After re-testing with current 'testing' packages I can still reproduce bug #755554.
dpkg -l '*gnutls*' | grep ii ; dpkg -l '*curl*' | grep ii
ii  libgnutls-deb0-28:amd64    3.2.16-1    amd64  GNU TLS library - main runtime library
ii  libgnutls-openssl27:amd64  3.2.16-1    amd64  GNU TLS library - OpenSSL wrapper
ii  libgnutls26:amd64          2.12.23-17  amd64  GNU TLS library - runtime library
ii  libgnutls28-dev:amd64      3.2.16-1    amd64  GNU TLS library - development files
ii  libgnutlsxx28:amd64        3.2.16-1    amd64  GNU TLS library - C++ runtime library
ii  libcurl3:amd64             7.37.1-1    amd64  easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libcurl3-gnutls:amd64      7.37.1-1    amd64  easy-to-use client-side URL transfer library (GnuTLS flavour)
ii  libcurl4-gnutls-dev:amd64  7.37.1-1    amd64  development files and documentation for libcurl (GnuTLS flavour)
ii  python-pycurl              7.19.3.1-1  amd64  Python bindings to libcurl (Python 3)

Bug reproducible as before.

If insisting on gnutls26, it needs to be rebuilt with a lib/ext_signature.c matching the present upstream logic. As I am not familiar with gnutls I am unsure if this code causes it to only validate SHA1 / SHA256 signatures, or if other signatures implicitly fail. Basic initial research ( http://en.wikipedia.org/wiki/Transport_Layer_Security ) appears to indicate that (apart from MD5, too insecure to continue using) SHA1 and SHA256 are the only presently valid TLS hash / signature algorithms that are applicable.

https://gitorious.org/gnutls/gnutls/source/555766063e08fc675b88e06560f79456c4ba4f24:lib/ext_signature.c

--- orig/lib/ext_signature.c.orig 2012-01-06 11:06:23.000000000 -0800
+++ fix/lib/ext_signature.c 2014-07-30 11:53:23.271425378 -0700
@@ -150,13 +150,12 @@ _gnutls_debug_log ("EXT[SIGA]: rcvd signature algo (%d.%d) %s\n", aid.hash_algorithm, aid.sign_algorithm, gnutls_sign_get_name(sig)); + hash = _gnutls_sign_get_hash_algorithm(sig); + if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA256) + continue; if (sig != GNUTLS_SIGN_UNKNOWN) { - hash = _gnutls_sign_get_hash_algorithm(sig); - if (hash != GNUTLS_DIG_SHA1 && hash != GNUTLS_DIG_SHA256) - continue; - priv->sign_algorithms[priv->sign_algorithms_size++] = sig; if (priv->sign_algorithms_size == MAX_SIGNATURE_ALGORITHMS) break;

Then curl (libcurl) needs to be recompiled with that. Finally python-pycurl needs to be recompiled with that.

This may indicate that #515200 should be re-tested and closed as no longer necessary.

After applying the above gnutls26 patch, then recompiling gnutls, curl, and pycurl, I must then install the following patched packages:

dpkg -i \
  libgnutls-dev_2.12.23-17_amd64.deb \
  libgnutls26_2.12.23-17_amd64.deb \
  libgnutlsxx27_2.12.23-17_amd64.deb \
  libcurl3_7.37.1-1_amd64.deb \
  libcurl3-gnutls_7.37.1-1_amd64.deb \
  libcurl4-gnutls-dev_7.37.1-1_amd64.deb \
  python-pycurl_7.19.3.1-1_amd64.deb

However the problem still persists when pycurl is built against gnutls.

Adding --debug to /etc/default/ganeti for all daemons, I've also collected the following error messages. NODE1 is the IP of the node that should be the master. NODE2 is the IP of the node that should be a normal node.
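Review bot: the hoisted check in the ext_signature.c hunk above still does `continue` for every hash other than GNUTLS_DIG_SHA1 and GNUTLS_DIG_SHA256, so the set of algorithms written to priv->sign_algorithms is exactly what the original code produced; the only behavioural difference is that _gnutls_sign_get_hash_algorithm(sig) is now also called when sig == GNUTLS_SIGN_UNKNOWN. If the intent is to stop the peer's other advertised signature algorithms from being dropped, the condition itself has to be widened rather than moved, which is consistent with the handshake still failing after the rebuild described below the hunk.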
/var/log/ganeti/node-daemon.log -- on NODE2

2014-07-31 14:29:40,908: ganeti-noded pid=14668 mlock:77 DEBUG Memory lock set
2014-07-31 14:29:40,908: ganeti-noded pid=14668 server:405 DEBUG Connection from NODE1:35896
2014-07-31 14:29:40,910: ganeti-noded pid=14668 server:434 DEBUG Disconnected NODE1:35896
2014-07-31 14:29:40,910: ganeti-noded pid=14668 server:588 ERROR Error while handling request from NODE1:35896
Traceback (most recent call last):
  File "/usr/share/ganeti/2.11/ganeti/http/server.py", line 585, in _IncomingConnection
    self.request_executor(self, self.handler, connection, client_addr)
  File "/usr/share/ganeti/2.11/ganeti/server/noded.py", line 149, in __init__
    http.server.HttpServerRequestExecutor.__init__(self, *args, **kwargs)
  File "/usr/share/ganeti/2.11/ganeti/http/server.py", line 413, in __init__
    http.Handshake(sock, self.WRITE_TIMEOUT)
  File "/usr/share/ganeti/2.11/ganeti/http/__init__.py", line 530, in Handshake
    raise HttpError("Error in SSL handshake: %s" % err)
HttpError: Error in SSL handshake: ([('SSL routines', 'SSL3_GET_CLIENT_CERTIFICATE', 'peer did not return a certificate')],)

/var/log/ganeti/watcher.log -- on NODE1

2014-07-31 14:30:02,472: ganeti-watcher pid=2794 WARNING Master daemon seems to be down (/var/run/ganeti/socket/ganeti-master), trying to restart
2014-07-31 14:30:02,473: ganeti-watcher pid=2794 INFO RunCmd /usr/lib/ganeti/daemon-util check-and-start ganeti-masterd
2014-07-31 14:31:02,857: ganeti-watcher pid=2794 ERROR Can't start daemon 'ganeti-masterd', failure exited with exit code 1, output:
ERROR:root:RPC error in master_node_name on node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
WARNING:root:Error contacting node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
ERROR:root:RPC error in master_node_name on node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
WARNING:root:Error contacting node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
ERROR:root:RPC error in master_node_name on node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
WARNING:root:Error contacting node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
ERROR:root:RPC error in master_node_name on node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
WARNING:root:Error contacting node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
ERROR:root:RPC error in master_node_name on node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
WARNING:root:Error contacting node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
ERROR:root:RPC error in master_node_name on node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
WARNING:root:Error contacting node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
CRITICAL:root:Cluster inconsistent, most of the nodes didn't answer after multiple retries. Aborting startup
CRITICAL:root:Use the --no-voting option if you understand what effects it has on the cluster state
2014-07-31 14:31:02,858: ganeti-watcher pid=2794 ERROR Can't start the master daemon
Traceback (most recent call last):
  File "/usr/share/ganeti/2.11/ganeti/watcher/__init__.py", line 851, in Main
    return fn(options)
  File "/usr/share/ganeti/2.11/ganeti/rapi/client.py", line 254, in wrapper
    return fn(*args, **kwargs)
  File "/usr/share/ganeti/2.11/ganeti/watcher/__init__.py", line 650, in _GlobalWatcher
    client = GetLuxiClient(True)
  File "/usr/share/ganeti/2.11/ganeti/watcher/__init__.py", line 569, in GetLuxiClient
    raise errors.GenericError("Can't start the master daemon")
GenericError: Can't start the master daemon
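As an added triage example (not part of this bug report, nor Ganeti's own code), a small Python script that pulls the two handshake-failure signatures out of ganeti-noded and ganeti-watcher log lines like those above and attributes each to the peer node; the sample log text is constructed from the lines quoted in the report, and the log-line layout it assumes is the one seen there.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ganeti-noded and ganeti-watcher lines quoted above.
SAMPLE_LOG = """\
2014-07-31 14:29:40,908: ganeti-noded pid=14668 server:405 DEBUG Connection from NODE1:35896
2014-07-31 14:29:40,910: ganeti-noded pid=14668 server:434 DEBUG Disconnected NODE1:35896
2014-07-31 14:29:40,910: ganeti-noded pid=14668 server:588 ERROR Error while handling request from NODE1:35896
HttpError: Error in SSL handshake: ([('SSL routines', 'SSL3_GET_CLIENT_CERTIFICATE', 'peer did not return a certificate')],)
2014-07-31 14:30:02,472: ganeti-watcher pid=2794 WARNING Master daemon seems to be down (/var/run/ganeti/socket/ganeti-master), trying to restart
WARNING:root:Error contacting node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
ERROR:root:RPC error in master_node_name on node node2.local: Error 35: gnutls_handshake() failed: Handshake failed
"""

# Structured ganeti log line; the "module:line" field is present for noded, absent for watcher.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}): (?P<daemon>\S+) pid=(?P<pid>\d+) "
    r"(?:(?P<where>\S+:\d+) )?(?P<level>[A-Z]+) (?P<msg>.*)$"
)
# The two sides of the same failed handshake: what the accepting side (noded, OpenSSL)
# logs and what the connecting side (masterd via pycurl/gnutls) logs.
SIGNATURES = {
    "server_no_client_cert": re.compile(r"peer did not return a certificate"),
    "client_handshake_failed": re.compile(r"gnutls_handshake\(\) failed"),
}
REQ_FROM_RE = re.compile(r"request from (?P<peer>[^:\s]+)")  # noded: remote address of the request
NODE_RE = re.compile(r"node (?P<peer>[\w.\-]+):")            # masterd output: "... node node2.local: ..."

def parse_line(line):
    """Split a structured ganeti log line into its fields; None for traceback/continuation lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def handshake_failures(log_text):
    """Count handshake failures as (signature, peer) pairs. Traceback lines carry no peer,
    so the peer of the preceding structured 'request from X' line is carried forward."""
    hits = Counter()
    current_peer = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:  # structured line: reset the carried-forward peer
            m = REQ_FROM_RE.search(rec["msg"])
            current_peer = m.group("peer") if m else None
        for name, pat in SIGNATURES.items():
            if pat.search(line):
                pm = NODE_RE.search(line)
                peer = pm.group("peer") if pm else (current_peer or "unknown")
                hits[(name, peer)] += 1
    return hits
```

Running `handshake_failures(SAMPLE_LOG)` on the sample attributes the noded-side error to NODE1 and the two masterd-side errors to node2.local, which is the pairing the report's two logs show.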