HTTP/2 Framing Layer issue #2137

Open
ax-mlee opened this issue Jul 15, 2024 · 6 comments

ax-mlee commented Jul 15, 2024

Thanks!

Description of Problem:

Hi,

When running something like oscap info --verbose DEVEL --fetch-remote-resources --profiles ssg/scap-security-guide-0.1.69/ssg-rhel7-ds.xml we are getting an error that says:

OpenSCAP Error: Download failed: Stream error in the HTTP/2 framing layer [/builddir/build/BUILD/openscap-1.3.10/src/common/oscap_acquire.c:405]
Could not extract scap_org.open-scap_cref_ssg-rhel7-xccdf.xml with all dependencies from datastream. [/builddir/build/BUILD/openscap-1.3.10/src/DS/ds_sds_session.c:228]

OpenSCAP Version:

1.3.10

Operating System & Version:

Fedora 40 container

Steps to Reproduce:

  1. Run oscap info --verbose DEVEL --fetch-remote-resources --profiles ssg/scap-security-guide-0.1.69/ssg-rhel7-ds.xml
  2. ???
  3. Profit?

Actual Results:

Error with HTTP/2 streaming it appears

Expected Results:

Profile downloaded successfully without errors.

Additional Information / Debugging Steps:

I: oscap: Using environment variables: [oscap(428):oscap(7f3b03c6e500):debug.c:316:oscap_print_env_vars]
I: oscap: OSCAP_CHECK_ENGINE_PLUGIN_DIR='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_CONTAINER_VARS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_EVALUATION_TARGET='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_FULL_VALIDATION='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_OVAL_COMMAND_OPTIONS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PCRE_EXEC_RECURSION_LIMIT='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_ROOT='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: SEXP_VALIDATE_DISABLE='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: SOURCE_DATE_EPOCH='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_MEMORY_USAGE_RATIO='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_MAX_COLLECTED_ITEMS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_IGNORE_PATHS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: Identified document type: data-stream-collection [oscap(428):oscap(7f3b03c6e500):doc_type.c:96:oscap_determine_document_type_reader]
Downloading: https://access.redhat.com/security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2 ... D: oscap: == cURL info: Host access.redhat.com:443 was resolved.
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: IPv6: 2600:1409:9800:1d::17d8:9117, 2600:1409:9800:1d::17d8:9116
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: IPv4: 23.46.17.36, 23.46.17.15
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Trying 23.46.17.36:443...
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Connected to access.redhat.com (23.46.17.36) port 443
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: ALPN: curl offers h2,http/1.1
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  CAfile: /etc/pki/tls/certs/ca-bundle.crt
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  CApath: none
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Server hello (2):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Certificate (11):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Finished (20):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS handshake, Finished (20):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: ALPN: server accepted h2
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Server certificate:
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  subject: C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=access.redhat.com
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  start date: Feb 22 00:00:00 2024 GMT
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  expire date: Feb 21 23:59:59 2025 GMT
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  subjectAltName: host "access.redhat.com" matched cert's "access.redhat.com"
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  SSL certificate verify ok.
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha1WithRSAEncryption
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: using HTTP/2
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] OPENED stream for https://access.redhat.com/security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:method: GET]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:scheme: https]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:authority: access.redhat.com]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:path: /security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [accept: */*]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [te: gzip]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [accept-encoding: deflate, gzip, br]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: => cURL header (out): GET /security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2 HTTP/2
Host: access.redhat.com
Accept: */*
Connection: TE
TE: gzip
Accept-Encoding: deflate, gzip, br

 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: old SSL session ID is stale, removing
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Connection #0 to host access.redhat.com left intact
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
error
OpenSCAP Error: Download failed: Stream error in the HTTP/2 framing layer [/builddir/build/BUILD/openscap-1.3.10/src/common/oscap_acquire.c:405]
Could not extract scap_org.open-scap_cref_ssg-rhel7-xccdf.xml with all dependencies from datastream. [/builddir/build/BUILD/openscap-1.3.10/src/DS/ds_sds_session.c:228]
Contributor

evgenyz commented Jul 17, 2024

> D: oscap: == cURL info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

I see an underlying cURL error in the logs. Does the curl itself work in your environment?
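
The triage done by eye in the comment above, pulling the underlying cURL failure out of the `oscap --verbose DEVEL` output, can be scripted. This is an added example, not code from OpenSCAP or from anyone in this thread; `summarize_fetch` and its field names are hypothetical, and the sample input is abridged from the log posted in the issue.

```python
import re

# Abridged from the verbose log posted in this issue; the "[oscap(428):...]"
# source-location lines are dropped for brevity.
SAMPLE_LOG = """\
Downloading: https://access.redhat.com/security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2 ... D: oscap: == cURL info: Host access.redhat.com:443 was resolved.
D: oscap: == cURL info: ALPN: curl offers h2,http/1.1
D: oscap: == cURL info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
D: oscap: == cURL info: ALPN: server accepted h2
D: oscap: == cURL info:  SSL certificate verify ok.
D: oscap: == cURL info: [HTTP/2] [1] [te: gzip]
D: oscap: == cURL info: [HTTP/2] [1] [accept-encoding: deflate, gzip, br]
D: oscap: == cURL info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
OpenSCAP Error: Download failed: Stream error in the HTTP/2 framing layer [/builddir/build/BUILD/openscap-1.3.10/src/common/oscap_acquire.c:405]
"""

CURL_INFO = re.compile(r"== cURL info:\s*(.*)$")
H2_HEADER = re.compile(r"\[HTTP/2\] \[\d+\] \[(:?[^:\]]+): ([^\]]*)\]")
H2_ERROR = re.compile(r"HTTP/2 stream (\d+) was not closed cleanly: (\w+) \(err (\d+)\)")

def summarize_fetch(log_text):
    """Reduce an oscap --verbose DEVEL download trace to the facts needed for triage."""
    s = {"url": None, "alpn": None, "tls": None, "cert_ok": False,
         "h2_headers": {}, "stream_error": None, "oscap_errors": []}
    for line in log_text.splitlines():
        if line.startswith("Downloading: "):
            s["url"] = line.split()[1]
        elif line.startswith("OpenSCAP Error:"):
            # Drop the trailing "[file.c:line]" source location.
            s["oscap_errors"].append(line.split(" [", 1)[0])
        m = CURL_INFO.search(line)
        if not m:
            continue
        info = m.group(1).strip()
        if info.startswith("ALPN: server accepted "):
            s["alpn"] = info.rsplit(" ", 1)[1]
        elif info.startswith("SSL connection using "):
            s["tls"] = info[len("SSL connection using "):]
        elif info == "SSL certificate verify ok.":
            s["cert_ok"] = True
        elif (h := H2_HEADER.match(info)):
            s["h2_headers"][h.group(1)] = h.group(2)
        elif (e := H2_ERROR.match(info)):
            s["stream_error"] = (int(e.group(1)), e.group(2), int(e.group(3)))
    return s

if __name__ == "__main__":
    for key, value in summarize_fetch(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log in this issue the summary shows the TLS handshake and certificate verification succeeding and `h2` being negotiated, with the failure appearing only once the HTTP/2 stream is open.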

Author

ax-mlee commented Jul 17, 2024

@evgenyz yes, curling manually does work and we verified that step. Apologies, should have included that.

Contributor

evgenyz commented Jul 31, 2024

Can I ask you to retest it again with an updated container? cURL received some updates recently. And if that fails again, can you please add the exact build version of the cURL packages to the report?

Also, why are you trying to evaluate an F40 container against RHEL7 content?

evgenyz self-assigned this Jul 31, 2024

Author

ax-mlee commented Jul 31, 2024

@evgenyz, we are running openscap within an F40 container against other containers/OSes. The RHEL7 just happened to be the one we copied and pasted here as we were testing.

For reference, and if you'd like more context, we were following the guide in this article: https://candrews.integralblue.com/2023/09/scap-security-and-compliance-scanning-of-docker-images-in-github-actions-and-gitlab-ci/#:~:text=The%20GitHub%20Actions%20Code

Author

ax-mlee commented Jul 31, 2024

I'll also run another test here soon and let you know.

Contributor

evgenyz commented Aug 1, 2024

> For reference, and if you'd like more context, we were following the guide in this article: https://candrews.integralblue.com/2023/09/scap-security-and-compliance-scanning-of-docker-images-in-github-actions-and-gitlab-ci/#:~:text=The%20GitHub%20Actions%20Code

My word! Thanks for the link, very educational.
