Opened on 01/18/16 at 16:35:41

Last modified on 02/15/17 at 13:37:51

#2534 assigned infra

HTTPS and FTP fail from AWS instances to RTEMS server

Reported by: Brandon Matthews Owned by: Needs Funding
Priority: normal Milestone: Indefinite
Component: unspecified Version: 4.11
Severity: major Keywords: aws amazon https ssl
Cc: Blocked By:
Blocking:

Description

I'm trying to use the source builder, and I'm having a very weird problem with the ftp.rtems.org server. I can perfectly repeatably fail to complete an SSL handshake from an AWS instance. It just ... hangs. I have no problems connecting to any other SSL service, and I only have problems from within AWS instances. It's not a TCP problem, as I can successfully get HTTP 302 responses when I try to request things via HTTP.

ubuntu@ip-172-31-33-20:~$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000

link/ether 06:18:db:39:9d:6b brd ff:ff:ff:ff:ff:ff
inet 172.31.33.20/20 brd 172.31.47.255 scope global eth0

valid_lft forever preferred_lft forever

inet6 fe80::418:dbff:fe39:9d6b/64 scope link

valid_lft forever preferred_lft forever

ubuntu@ip-172-31-33-20:~$ nc -vz ftp.rtems.org 443
Connection to ftp.rtems.org 443 port [tcp/https] succeeded!

ubuntu@ip-172-31-33-20:~$ openssl s_client -host ftp.rtems.org -port 443
CONNECTED(00000003)
C

I've even gone so far as to explicitly permit all incoming TCP traffic. In fact, I have this problem whether I'm speaking HTTPS or FTP:

ubuntu@ip-172-31-33-20:~$ ftp ftp.rtems.org
Connected to ftp.rtems.org.
220-Welcome to the RTEMS Project main FTP!
220-
220-This site is available at:
220-
220- https://ftp.rtems.org/
220- ftp://ftp.rtems.org/ (TLS)
220- http://ftp.rtems.org/
220- ftp://ftp.rtems.org/
220-
220
Name (ftp.rtems.org:ubuntu): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub/rtems/releases/4.11/4.11.0-rc1/sources/
250 Directory successfully changed.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (140,211,10,151,105,230).
150 Here comes the directory listing.
C
receive aborted
waiting for remote to finish abort
226 Directory send OK.
225 No transfer to ABOR.
ftp>

The traceroute:

ubuntu@ip-172-31-33-20:~$ traceroute ftp.rtems.org
traceroute to ftp.rtems.org (140.211.10.151), 30 hops max, 60 byte packets
1 ec2-50-112-0-84.us-west-2.compute.amazonaws.com (50.112.0.84) 1.342 ms ec2-50-112-0-86.us-west-2.compute.amazonaws.com (50.112.0.86) 1.331 ms 1.324 ms
2 100.64.1.187 (100.64.1.187) 1.546 ms 100.64.1.213 (100.64.1.213) 2.191 ms 100.64.1.163 (100.64.1.163) 1.313 ms
3 100.64.0.144 (100.64.0.144) 1.084 ms 100.64.0.32 (100.64.0.32) 1.288 ms 100.64.0.86 (100.64.0.86) 1.678 ms
4 100.64.16.15 (100.64.16.15) 0.686 ms 100.64.16.203 (100.64.16.203) 0.693 ms 100.64.16.111 (100.64.16.111) 0.683 ms
5 54.239.48.184 (54.239.48.184) 0.920 ms 54.239.48.178 (54.239.48.178) 1.429 ms 205.251.232.39 (205.251.232.39) 0.898 ms
6 205.251.232.160 (205.251.232.160) 1.530 ms 205.251.232.216 (205.251.232.216) 0.703 ms 0.686 ms
7 205.251.232.89 (205.251.232.89) 8.540 ms 54.239.41.190 (54.239.41.190) 6.895 ms 54.239.41.253 (54.239.41.253) 9.067 ms
8 52.95.52.162 (52.95.52.162) 11.237 ms 52.95.52.96 (52.95.52.96) 11.811 ms 205.251.232.75 (205.251.232.75) 8.442 ms
9 52.95.52.81 (52.95.52.81) 6.962 ms 52.95.52.219 (52.95.52.219) 8.703 ms 52.95.52.47 (52.95.52.47) 8.293 ms
10 xe-0-2-0.0.rtr.seat.net.internet2.edu (64.57.30.42) 8.338 ms 7.101 ms xe-0-2-1.0.rtr.seat.net.internet2.edu (64.57.30.44) 6.832 ms
11 198.32.165.32 (198.32.165.32) 11.151 ms 11.227 ms 52.95.52.47 (52.95.52.47) 7.441 ms
12 corv-car1-gw.nero.net (207.98.64.39) 12.739 ms 13.949 ms xe-0-2-0.0.rtr.seat.net.internet2.edu (64.57.30.42) 8.070 ms
13 ftp.rtems.org (140.211.10.151) 12.810 ms 14.079 ms 14.073 ms
ubuntu@ip-172-31-33-20:~$

Attachments (1)

dump.bin (1.3 KB) - added by Brandon Matthews on 01/19/16 at 00:06:27.
tcpdump of cxn

Download all attachments as: .zip

Change History (5)

comment:1 Changed on 01/18/16 at 23:59:16 by Amar Takhar

can you attach a tcpdump isolated to our ip?

tcpdump -n -w dump.bin -i <interface> dst host 140.211.10.151 or src host 140.211.10.151

Version 0, edited on 01/18/16 at 23:59:16 by Amar Takhar (next)

Changed on 01/19/16 at 00:06:27 by Brandon Matthews

Attachment: dump.bin added

tcpdump of cxn

comment:2 Changed on 01/19/16 at 00:07:18 by Brandon Matthews

Here's the curl call that was captured:
---

ubuntu@ip-172-31-16-108:~/tmp$ curl -vvvv -OL https://ftp.rtems.org/pub/rtems/releases/4.11/4.11.0-rc1/rtems-source-builder-4.11.0-rc1.tar.xz
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 140.211.10.151...
* Connected to ftp.rtems.org (140.211.10.151) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
  0     0    0     0    0     0      0      0 --:--:--  0:00:31 --:--:--     0^C
Last edited on 01/19/16 at 00:07:32 by Brandon Matthews (previous) (diff)

comment:3 Changed on 01/26/17 at 07:16:00 by Sebastian Huber

Milestone: 4.11.14.11.2

comment:4 Changed on 02/15/17 at 13:37:51 by Sebastian Huber

Milestone: 4.11.2Indefinite
Owner: set to Needs Funding
Status: newassigned
Note: See TracTickets for help on using tickets.