SSH port forwarding


Jaroslav Klaus

Mar 28, 2011, 12:19:28 PM
to Puppet Users
Hi,

I'm trying to run Puppet through an SSH channel using port forwarding (ssh master -R 8140:127.0.0.1:8140 -L 8139:127.0.0.1:8139). But for some unknown reason the TCP connection is terminated and the puppet agent finishes with the message

"err: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A"

Not always, but in ~98% of cases. When I "simulate" the tunnel using a pair of redir(1) without SSH it always works without an issue. I've never had an issue with SSH port forwarding before, and this time it's specific to Puppet only. Other protocols like HTTPS and IMAPS work fine using port forwarding. The master is FreeBSD and I've also tried OS X (without any difference); the agent is Linux 2.6.32.

BTW, I thought the Puppet protocol was HTTPS, but if I connect to the master port 8140 using 'telnet localhost 8140' (locally) the connection is immediately terminated. Maybe it's related to my problem with SSH port forwarding.

Do you have any experience with such behavior? Any idea what the reason is? Thanks a lot.

Jaroslav

Jaroslav Klaus

Mar 28, 2011, 2:34:30 PM
to Puppet Users


On Mar 28, 6:19 pm, Jaroslav Klaus <jaroslav.kl...@gmail.com> wrote:
> Hi,
>
> I'm trying to run puppet through SSH channel using port forwarding (ssh master -R 8140:127.0.0.1:8140 -L 8139:127.0.0.1:8139).

Sorry, it should be ssh to the server with the agent, not the master, of course.

Jaroslav

Patrick

Mar 28, 2011, 5:52:06 PM
to puppet...@googlegroups.com
I don't quite understand what you're doing. As a random guess, could you have a race condition where the tunnel doesn't finish being created before puppet tries to connect?


Thomas Bellman

Mar 29, 2011, 8:08:21 AM
to puppet...@googlegroups.com
Jaroslav Klaus wrote:

Actually, it is not *immediately* terminated, just quickly.
The Puppet master has a very short timeout, 0.1 seconds, set for
performing the TLS handshake. If you don't manage that within
that one tenth of a second, you will be disconnected. And of
course, performing a TLS handshake manually using telnet isn't
something most people can do even if they have hours to do it...

Try instead 'openssl s_client -connect localhost:8140', which
does all the TLS stuff for you.

A guess, but it's nothing more than that, is that you run afoul
of the 0.1 seconds timeout when you connect via an SSH tunnel.


/Bellman

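The mechanism Bellman describes (a fixed handshake window on the master, blown by the extra latency a tunnel adds) can be reproduced offline. The following is an added illustration written for this page, not code from the thread or from Puppet: real TLS is replaced by a constructed plain-text "CLIENT_HELLO"/"SERVER_HELLO" exchange so no certificates are needed, a tiny in-process relay stands in for the ssh -R/-L tunnel, and the 0.1 s window is the value quoted above. Function names, the message strings and the delays are assumptions for the example.

```python
"""Model of a short server-side handshake timeout behind a latency-adding tunnel.

Added example, not from the thread. TLS is replaced by a constructed
plain-text hello so the script runs offline; only the timing is modelled.
"""
import socket
import threading
import time

# Handshake window quoted in the thread for the Puppet master (seconds).
HANDSHAKE_TIMEOUT = 0.1


def serve_once(listener, handshake_timeout, outcome):
    """Stand-in for the master: accept one connection and give the peer
    `handshake_timeout` seconds to send its hello before hanging up."""
    conn, _ = listener.accept()
    conn.settimeout(handshake_timeout)
    try:
        hello = conn.recv(64)  # constructed stand-in for the TLS ClientHello
        if hello.startswith(b"CLIENT_HELLO"):
            conn.sendall(b"SERVER_HELLO\n")
            outcome.append("handshake-complete")
        else:
            outcome.append("bad-hello")
    except socket.timeout:
        outcome.append("handshake-timeout")  # what the agent saw ~98% of the time
    except OSError:
        outcome.append("connection-error")
    finally:
        conn.close()


def relay(listener, target, delay):
    """Stand-in for the SSH tunnel: accept one client, connect to `target`,
    copy bytes both ways and add `delay` seconds of latency client->server."""
    client, _ = listener.accept()
    upstream = socket.create_connection(target)

    def pump(src, dst, pause):
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                time.sleep(pause)
                dst.sendall(data)
        except OSError:
            pass  # peer reset the connection; nothing more to forward
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass

    to_server = threading.Thread(target=pump, args=(client, upstream, delay))
    to_client = threading.Thread(target=pump, args=(upstream, client, 0.0))
    to_server.start()
    to_client.start()
    to_server.join()
    to_client.join()
    client.close()
    upstream.close()


def run_scenario(tunnel_delay, handshake_timeout=HANDSHAKE_TIMEOUT):
    """Run client -> relay -> server once on loopback.
    Returns (server_outcome, text the client got back)."""
    server_ls = socket.socket()
    server_ls.bind(("127.0.0.1", 0))
    server_ls.listen(1)
    relay_ls = socket.socket()
    relay_ls.bind(("127.0.0.1", 0))
    relay_ls.listen(1)

    outcome = []
    server_t = threading.Thread(target=serve_once,
                                args=(server_ls, handshake_timeout, outcome))
    relay_t = threading.Thread(target=relay,
                               args=(relay_ls, server_ls.getsockname(), tunnel_delay))
    server_t.start()
    relay_t.start()

    client = socket.create_connection(relay_ls.getsockname())
    client.settimeout(5.0)
    client.sendall(b"CLIENT_HELLO\n")
    try:
        reply = client.recv(64)  # b"" means the far end hung up on us
    except socket.timeout:
        reply = b""
    client.close()

    server_t.join()
    relay_t.join()
    server_ls.close()
    relay_ls.close()
    return outcome[0], reply.decode()


if __name__ == "__main__":
    print("no added latency:", run_scenario(0.0))
    print("slow tunnel:     ", run_scenario(0.3))
```

With no added latency the hello lands inside the window and the server answers; with 0.3 s of tunnel delay against a 0.1 s window the server closes the socket before the hello arrives and the client reads EOF, which is the shape of the "read server hello" failure above. Against a real master the check is the one Bellman gives: run `openssl s_client -connect localhost:8140 </dev/null` through the tunnel and directly, and compare how long the handshake takes.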
Jaroslav Klaus

Mar 29, 2011, 10:37:52 AM
to puppet...@googlegroups.com

On 29.3.2011, at 14:08, Thomas Bellman wrote:

> A guess, but it's nothing more than that, is that you run afoul
> of the 0.1 seconds timeout when you connect via an SSH tunnel.

Yes. That was the issue. I increased this timeout a bit and it's OK now. Thx.

Jaroslav
