Re: buildfarm server suddenly not talking to old SSL stacks? - Mailing list pgsql-www

From Stefan Kaltenbrunner
Subject Re: buildfarm server suddenly not talking to old SSL stacks?
Date
Msg-id 475a539f-a514-1627-5388-1db6040b289a@kaltenbrunner.cc
In response to Re: buildfarm server suddenly not talking to old SSL stacks?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: buildfarm server suddenly not talking to old SSL stacks?  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-www
On 07/17/2018 11:29 PM, Tom Lane wrote:
> Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
>> On 07/17/2018 10:14 PM, Tom Lane wrote:
>>> So for some reason, perl's https support is trying to bind to the IPv6
>>> address of buildfarm.postgresql.org, even though no IPv6 support is
>>> configured at all on this machine.  I wonder how long that's been going
>>> on?  Has anything about the machine's DNS entries changed recently?
>>> (Also, "ssh buildfarm.postgresql.org" binds to IPv4 just fine.)
> 
>> I don't think there have been any recent changes on (DNS) v6 for
>> brentalia - afaiks in our internal revision control we have had v6 on
>> that box for at least 2 years now.
>> However could it be that whatever DNS resolver those boxes are using
>> just started to return AAAAs as well (the strsize in the strace output
>> is not large enough to see the actual response from the local resolver)
> 
> The nameserver is one I run locally, and the only change it's seen lately
> is RHEL6's occasional security updates.  I don't think that's where the
> issue came in.
> 
> The full nameserver interaction is
> 
> sendto(3,
> "\x21\x86\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x62\x75\x69\x6c\x64\x66\x61\x72\x6d\x0a\x70\x6f\x73\x74\x67\x72\x65\x73\x71\x6c\x03\x6f\x72\x67\x00\x00\x1c\x00\x01",
> 42,MSG_NOSIGNAL, NULL, 0) = 42
> 
> recvfrom(3,
> "\x21\x86\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x09\x62\x75\x69\x6c\x64\x66\x61\x72\x6d\x0a\x70\x6f\x73\x74\x67\x72\x65\x73\x71\x6c\x03\x6f\x72\x67\x00\x00\x1c\x00\x01\xc0\x0c\x00\x1c\x00\x01\x00\x00\x06\xc1\x00\x10\x20\x01\x48\x00\x15\x01\x00\x01\x00\x00\x00\x00\x00\x00\x02\x17",
> 1024,0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, [16]) = 70
> 
> I don't have anything handy like wireshark installed on this machine, but
> I see the hex for buildfarm's IPv6 address in that response, and *not*
> the hex for its IPv4 address.  Conversely, when I try the http: URL,
> I see a different query and only the IPv4 address in the response:
> 
> sendto(3,
> "\xa8\x93\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x62\x75\x69\x6c\x64\x66\x61\x72\x6d\x0a\x70\x6f\x73\x74\x67\x72\x65\x73\x71\x6c\x03\x6f\x72\x67\x00\x00\x01\x00\x01",
> 42,MSG_NOSIGNAL, NULL, 0) = 42
> 
> recvfrom(3,
> "\xa8\x93\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x09\x62\x75\x69\x6c\x64\x66\x61\x72\x6d\x0a\x70\x6f\x73\x74\x67\x72\x65\x73\x71\x6c\x03\x6f\x72\x67\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\xd5\x00\x04\xae\x8f\x23\xd9",
> 1024,0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, [16]) = 58
> 
> It looks like Perl is specifically asking for AAAA in preference to A
> records, but only for https:.  Weird.

not really weird I think - the buildfarm uses LWP and for SSL support it
might use (iirc) either Crypt::SSLeay (older versions before unbundling
of LWP::Protocol::https) or IO::Socket::SSL which has this in its docs:

"Please be aware that with the IPv6 capable super classes, it will look 
first for the IPv6 address of a given hostname. If the resolver provides 
an IPv6 address, but the host cannot be reached by IPv6, there will be 
no automatic fallback to IPv4. To avoid these problems you can enforce 
IPv4 for a specific socket by using the Domain or Family option with the 
value AF_INET as described in IO::Socket::IP. Alternatively you can 
enforce IPv4 globally by loading IO::Socket::SSL with the option 
'inet4', in which case it will use the IPv4 only class IO::Socket::INET 
as the super class."

So maybe removing the IO::Socket::INET6 superclass/package from the 
system will get it working (or hacking the buildfarm script).



Stefan

