems to suggest that certain ciphers are missing from the SSL library. If that's true, and nothing has changed on your system, it would mean that something must have changed on the server. Could other PCA users please test patch downloads and see if they get the same error? Martin. smime.p7s Description: S/MIME cryptographic signature
Re: [pca] Patch file not downloaded with "cipher or hash unavailable"
Sure. I patched (1 installed) Saturday without issue and, per your request, have just pulled a couple of random patches without issue: NONAME Sun SPARC Enterprise T5120 64 GB RAM Serial #99975552 Host ID: 99915d80 SunOS Release 5.10 Version Generic 64-bit SPARC CSN: ZZZ0825QKF Oracle Solaris 10 8/11 s10s_u10wos_17b SPARC Copyright (c) 1983, 2014, Oracle and/or its affiliates. All rights reserved Assembled 23 August 2011 # pca --wget=/usr/sfw/bin/wget -d 148120 Using /var/tmp/patchdiag.xref from May/03/15 Host: noname (SunOS 5.10/Generic_Virtual/sparc/sun4v) List: 148120 (1/1172) Patch IR CR RSB Age Synopsis -- -- - -- --- --- --- 148120 -- < 02 --- 999 X11 6.6.2: xset patch Looking for 148120-02 (1/1) Trying Oracle Trying https://getupdates.oracle.com/ (1/1) Done -- Download Summary: 1 total, 1 successful, 0 skipped, 0 failed # /usr/sfw/bin/wget -V GNU Wget 1.12 built on solaris2.10. +digest +ipv6 -nls +ntlm +opie +md5/solaris +https -gnutls +openssl -iri Wgetrc: /etc/wgetrc (system) Compile: /ws/on10-tools/SUNWspro/SOS8/bin/cc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" -DLOCALEDIR="/usr/sfw/share/locale" -I. -I../lib -I/usr/sfw/include -xO3 -xarch=v8 -xspace -W0,-Lt -W2,-Rcond_elim -Xa -xildoff -xc99 Link: /ws/on10-tools/SUNWspro/SOS8/bin/cc -xO3 -xarch=v8 -xspace -W0,-Lt -W2,-Rcond_elim -Xa -xildoff -xc99 /usr/sfw/lib/libssl.so /usr/sfw/lib/libcrypto.so -R/usr/sfw/lib -lmd5 -ldl -lsocket -lnsl -lrt ftp-opie.o openssl.o http-ntlm.o gen-md5.o ../lib/libgnu.a # pca --version pca 20150327-01 # Verbose: Looking for 148912-01 (1/1) Trying Oracle Trying https://getupdates.oracle.com/ (1/1) src: oracle, srcurl: Adding to /tmp/pca.986105: header=Authorization: Basic /usr/sfw/bin/wget --progress=dot:binary --ca-certificate=/usr/local/bin/pca --no-check-certificate --secure-protocol=TLSv1 -O /var/tmp/./148912-01.zip "https://getupdates.oracle.com/all_unsigned/148912-01.zip"; --2015-05-04 14:43:39-- https://getupdates.oracle.com/all_unsigned/148912-01.zip Resolving getupdates.oracle.com... 141.146.44.51 Connecting to updates.oracle.com|141.146.44.51|:443... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://updates.oracle.com/all_unsigned/148912-01.zip [following] --2015-05-04 14:43:44-- https://updates.oracle.com/all_unsigned/148912-01.zip Connecting to updates.oracle.com|141.146.44.51|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://aru-akam-secure.oracle.com/adcarurepos/vol/patch33/PLATFORM/Solaris-64/R40 110/148912-01.zip?FilePath=/adcarurepos/vol/patch33/PLATFORM/Solaris-64/R4 0110/148912-01.zip ... BTW, that's a branded zone on 11.2. How are you patching 2.10 zones? A bit dumb but timesaving, I'm just relying on -si missingrs and the failure of checks to stop me patching things that I can't or shouldn't. Kind regards, -Original Message- Date: Mon, 04 May 2015 13:44:02 +0200 From: Martin Paul To: "PCA (Patch Check Advanced) Discussion" Subject: Re: [pca] Patch file not downloaded with "cipher or hash unavailable" Am 03.05.2015 um 11:53 schrieb Frank Langelage: > Connecting to aru-akam-secure.oracle.com|184.31.84.14|:443... connected. > OpenSSL: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash > unavailable > Unable to establish SSL connection. Strange. Did patch downloads work on that system before? Did you update wget or pca or install patches recently? The error seems to suggest that certain ciphers are missing from the SSL library. If that's true, and nothing has changed on your system, it would mean that something must have changed on the server. Could other PCA users please test patch downloads and see if they get the same error? Martin.
