From: Greg Wilson-Lindberg
To: Mark Hatle, Andre McCurdy
Cc: yocto@yoctoproject.org
Subject: Re: Working behind a Palo Alto firewall/proxy
Date: Thu, 7 Sep 2017 16:47:33 +0000

Hi Mark,


Unfortunately, in this case the certificate has already been added to the system, necessary to get https working.


Greg


From: Mark Hatle <mark.hatle@windriver.com>
Sent: Thursday, September 7, 2017 9:31:02 AM
To: Greg Wilson-Lindberg; Andre McCurdy
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] Working behind a Palo Alto firewall/proxy
 
I've had a customer with a similar problem. The way they resolved it was to
download the certification from their proxy and add it to their system as a
known certificate.

Sorry I don't have any more details than that, but maybe that can spark someone
who knows the actual steps to be able to comment.

--Mark

On 9/7/17 11:28 AM, Greg Wilson-Lindberg wrote:
> Hi Andre,
>
>
> Here is the complete error output:
>
> ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Fetcher
> failure: Fetch command export
> DBUS_SESSION_BUS_ADDRESS="unix:abstract=/tmp/dbus-9ReQWXYEk1"; export
> SSH_AUTH_SOCK="/run/user/1000/keyring-4PGABB/ssh"; export
> PATH="/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots-uninative/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/scripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin/arm-poky-linux-gnueabi:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/raspberrypi3/usr/bin/crossscripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/sbin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/sbin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/scripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/bitbake/bin:/home/gwilson/TEE:/home/gwilson/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/microchip/xc32/v1.34/bin:/home/gwilson/RPi3/tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin";
> export HOME="/home/gwilson"; LANG=C git -c core.fsyncobjectfiles=0 clone --bare
> --mirror http://codereview.qt-project.org/qt/qtdeviceutilities
> /home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/../downloads/git2/codereview.qt-project.org.qt.qtdeviceutilities
> --progress failed with exit code 128, output:
> Cloning into bare repository
> '/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/../downloads/git2/codereview.qt-project.org.qt.qtdeviceutilities'...
> fatal: unable to access
> 'https://codereview.qt-project.org/qt/qtdeviceutilities/': server certificate
> verification failed. CAfile:
> /usr/share/ca-certificates/cert_Decryption-Certificate.pem CRLfile: none
>
> ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Fetcher
> failure for URL:
> 'git://codereview.qt-project.org/qt/qtdeviceutilities;nobranch=1;protocol=http'.
> Unable to fetch URL from any source.
> ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Function
> failed: base_do_fetch
> ERROR: Logfile of failure stored in:
> /home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/work/cortexa7hf-neon-vfpv4-poky-linux-gnueabi/qtdeviceutilities/5.9.1+gitAUTOINC+48fb704e64-r0/temp/log.do_fetch.8128
> ERROR: Task
> (/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/meta-boot2qt/recipes-qt/qt5/qtdeviceutilities.bb:do_fetch)
> failed with exit code '1'
>
> So it looks like:
>
> qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch
>
> is what's running.
>
>
>
> --------------------------------------------------------------------------------
> *From:* Andre McCurdy <armccurdy@gmail.com>
> *Sent:* Wednesday, September 6, 2017 6:34:07 PM
> *To:* Greg Wilson-Lindberg
> *Cc:* yocto@yoctoproject.org
> *Subject:* Re: [yocto] Working behind a Palo Alto firewall/proxy
>  
> On Wed, Sep 6, 2017 at 2:42 PM, Greg Wilson-Lindberg
> <GWilson@sakuraus.com> wrote:
>> Hi List,
>>
>> Does anybody have any experience trying to run Yocto behind a Palo Alto
>> firewall. The Palo Alto firewall basically works as a Man in the Middle
>> system, it hands out its own certificate to boxes behind it and then
>> decrypts and re-encrypts traffic going through it. The Palo Alto box is
>> supposed to act as a transparent Proxy.
>>
>> I'm getting an error that the 'server certificate verification failed' about
>> an hour into a yocto build. The certificate that the Palo Alto box is
>> sending to my system is self-signed so will fail if checked for a valid root
>> CA, and also is not from whatever site is being downloaded from.
>
> Which site is being downloaded from and at which point in the build
> (ie which recipe and task) ?
>
>
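
One way to narrow down a failure like the one in the log above, as an added example that is not part of the thread: check whether a presented server certificate chains to the file git names after `CAfile:`. All certificates are constructed throwaways generated locally with the `openssl` CLI; the function names and the "passthrough" case (a connection the proxy does not re-sign) are assumptions for illustration, not something the thread establishes.

```shell
#!/bin/sh
# Added example: constructed, throwaway certificates only; nothing here
# touches the network or the system trust store.
set -eu

# make_ca NAME CN: self-signed CA certificate NAME.pem with key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# make_leaf NAME CA HOST: server certificate for HOST issued by CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# chains_to CAFILE CERT: prints "ok" if CERT verifies with CAFILE as -CAfile
chains_to() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Runs in a subshell so the temp dir and cd do not leak to the caller.
trust_matrix() (
    dir=$(mktemp -d) && cd "$dir"
    make_ca proxy  "Constructed Decryption CA"   # stands in for the proxy's CA
    make_ca public "Constructed Public Root"     # stands in for a public root
    host=codereview.qt-project.org
    make_leaf resigned    proxy  "$host"   # what an intercepting proxy presents
    make_leaf passthrough public "$host"   # assumed: a connection not re-signed
    cat public.pem proxy.pem > bundle.pem  # proxy CA appended to the normal roots

    echo "proxy-only/resigned=$(chains_to proxy.pem resigned.pem)"
    echo "proxy-only/passthrough=$(chains_to proxy.pem passthrough.pem)"
    echo "bundle/resigned=$(chains_to bundle.pem resigned.pem)"
    echo "bundle/passthrough=$(chains_to bundle.pem passthrough.pem)"
    cd / && rm -rf "$dir"
)

trust_matrix
```

On a real failure, `chains_to` can be given the path git printed after `CAfile:` and the certificate the server presents, as shown by `openssl s_client -connect HOST:443 -showcerts`.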