Opened on 01/18/16 at 16:35:41
Last modified on 02/15/17 at 13:37:51
#2534 assigned infra
HTTPS and FTP fail from AWS instances to RTEMS server
Reported by: | Brandon Matthews | Owned by: | Needs Funding |
---|---|---|---|
Priority: | normal | Milestone: | Indefinite |
Component: | unspecified | Version: | 4.11 |
Severity: | major | Keywords: | aws amazon https ssl |
Cc: | | Blocked By: | |
Blocking: | | | |
Description
I'm trying to use the source builder, and I'm having a very weird problem with the ftp.rtems.org server. I can perfectly repeatably fail to complete an SSL handshake from an AWS instance. It just ... hangs. I have no problems connecting to any other SSL service, and I only have problems from within AWS instances. It's not a TCP problem, as I can successfully get HTTP 302 responses when I try to request things via HTTP.
ubuntu@ip-172-31-33-20:~$ ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 06:18:db:39:9d:6b brd ff:ff:ff:ff:ff:ff
inet 172.31.33.20/20 brd 172.31.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::418:dbff:fe39:9d6b/64 scope link
valid_lft forever preferred_lft forever
ubuntu@ip-172-31-33-20:~$ nc -vz ftp.rtems.org 443
Connection to ftp.rtems.org 443 port [tcp/https] succeeded!
ubuntu@ip-172-31-33-20:~$ openssl s_client -host ftp.rtems.org -port 443
CONNECTED(00000003)
^C
I've even gone so far as to explicitly permit all incoming TCP traffic. In fact, I have this problem whether I'm speaking HTTPS or FTP:
ubuntu@ip-172-31-33-20:~$ ftp ftp.rtems.org
Connected to ftp.rtems.org.
220-Welcome to the RTEMS Project main FTP!
220-
220-This site is available at:
220-
220- https://ftp.rtems.org/
220- ftp://ftp.rtems.org/ (TLS)
220- http://ftp.rtems.org/
220- ftp://ftp.rtems.org/
220-
220
Name (ftp.rtems.org:ubuntu): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub/rtems/releases/4.11/4.11.0-rc1/sources/
250 Directory successfully changed.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (140,211,10,151,105,230).
150 Here comes the directory listing.
^C
receive aborted
waiting for remote to finish abort
226 Directory send OK.
225 No transfer to ABOR.
ftp>
The traceroute:
ubuntu@ip-172-31-33-20:~$ traceroute ftp.rtems.org
traceroute to ftp.rtems.org (140.211.10.151), 30 hops max, 60 byte packets
1 ec2-50-112-0-84.us-west-2.compute.amazonaws.com (50.112.0.84) 1.342 ms ec2-50-112-0-86.us-west-2.compute.amazonaws.com (50.112.0.86) 1.331 ms 1.324 ms
2 100.64.1.187 (100.64.1.187) 1.546 ms 100.64.1.213 (100.64.1.213) 2.191 ms 100.64.1.163 (100.64.1.163) 1.313 ms
3 100.64.0.144 (100.64.0.144) 1.084 ms 100.64.0.32 (100.64.0.32) 1.288 ms 100.64.0.86 (100.64.0.86) 1.678 ms
4 100.64.16.15 (100.64.16.15) 0.686 ms 100.64.16.203 (100.64.16.203) 0.693 ms 100.64.16.111 (100.64.16.111) 0.683 ms
5 54.239.48.184 (54.239.48.184) 0.920 ms 54.239.48.178 (54.239.48.178) 1.429 ms 205.251.232.39 (205.251.232.39) 0.898 ms
6 205.251.232.160 (205.251.232.160) 1.530 ms 205.251.232.216 (205.251.232.216) 0.703 ms 0.686 ms
7 205.251.232.89 (205.251.232.89) 8.540 ms 54.239.41.190 (54.239.41.190) 6.895 ms 54.239.41.253 (54.239.41.253) 9.067 ms
8 52.95.52.162 (52.95.52.162) 11.237 ms 52.95.52.96 (52.95.52.96) 11.811 ms 205.251.232.75 (205.251.232.75) 8.442 ms
9 52.95.52.81 (52.95.52.81) 6.962 ms 52.95.52.219 (52.95.52.219) 8.703 ms 52.95.52.47 (52.95.52.47) 8.293 ms
10 xe-0-2-0.0.rtr.seat.net.internet2.edu (64.57.30.42) 8.338 ms 7.101 ms xe-0-2-1.0.rtr.seat.net.internet2.edu (64.57.30.44) 6.832 ms
11 198.32.165.32 (198.32.165.32) 11.151 ms 11.227 ms 52.95.52.47 (52.95.52.47) 7.441 ms
12 corv-car1-gw.nero.net (207.98.64.39) 12.739 ms 13.949 ms xe-0-2-0.0.rtr.seat.net.internet2.edu (64.57.30.42) 8.070 ms
13 ftp.rtems.org (140.211.10.151) 12.810 ms 14.079 ms 14.073 ms
ubuntu@ip-172-31-33-20:~$
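The symptom reported above (TCP connect succeeds, the TLS handshake never completes) can be captured as a staged probe that reports how far the connection got and how many bytes the server returned before it stalled. This is an added example, not part of the original ticket; `probe_tls` and its stage names are hypothetical, and the demo target is a constructed local listener that accepts connections and never replies.

```python
import socket
import ssl

def probe_tls(host, port, timeout=5.0):
    """Return (stage, bytes_received) showing where a TLS connection stalls."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("tcp-connect-failed", 0)
    ctx = ssl.create_default_context()
    # Memory BIOs let us move the handshake bytes ourselves and count them.
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    received = 0
    with sock:
        while True:
            try:
                tls.do_handshake()
                done = True
            except ssl.SSLWantReadError:
                done = False          # handshake needs more data from the server
            except ssl.SSLError:
                return ("tls-handshake-error", received)
            flight = outgoing.read()  # ClientHello or a later client flight
            try:
                if flight:
                    sock.sendall(flight)
                if done:
                    return ("tls-handshake-ok", received)
                chunk = sock.recv(16384)
            except socket.timeout:
                # TCP is up and our bytes were sent, but no reply arrived in time.
                return ("tls-handshake-timeout", received)
            except OSError:
                return ("tcp-error", received)
            if not chunk:
                return ("closed-by-peer", received)
            received += len(chunk)
            incoming.write(chunk)

if __name__ == "__main__":
    # Constructed target: a listener whose backlog completes the TCP handshake
    # but which never sends anything back.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(probe_tls("127.0.0.1", srv.getsockname()[1], timeout=2.0))
```

A result of `("tls-handshake-timeout", 0)` corresponds to the hang shown by `openssl s_client` above, while a non-zero byte count means part of the server's reply arrived before the stall.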
Attachments (1)
Change History (5)
comment:1 Changed on 01/18/16 at 23:59:16 by Amar Takhar
comment:2 Changed on 01/19/16 at 00:07:18 by Brandon Matthews
Here's the curl call that was captured:
---
ubuntu@ip-172-31-16-108:~/tmp$ curl -vvvv -OL https://ftp.rtems.org/pub/rtems/releases/4.11/4.11.0-rc1/rtems-source-builder-4.11.0-rc1.tar.xz
* Hostname was NOT found in DNS cache
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 140.211.10.151...
* Connected to ftp.rtems.org (140.211.10.151) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
0 0 0 0 0 0 0 0 --:--:-- 0:00:31 --:--:-- 0^C
comment:3 Changed on 01/26/17 at 07:16:00 by Sebastian Huber
Milestone: | 4.11.1 → 4.11.2 |
---|
comment:4 Changed on 02/15/17 at 13:37:51 by Sebastian Huber
Milestone: | 4.11.2 → Indefinite |
---|---|
Owner: | set to Needs Funding |
Status: | new → assigned |
Can you attach a tcpdump isolated to our IP?