Re: [pca] Patch file not downloaded with "cipher or hash unavailable"
On 04.05.15 13:44, Martin Paul wrote: Am 03.05.2015 um 11:53 schrieb Frank Langelage: Connecting to aru-akam-secure.oracle.com|184.31.84.14|:443... connected. OpenSSL: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable Unable to establish SSL connection. Strange. Did patch downloads work on that system before? Did you update wget or pca or install patches recently? The error seems to suggest that certain ciphers are missing from the SSL library. If that's true, and nothing has changed on your system, it would mean that something must have changed on the server. Could other PCA users please test patch downloads and see if they get the same error? Martin. Martin, last time patches were installed was April 14th. At that time pca / wget worked. Now patches / new packages since then. wget is 1.12 as of January 2015. But root@sb2000:/ ldd /usr/sfw/bin/wget libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7 libcrypto.so.0.9.7 =>/usr/sfw/lib/libcrypto.so.0.9.7 libmd5.so.1 => /lib/libmd5.so.1 libdl.so.1 =>/lib/libdl.so.1 libsocket.so.1 =>/lib/libsocket.so.1 libnsl.so.1 => /lib/libnsl.so.1 librt.so.1 =>/lib/librt.so.1 libc.so.1 => /lib/libc.so.1 libmp.so.2 =>/lib/libmp.so.2 libmd.so.1 =>/lib/libmd.so.1 libscf.so.1 => /lib/libscf.so.1 libaio.so.1 => /lib/libaio.so.1 libdoor.so.1 => /lib/libdoor.so.1 libuutil.so.1 => /lib/libuutil.so.1 libgen.so.1 => /lib/libgen.so.1 libcrypto_extra.so.0.9.7 => *(Datei nicht gefunden)* libm.so.2 => /lib/libm.so.2 /platform/SUNW,Sun-Blade-1000/lib/libc_psr.so.1 /platform/SUNW,Sun-Blade-1000/lib/libmd_psr.so.1 libcrypto_extra.so.0.9.7 is missing. SUNWopenssl-libraries was updated on Apr. 14th. root@sb2000:/ grep "SUNWopenssl-libraries" /var/sadm/install/contents | grep " f " /usr/sfw/lib/libcrypto.so.0.9.7 f none 0755 root bin 1478540 28194 1427846326 SUNWopenssl-libraries /usr/sfw/lib/libssl.so.0.9.7 f none 0755 root bin 1424792 61922 1427846326 SUNWopenssl-libraries /usr/sfw/lib/llib-lcrypto f none 0644 root bin 1282 46464 1186623729 SUNWopenssl-libraries /usr/sfw/lib/llib-lcrypto.ln f none 0644 root bin 313219 5907 1427805407 SUNWopenssl-libraries /usr/sfw/lib/llib-lssl f none 0644 root bin 293 23152 1106348616 SUNWopenssl-libraries /usr/sfw/lib/llib-lssl.ln f none 0644 root bin 280100 23230 1427805428 SUNWopenssl-libraries /usr/sfw/lib/sparcv9/libcrypto.so.0.9.7 f none 0755 root bin 1875672 8540 1427846326 SUNWopenssl-libraries /usr/sfw/lib/sparcv9/libssl.so.0.9.7 f none 0755 root bin 1500816 24526 1427846326 SUNWopenssl-libraries /usr/sfw/lib/sparcv9/llib-lcrypto.ln f none 0644 root bin 311958 50946 1427805415 SUNWopenssl-libraries /usr/sfw/lib/sparcv9/llib-lssl.ln f none 0644 root bin 278839 17372 1427805437 SUNWopenssl-libraries Relevant patch: 148071-17. According to the README, /usr/sfw/lib/libcrypto_extra.so.0.9.7 should be part of the patch. removed this patch, pca / wget is working again: Downloading xref file to /var/tmp/patchdiag.xref Trying Oracle Trying https://getupdates.oracle.com/ (1/1) Using /var/tmp/patchdiag.xref from May/03/15 Host: sb2000 (SunOS 5.10/Generic_150400-23/sparc/sun4u) List: missing (2/25) Patch IR CR RSB Age Synopsis -- -- - -- --- --- --- 119963 32 < 33 R-- 4 SunOS 5.10: Shared library patch for C++ Looking for 119963-33 (1/2) Trying Oracle Trying https://getupdates.oracle.com/ (1/1) Done -- 148071 16 < 17 RS- 21 SunOS 5.10: openssl patch Looking for 148071-17 (2/2) Trying Oracle Trying https://getupdates.oracle.com/ (1/1) Done -- Download Summary: 2 total, 2 successful, 0 skipped, 0 failed Now I'll switch to single user mode and apply these patches and see, if the problem reappears.
