[Csync2] SSL Handshake Problem

Tim Serong tserong at suse.com
Mon Feb 27 16:02:43 CET 2012


On 02/28/2012 01:13 AM, Lars Ellenberg wrote:
> On Mon, Feb 27, 2012 at 10:40:33PM +1100, Tim Serong wrote:
>> On 02/24/2012 08:56 PM, Lars Ellenberg wrote:
>>> On Fri, Feb 24, 2012 at 08:06:38AM +0000, Tobias Meyer wrote:
>>>> Hello List,
>>>>
>>>> I found this thread on the archive:
>>>>
>>>>> On 01/13/2012 04:16 AM, Mike Young wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to configure csync2 on a couple of OpenSuse 12.1 nodes, but
>>>>>> I'm having a problem with respect to TLS handshaking. I've added an
>>>>>> entry to /etc/services as was required in the Csync paper (csync2
>>>>>> 30865/tcp # Csync2 service) and I've configured xinetd to enable the
>>>>>> service. The service appears to start without any issues, until I
>>>>>> actually perform a "csync2 ­xv" operation. Then I get the following
>>>>>> error:
>>>>>>
>>>>>>      node1:/etc/csync2 # csync2 -xv
>>>>>>      Connecting to host node2 (SSL) ...
>>>>>>      WARNING: no socket to connect to
>>>>>>      Received record packet of unknown type 87
>>>>>>      SSL: handshake failed: An unexpected TLS packet was received.
>>>>>>      (GNUTLS_E_UNEXPECTED_PACKET)
>>>>
>>>> I too see this problem after upgrading from openSuse 11.3 (via 11.4) to 12.1.
>>>>
>>>> <snip>
>>>>
>>>> What puzzles me is that running csync2 in stand-alone server mode (-ii or -iii) works well - the problem only occurs when being run through xinetd.
>>>> I really would like to limit csync2 to one interface though and have not yet found a way to do so in stand-alone mode.
>>>>
>>>> Can anyone shed some light on this?
>>>
>>> Csync2 not working in "xinetd" mode should be fixed by
>>> http://git.linbit.com/csync2.git
>>> specifically
>>> http://git.linbit.com/gitweb.cgi?p=csync2.git;a=commitdiff;h=e412200979d14c3fcbb233434905f0536943a306
>>>
>>> If not, let me know.
>>>
>>
>> That patch is only good for csync2 2.x, whereas openSUSE is shipping
>> csync2 1.34 (which spits less debug stuff out anyway, AFAICT).
>>
>> Anyway, I've reproduced the problem on two openSUSE 12.1 VMs.  And I
>> think I've fixed it, by (...drumroll...) uninstalling gnome-keyring
>> on both systems.  Does this make *any* sense to anybody here?
>
> WTF?
>
> And how did you come up with that?
> Personal dislike of gnome-keyring? ;)

Not as such :)

I got it into my head to google for "gnutls WARNING: no socket to 
connect to" (I didn't recall seeing that error before), which led me to 
https://bbs.archlinux.org/viewtopic.php?pid=999417 then 
https://bugs.archlinux.org/task/26271 ("Annoying warning in programs 
using gnutls when gnome-keyring is installed") then 
https://bugzilla.gnome.org/show_bug.cgi?id=665961 ("gnome-keyring: no 
socket to connect to").

Long story short, whatever the hell is going on, it's apparently been 
fixed upstream in gnome-keyring as of 2011-12-19.  My guess would be 
"WARNING: no socket to connect to" on STDERR(?) is confusing the 
handshake, but I haven't actually proved that.

Cheers,

Tim
-- 
Tim Serong
Senior Clustering Engineer
SUSE
tserong at suse.com
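
Added example (not part of the original message, and not csync2 or GnuTLS code): a Python check that reads the first bytes a TLS endpoint received and reports whether they form a valid record header. Run on the warning line from the error output quoted above, it reports content type 87, the ASCII code of "W", which is consistent with the guess that the warning text reached the peer ahead of the handshake. The function names and the sample handshake header are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows

# Constructed samples: the 5-byte header of a TLS 1.0 handshake record, and
# the same header preceded by the warning line quoted in the error output.
HELLO = b"\x16\x03\x01\x00\x2f"
STRAY = b"WARNING: no socket to connect to\n" + HELLO


def parse_record_header(data: bytes):
    """Split the 5-byte TLS record header into (type, version, length)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def triage(data: bytes) -> str:
    """Describe what the start of a received stream looks like."""
    ctype, (major, minor), length = parse_record_header(data)
    if ctype in CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return (f"TLS record: {CONTENT_TYPES[ctype]}, "
                f"version {major}.{minor}, {length} bytes")
    # Not a known record type. If the first line is printable ASCII, the
    # peer most likely wrote diagnostic text onto the connection itself.
    line = data.split(b"\n", 1)[0]
    if all(32 <= b < 127 for b in line):
        return f"unknown record type {ctype}: plain text {line.decode('ascii')!r}"
    return f"unknown record type {ctype}: not TLS, not printable text"


if __name__ == "__main__":
    for sample in (HELLO, STRAY):
        print(triage(sample))
```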

