Problem
Installing epel on CentOS 6 fails with an error
$ curl -O https://mirrors.tuna.tsinghua.edu.cn/epel/6/x86_64/epel-release-6-8.noarch.rpm
$ rpm -ivh epel-release-*.rpm
$ yum clean all
$ yum repolist
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
Analysis
Many posts suggest editing /etc/yum.repos.d/epel.repo, commenting out mirrorlist and using baseurl instead
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
So why can the mirrorlist address not be used? Let's test it
$ curl -v https://mirrors.fedoraproject.org
...
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12190
* Error in TLS handshake, trying SSLv3...
...
curl: (35) SSL connect error
It looks like an SSL problem. Let's test from a system that already has the epel repository installed
$ curl -v https://mirrors.fedoraproject.org
...
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...
It is reachable there. On that machine, test with openssl s_client
$ echo -n | openssl s_client -connect mirrors.fedoraproject.org:443
...
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4180 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...
The connection uses TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256.
Back on the problematic machine, run the same test
$ echo -n | openssl s_client -connect mirrors.fedoraproject.org:443
...
No client certificate CA names sent
---
SSL handshake has read 4180 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
...
No Server Temp Key is returned, which suggests that during negotiation the client did not send the server the protocols or algorithms it supports. Specify the cipher ECDHE_RSA_AES_128_GCM_SHA_256 explicitly on the current machine and test
$ curl --ciphers ECDHE_RSA_AES_128_GCM_SHA_256 -v https://mirrors.fedoraproject.org
...
* Unknown cipher in list: ECDHE_RSA_AES_128_GCM_SHA_256
* NSS error -5978
...
curl: (59) Unknown cipher in list: ECDHE_RSA_AES_128_GCM_SHA_256
The local machine does not support the ECDHE_RSA_AES_128_GCM_SHA_256 cipher. Compare the version information; curl version on the other machine:
$ curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.11 libidn/1.18 libssh2/1.4.2
curl version on the current machine:
$ curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Taking the error and the version information together, the nss version is old. Compare the nss package; the other machine:
$ yum info nss
Installed Packages
Version : 3.36.0
Release : 9.el6_10
Version information on this machine (--disablerepo=epel is required, otherwise the command errors out)
$ yum --disablerepo=epel info nss
Installed Packages
Version : 3.15.1
Release : 15.el6
nss needs to be upgraded
$ yum --disablerepo=epel update nss
Check the version information
$ yum --disablerepo=epel info nss
Installed Packages
Version : 3.44.0
Release : 7.el6_10
The NSS version has been upgraded; test again first
$ curl -v https://mirrors.fedoraproject.org
...
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
...
The request succeeds. Test once more
$ curl --ciphers ECDHE_RSA_AES_128_GCM_SHA_256 -v https://mirrors.fedoraproject.org
...
* Unknown cipher in list: ECDHE_RSA_AES_128_GCM_SHA_256
* NSS error -5978
...
It looks like when ciphers are specified, curl uses its own internal nss module, so upgrade curl
$ yum --disablerepo=epel update curl
$ curl --ciphers ECDHE_RSA_AES_128_GCM_SHA_256 -v https://mirrors.fedoraproject.org
Now the request works. Verify again whether epel still has a problem
$ yum repolist
repo id repo name
base CentOS-6 - Base
epel Extra Packages for Enterprise Linux 6 - x86_64
extras CentOS-6 - Extras
updates CentOS-6 - Updates
Verify openssl again
$ echo -n | openssl s_client -connect mirrors.fedoraproject.org:443
...
No client certificate CA names sent
---
SSL handshake has read 4180 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
...
This shows that openssl also needs to be upgraded
$ yum update openssl
$ echo -n | openssl s_client -connect mirrors.fedoraproject.org:443
...
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4180 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Everything works now.
Solution
Overall, the root cause is that the nss version is too old to support the newer cipher suites. If you only need to install epel, updating the nss module is enough
$ yum --disablerepo=epel update nss
But since curl and other software that depends on nss also use it, it is better to upgrade the related packages as well, to avoid errors later
$ yum update curl openssl
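As an added example (not part of the original post), here is a small POSIX sh script that turns the diagnosis in the Analysis section and the fix in this section into checks that run offline. It parses the curl --version, curl -v and openssl s_client excerpts quoted above (embedded here as constructed samples), extracts the NSS version that curl is built against, and reports whether it is below a threshold. The threshold MIN_NSS=3.27.1 is an assumption taken from the lowest NSS version the post shows working, not a documented minimum; all function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post. MIN_NSS is an ASSUMPTION
# (3.27.1 is the lowest NSS version shown working in the post).
MIN_NSS="${MIN_NSS:-3.27.1}"

# Constructed samples: the two `curl --version` lines quoted in the post.
CURL_VERSION_BROKEN='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'
CURL_VERSION_GOOD='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.11 libidn/1.18 libssh2/1.4.2'

# Constructed sample: the `openssl s_client` session block from the post.
S_CLIENT_GOOD='Server Temp Key: ECDH, prime256v1, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Constructed samples: failing and working `curl -v` lines from the post.
CURL_V_BROKEN='* NSS error -12190
* Error in TLS handshake, trying SSLv3...
curl: (35) SSL connect error'
CURL_V_GOOD='* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# Extract the NSS version from a `curl --version` line (empty if curl is not NSS-backed).
nss_version_from_curl() {
  printf '%s\n' "$1" | sed -n 's/.*NSS\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B (numeric, component-wise).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Classify `curl -v` output: prints "ok <suite>" or "fail <nss error code>".
curl_handshake_result() {
  out=$1
  suite=$(printf '%s\n' "$out" | sed -n 's/.*SSL connection using \([A-Za-z0-9_]*\).*/\1/p' | head -n 1)
  if [ -n "$suite" ]; then
    echo "ok $suite"
    return 0
  fi
  code=$(printf '%s\n' "$out" | sed -n 's/.*NSS error \(-[0-9]*\).*/\1/p' | head -n 1)
  echo "fail ${code:-unknown}"
  return 1
}

# Summarise an `openssl s_client` transcript as "<protocol> <cipher> [ephemeral]";
# "ephemeral" is appended when the Server Temp Key line the post looks for is present.
s_client_summary() {
  out=$1
  proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)
  if printf '%s\n' "$out" | grep -q '^Server Temp Key:'; then
    echo "$proto $cipher ephemeral"
  else
    echo "$proto $cipher"
  fi
}

# Decide from a `curl --version` line whether NSS is old enough to explain the
# post's failure and, if so, print the remediation the post settled on.
check_nss() {
  ver=$(nss_version_from_curl "$1")
  if [ -z "$ver" ]; then
    echo "no NSS version found; curl is not NSS-backed" >&2
    return 2
  fi
  if version_ge "$ver" "$MIN_NSS"; then
    echo "NSS $ver >= $MIN_NSS: ECDHE / TLS 1.2 suites expected to negotiate"
    return 0
  fi
  echo "NSS $ver < $MIN_NSS: run 'yum --disablerepo=epel update nss', then 'yum update curl openssl'"
  return 1
}

# Demo over the constructed samples (statuses ignored so the script exits 0).
check_nss "$CURL_VERSION_BROKEN" || :
check_nss "$CURL_VERSION_GOOD" || :
curl_handshake_result "$CURL_V_BROKEN" || :
curl_handshake_result "$CURL_V_GOOD"
s_client_summary "$S_CLIENT_GOOD"
```

To use it on a real host, replace the constructed samples with the actual output of curl --version, curl -v https://mirrors.fedoraproject.org 2>&1 and echo -n | openssl s_client -connect mirrors.fedoraproject.org:443 2>&1, and adjust MIN_NSS to whatever your distribution documents as the first NSS build with the suites you need.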