Re: [pca] Patch file not downloaded with "cipher or hash unavailable"
Relevant patch: 148071-17. According to the README, /usr/sfw/lib/libcrypto_extra.so.0.9.7 should be part of the patch. Now I'll switch to single user mode and apply these patches and see, if the problem reappears. Going back to 148071-16 the libraries /usr/sfw/lib/libcrypto_extra.so.0.9.7 and /usr/sfw/lib/libssl_extra.so.0.9.7 and their 64bit counterparts are still missing. They are only installed when package SUNWcry ist installed on the machine. On mine it's not installed. So there must be changes in the other files which get installed in my case which require the existence of SUNWcry and patches.
Re: [pca] Patch file not downloaded with "cipher or hash unavailable"
Hi > Am 04.05.2015 um 20:03 schrieb Frank Langelage : > > Going back to 148071-16 the libraries > /usr/sfw/lib/libcrypto_extra.so.0.9.7 > and > /usr/sfw/lib/libssl_extra.so.0.9.7 > and their 64bit counterparts are still missing. > > They are only installed when package SUNWcry ist installed on the machine. On > mine it's not installed. > So there must be changes in the other files which get installed in my case > which require the existence of SUNWcry and patches. Oh some old solaris install. Cry was added with update 4. see this note to see how to get it working more or less. https://blogs.oracle.com/patch/entry/do_not_apply_packages_from Greetings Jan
Re: [pca] Patch file not downloaded with "cipher or hash unavailable"
I had the same problem with one of my Solaris 10 systems. In April Oracle released an openSSL patch for Solaris 10 (148071-17). Apparently this patch caused a problem for applications which use certain crypto library calls in openSSL but only older installs of Solaris 10 were affected. There is a missing package (SUNWcry) even in fully patched Solaris 10 systems with an initial install of Update 3 and earlier. There is a note buried at the bottom of the readme file for this patch. I backed out the patch which reverted to the -16 version and pca downloads started working again. FYI: this also turned out to be the root cause of an issue I had been having with that same server communicating with Microsoft's SCOM. Dan West - Sr. System Administrator Computer Sciences Corporation Contractor to ORD - Ada, OK Voice: (580) 436-8717 e-mail: west.dan...@epa.gov ** Disclaimer: Text reflects my opinions, not CSC's nor the EPA's. ** From: pca on behalf of Gale, Michael D CTR USARMY PEO EIS (US) Sent: Monday, May 4, 2015 7:52 AM To: PCA (Patch Check Advanced) Discussion Subject: Re: [pca] Patch file not downloaded with "cipher orhash unavailable" I pulled patches on Sunday morning without incident. michaeldgale -Original Message- From: pca [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Martin Paul Sent: Monday, May 04, 2015 7:44 AM To: PCA (Patch Check Advanced) Discussion Subject: Re: [pca] Patch file not downloaded with "cipher or hash unavailable" Am 03.05.2015 um 11:53 schrieb Frank Langelage: > Connecting to aru-akam-secure.oracle.com|184.31.84.14|:443... connected. > OpenSSL: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or > hash unavailable Unable to establish SSL connection. Strange. Did patch downloads work on that system before? Did you update wget or pca or install patches recently? The error seems to suggest that certain ciphers are missing from the SSL library. If that's true, and nothing has changed on your system, it would mean that something must have changed on the server. Could other PCA users please test patch downloads and see if they get the same error? Martin.
