curl: option --proto: is unknown on CentOS 6 #1794

Closed
victorjulien opened this issue Apr 23, 2019 · 11 comments

4 participants

@victorjulien commented Apr 23, 2019

Problem
curl error when using: curl https://sh.rustup.rs -sSf | sh -s -- -y

docker run -it centos:6 /bin/bash
[root@081cc8b7180c /]# curl
curl: try 'curl --help' or 'curl --manual' for more information
[root@081cc8b7180c /]# curl https://sh.rustup.rs -sSf | sh -s -- -y
info: downloading installer
curl: option --proto: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
rustup: command failed: downloader https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init /tmp/tmp.fBaoqs014w/rustup-init

Expected (this worked until 4 days ago):

curl https://sh.rustup.rs -sSf | sh -s -- -y
info: downloading installer
info: syncing channel updates for 'stable-x86_64-unknown-linux-gnu'
info: latest update on 2019-04-11, rust version 1.34.0 (91856ed52 2019-04-10)
info: downloading component 'rustc'
info: downloading component 'rust-std'
info: downloading component 'cargo'
info: downloading component 'rust-docs'
info: installing component 'rustc'
info: installing component 'rust-std'
info: installing component 'cargo'
info: installing component 'rust-docs'
info: default toolchain set to 'stable'

  stable installed - rustc 1.34.0 (91856ed52 2019-04-10)


Rust is installed now. Great!

To get started you need Cargo's bin directory ($HOME/.cargo/bin) in your PATH 
environment variable. Next time you log in this will be done automatically.

To configure your current shell run source $HOME/.cargo/env

Steps

  1. docker run -it centos:6 /bin/bash
  2. curl https://sh.rustup.rs -sSf | sh -s -- -y

Possible Solution(s)
N/A

Notes

Output of rustup --version: N/A
Output of rustup show: N/A

victorjulien added the bug label Apr 23, 2019

@kinnison (Collaborator) commented Apr 23, 2019

This is a side-effect of our change to rustup-init.sh to force newer TLS versions always.

The --proto option is nine years old and was part of 7.21.0 released June 16th 2010.

I suggest that you come up with a way to update the version of curl available in your docker because to undo the change we made would be to weaken a commitment to stronger security around the installation of rustup.

If you really can't update curl, then perhaps we can come up with a way to force the use of wget on centos (assuming centos's wget supports --https-only and --secure-protocol=TLSv1_2)

@lzutao (Contributor) commented Apr 23, 2019

Simpler solution is to download and run this file if you're on an x86-64 Linux machine:
https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init

@victorjulien (Author) commented Apr 23, 2019

Ok that is unfortunate. Does this mean CentOS 6 is not a supported target for rustup? At https://github.com/OISF/suricata we just made our Rust support mandatory and one of the reasons was that for CentOS 6 it could be installed (& then kept up to date) using very simple instructions.

@lzutao (Contributor) commented Apr 23, 2019

No, Rustup should run well on CentOS 5+. The problem is in the rustup-init.sh script.
Can you point out which part in your project use rustup.rs so we can help?

@victorjulien (Author) commented Apr 23, 2019

I don't use it other than as part of my QA/CI infra, but we want to give users a simple instruction of how to upgrade our program from 4 (optional rust) to 5 (mandatory rust). Since quite a few of our users are still on CentOS 6, having a simple instruction like rustup normally provides would work best.

We could tell them to pull down the rustup-init for their arch manually (I confirmed it works), or have them install a more recent curl. But I was under the impression rustup was actually trying to solve these issues for us :)

@kinnison (Collaborator) commented Apr 23, 2019

We are trying to make it easy and safe to get Rust. In order to reduce the chance of TLS downgrade attacks, we introduced this flag to our use of curl (and similarly for wget) and we ensured our configuration of TLS inside rustup was similarly secured. I certainly don't want to make it impossible for your users, so we need to come up with a halfway house.

@lzutao suggested on our discord channel that we have some kind of flag to allow you to say to rustup-init.sh that you accept the risks of not requiring TLS 1.2. Would you prefer that to be a commandline argument, or an environment variable?

As a work-around, if you're able to install a curl proxy into the user's path, you could swallow the unrecognised arguments before passing it on to curl-proper.

@victorjulien (Author) commented Apr 23, 2019

I could see 2 paths (w/o reverting the new behaviour):

  1. some kind of version and/or functionality check on curl/wget. What to do in case of too old versions is the next problem then of course. You could warn and continue, or you could fail and explain.
  2. add some kind of 'legacy' commandline option that allows for these kinds of older versions. I guess this could even be combined with (1) to only leave out the strict options if the tools really don't support them.

I'm wondering though, how much protection does this option really give? I mean it seems everything that is done is under the Rust project's control, so I guess I'm not really seeing the attack vector. But maybe I've missed an analysis on the issue somewhere.

@kinnison (Collaborator) commented Apr 23, 2019

I think that a check/downgrade-if-option-set is the only approach which is going to maintain the benefit while not causing users of older operating systems too much pain. Regarding the protections - downgrade attacks (which I'd tend to assume would be in the infra between the user's computer and rust-lang's servers) open the way to potentially introducing bad code into the compiler which is installed. Right now this is (to my mind) fairly unlikely, but it is a vector we'd prefer to protect ourselves against, no matter how unlikely we imagine it might be.

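As an added illustration of the two approaches discussed in this thread (kinnison's suggested work-around of a curl wrapper that swallows the unrecognised arguments, and the check-then-downgrade-only-if-opted-in design agreed in the comments above), here is example shell code. It is not rustup-init.sh and not code posted by anyone in this issue. It assumes that curl lists its options in `curl --help` output; the function names, the abridged sample help text and the `RUSTUP_ALLOW_INSECURE_TLS` opt-in variable are all invented for the example.

```sh
#!/bin/sh
# Added example, not rustup's rustup-init.sh: (1) probe `curl --help` for the
# flags rustup-init.sh wants (--proto, --tlsv1.2) and only downgrade when the
# user opts in, and (2) kinnison's suggested work-around, a wrapper that strips
# those flags before handing the call to an old curl. Function names, the
# sample help text and RUSTUP_ALLOW_INSECURE_TLS are invented for this example.

# help_advertises HELP_TEXT OPTION: true if OPTION appears as an option at the
# start of a help line. Anchoring avoids mistaking --proto-redir for --proto,
# or --tlsv1 for --tlsv1.2.
help_advertises() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q -E -- "^[[:space:]]*(-[A-Za-z0-9][,/] ?)?${pat}([[:space:]]|\$)"
}

# curl_download_flags HELP_TEXT ALLOW_INSECURE: print the flags to use.
# Returns 0 when the strict flags were chosen, 1 when it fell back with a
# warning, 2 when curl is too old and the caller must abort.
curl_download_flags() {
    help_text=$1
    allow_insecure=${2:-0}
    if help_advertises "$help_text" --proto && help_advertises "$help_text" --tlsv1.2; then
        # --proto =https: https only, redirects included; --tlsv1.2: refuse older TLS.
        printf '%s' "--proto =https --tlsv1.2 -sSf"
        return 0
    fi
    if [ "$allow_insecure" = 1 ]; then
        echo "warning: this curl lacks --proto/--tlsv1.2; downloading without TLS 1.2 enforcement" >&2
        printf '%s' "-sSf"
        return 1
    fi
    echo "error: curl is too old for --proto/--tlsv1.2; set RUSTUP_ALLOW_INSECURE_TLS=1 to accept the downgrade" >&2
    return 2
}

# filter_curl_args ARGS...: drop --proto/--proto-redir/--proto-default (with
# their values) and --tlsv1.2, and print what remains, one argument per line.
# A wrapper script placed ahead of the system curl in PATH would rebuild "$@"
# the same way and then `exec /usr/bin/curl "$@"`.
filter_curl_args() {
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift; n=$((n - 1))
        case "$arg" in
            --proto|--proto-redir|--proto-default)
                # a separate value argument follows: drop it too
                if [ "$n" -gt 0 ]; then shift; n=$((n - 1)); fi
                continue ;;
            --proto=*|--proto-redir=*|--proto-default=*|--tlsv1.2)
                continue ;;
        esac
        set -- "$@" "$arg"   # rotate a kept argument to the back of the list
    done
    printf '%s\n' "$@"
}

# Constructed, abridged help output standing in for `curl --help` on a recent
# curl and on an old one; neither is captured from a real binary. The old
# sample deliberately lists --proto-redir but not --proto to exercise anchoring.
SAMPLE_NEW_HELP='     --proto <protocols> Enable/disable PROTOCOLS
     --proto-redir <protocols> Enable/disable PROTOCOLS on redirect
 -1, --tlsv1         Use TLSv1.0 or greater
     --tlsv1.2       Use TLSv1.2 or greater'
SAMPLE_OLD_HELP='     --proto-redir PROTOCOLS  Enable/disable specified protocols on redirect
 -1/--tlsv1         Use TLSv1 (SSL)'

# Stand-alone demo; run with RUSTUP_ALLOW_INSECURE_TLS=1 to see the fallback path.
for sample in "$SAMPLE_NEW_HELP" "$SAMPLE_OLD_HELP"; do
    rc=0
    flags=$(curl_download_flags "$sample" "${RUSTUP_ALLOW_INSECURE_TLS:-0}") || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "download aborted"
    else
        echo "would run: curl $flags <url> -o rustup-init   (status $rc)"
    fi
done
echo "wrapper passes through:"
filter_curl_args --proto '=https' --tlsv1.2 -sSf https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init -o /tmp/rustup-init
```

The probe deliberately keys off the option being present in `--help` rather than off a version number, so a distribution-patched curl that backports the flags is still treated as capable. The wrapper path keeps the download working on CentOS 6 but gives up the TLS 1.2 and https-only enforcement, which is exactly the downgrade the warning in the first path makes visible.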
@Eric-Arellano commented Apr 23, 2019

This is hitting us with our CI in https://github.com/pantsbuild/pants too, as we use Centos6 to build our native wheels for max compatibility.

> I think that a check/downgrade-if-option-set is the only approach which is going to maintain the benefit while not causing users of older operating systems too much pain.

I think this is a good solution. Perhaps log a warning that you have to make this downgrade.

Thanks for your help here!

cosmicexplorer added a commit to pantsbuild/pants that referenced this issue Apr 24, 2019

download rustup-init without --proto to work around outdated centos6 curl version (#7615)

### Problem

Our CI is broken right now, failing to build `pants.pex` in our Linux shards running CentOS6, e.g. https://travis-ci.org/pantsbuild/pants/jobs/523606246. This appears to be an instance of an upstream rustup development, noted by @Eric-Arellano in rust-lang/rustup.rs#1794 (comment). While there may be a solution which maintains the security that the rustup folks desire, this diff should work around the issue for now.

### Solution

- Download the backup script as per rust-lang/rustup.rs#1794 (comment) if the original request fails.

### Result

CI should pass!

@lzutao (Contributor) commented Apr 24, 2019

Looks like Rust in macOS 10.12 is broken with image xcode9.2 (on Travis). 😭
But we have temporary workaround.

kinnison added a commit to kinnison/rustup.rs that referenced this issue Apr 24, 2019

rustup-init.sh: Fall back to less secure download
If we're using OS X less than 10.13 or any platform where
curl or wget fail to advertise the required command line arguments
then fall back to not passing the flags to force TLSv1.2

This should fix rust-lang#1794

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>

@victorjulien (Author) commented Apr 24, 2019

Is this travis-ci error related as well?

info: downloading installer
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect
rustup: command failed: downloader https://static.rust-lang.org/rustup/dist/x86_64-apple-darwin/rustup-init /var/folders/bb/n7t3rs157850byt_jfdcq9k80000gn/T/tmp.yZX1SGRn/rustup-init
/Users/travis/.travis/functions: line 108: rustc: command not found

https://travis-ci.org/OISF/suricata/jobs/523642627

I believe it's using xcode 8.3
