XO's cannot use mirror repo's in YUM update or install

James Cameron quozl at laptop.org
Sun Nov 10 17:50:10 EST 2019


Thanks for the problem report and workaround.

The cause is an SSLv3 Handshake Failure, apparently a result of
tightened security configuration at fedoraproject.org which is no
longer compatible with Fedora 18.

Unfortunately yum does not report the actual problem.

Here's how to catch proof;

1.  use tcpdump to capture network packets and then wireshark to
analyse,

2.  look for the "Alert (Level: Fatal, Description: Handshake
Failure)",

3.  look for the immediately preceding SSLv3 Client Hello message,

4.  note the Cipher Suites list contains some that are no longer
acceptable.

Your workaround is fine.  It is similar to the one I used for XO-1.75
and XO-4 in 13.2.8;
https://github.com/quozl/olpc-os-builder/commit/f2cb3908aff0cc7bc3ba7937a93b0337140dd81e

Another workaround is to change from https to http in the mirrorlist
entries.

sudo sed -i 's/mirrorlist=https/mirrorlist=http/g' /etc/yum.repos.d/*.repo

However, while this is faster, it also lowers the overall security
because it makes a man in the middle attack easier.

Best way to image a set of laptops with rpmfusion packages is to build
an image using olpc-os-builder.  I've got notes on how to do that.

On Sun, Nov 10, 2019 at 03:15:55PM -0500, Carrol Riddle wrote:
> Have been able to Yum install exfat files on my XO-1, but everywhere had to block mirrorline and use baseurl. 
> 
> Still do not know why mirrors do not work.
> 
> The baseurl for fedora.repo is http://dl.fedoraproject.org/pub/archive/fedora/linux/$releasever/Everything/$basearch/os/
> 
> The baseurl for rpmfusion is http://archive.rpmfusion.org/free-archive/fedora/releases/$releasever/Everything/$basearch/os/
> 
> dl, download and archive all seem to work as first term in fedora path.
> 
> Modified the *-update.repo files similarly (but not same).
> 
> I had been using http://wiki.laptop.org/go/Gstreamer  method of installing rpmfusion,
> but simpler and newer is:
> wget -c download1.rpmfusion.org/free/fedora/rpmfusion-free-release-18.noarch.rpm
> and rpm  -i rpmfusion-free-release-18.noarch.rpm
> 
> Removed extraneous rpmfusion  repos from /etc/yum.repos.d/
> 
> This effort was to allow installing Internet-in-a-Box on a larger SD for Raspberry Pi Zero W using only XO and the Zero.
> Two external ports are needed and had previously used Pi 4 to prepare SD.
> The single USB port on Zero is used for the connection to an XO using X11Forwarding for display, keyboard and shared WiFi (secondary to Zero W on-board WiFi or as primary for simple Zero).
> 
> Still looking for cause of YUM Mirrors failure.
> 
> Carrol Riddle
> 
> 
> > On November 10, 2019 at 9:57 AM Peter Robinson <pbrobinson at gmail.com> wrote:
> > 
> > 
> > On Sun, Nov 10, 2019 at 5:29 AM Carrol Riddle <ebox382 at scishare.com> wrote:
> > >
> > > XO's attempting to run YUM update or install are unable to use fedora mirror sites (https://) but able to use primary fedora site (http://).
> > >
> > > Is this a matter of https vs http / ca-certificates or changes in mirror structures ?  Ca-certificates update have not been done, but could be done.
> > >
> > >  Running OLPC 13.2.10 with current date / time and hwclock -w to sync.
> > >
> > > Primaries used by editing /etc/yum.repos.d/fedora.repo and commenting out mirrorlist line and uncommenting baseurl line (and adding "archive" to url path after /pub/).
> > >
> > > There are no entries in yum.log and error message is:
> > > "Cannot retrieve metalink for repository: fedora/18/i386.  Please verify its path and try again."
> > >
> > > My specific case is trying to install rpmfusion in preparing to install exfat-utils and fuse-exfat ,  but occurs with other installs that have been done in the past.
> > 
> > I'm guessing you might need to update for content that has been
> > archived, I thought the mirror manager dealt with redirects
> > automatically there but I don't know exactly.

-- 
James Cameron
http://quozl.netrek.org/
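
The four capture-analysis steps in the message above, as an added Python example (not part of the original post): it walks the raw SSL/TLS records of each direction, finds a fatal Handshake Failure alert from the server, and returns the version and Cipher Suites of the preceding Client Hello. It assumes the two byte streams were already exported from the capture; the sample bytes and the suites in them are constructed for illustration and are not taken from an XO.

```python
import struct

FATAL, HANDSHAKE_FAILURE = 2, 40          # alert level / description codes
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def records(stream):
    """Yield (content_type, payload) for each complete SSL/TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break                         # truncated capture
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def client_hello(payload):
    """Return (client_version, [cipher suite ids]), or None if not a Client Hello."""
    if len(payload) < 41 or payload[0] != 1:
        return None
    pos = 39 + payload[38]                # past header, version, random, session id
    try:
        (nbytes,) = struct.unpack_from("!H", payload, pos)
        ids = struct.unpack_from("!%dH" % (nbytes // 2), payload, pos + 2)
    except struct.error:
        return None                       # hello cut short
    return struct.unpack_from("!H", payload, 4)[0], list(ids)

def diagnose(client_bytes, server_bytes):
    """Return the Client Hello details if the server sent a fatal handshake_failure."""
    hello = None
    for ctype, payload in records(client_bytes):
        if ctype == 22:                   # handshake record
            hello = client_hello(payload) or hello
    for ctype, payload in records(server_bytes):
        if ctype == 21 and payload[:2] == bytes([FATAL, HANDSHAKE_FAILURE]):
            return hello
    return None

def names(ids):
    return [SUITES.get(i, "0x%04x" % i) for i in ids]

def sample_hello(suites):                 # constructed input, not a real capture
    body = struct.pack("!H", 0x0300) + bytes(32) + b"\x00"
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites) + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0300, len(hs)) + hs

CLIENT = sample_hello([0x0004, 0x0005, 0x000A, 0x002F])
SERVER = struct.pack("!BHHBB", 21, 0x0300, 2, FATAL, HANDSHAKE_FAILURE)
```

`names(diagnose(CLIENT, SERVER)[1])` gives the readable suite list to compare against what the server still accepts.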