OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

HTTP/2 Framing Layer issue #2137

Closed ax-mlee closed 1 month ago

ax-mlee commented 3 months ago

Thanks!

Description of Problem:

Hi,

When running something like oscap info --verbose DEVEL --fetch-remote-resources --profiles ssg/scap-security-guide-0.1.69/ssg-rhel7-ds.xml we are getting an error that says:

OpenSCAP Error: Download failed: Stream error in the HTTP/2 framing layer [/builddir/build/BUILD/openscap-1.3.10/src/common/oscap_acquire.c:405]
Could not extract scap_org.open-scap_cref_ssg-rhel7-xccdf.xml with all dependencies from datastream. [/builddir/build/BUILD/openscap-1.3.10/src/DS/ds_sds_session.c:228]

OpenSCAP Version:

1.3.10

Operating System & Version:

Fedora 40 container

Steps to Reproduce:

  1. Run oscap info --verbose DEVEL --fetch-remote-resources --profiles ssg/scap-security-guide-0.1.69/ssg-rhel7-ds.xml
  2. ???
  3. Profit?

Actual Results:

Error with HTTP/2 streaming, it appears.

Expected Results:

Profile downloaded successfully without errors.

Additional Information / Debugging Steps:

I: oscap: Using environment variables: [oscap(428):oscap(7f3b03c6e500):debug.c:316:oscap_print_env_vars]
I: oscap: OSCAP_CHECK_ENGINE_PLUGIN_DIR='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_CONTAINER_VARS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_EVALUATION_TARGET='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_FULL_VALIDATION='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_OVAL_COMMAND_OPTIONS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PCRE_EXEC_RECURSION_LIMIT='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_ROOT='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: SEXP_VALIDATE_DISABLE='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: SOURCE_DATE_EPOCH='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_MEMORY_USAGE_RATIO='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_MAX_COLLECTED_ITEMS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: OSCAP_PROBE_IGNORE_PATHS='' [oscap(428):oscap(7f3b03c6e500):debug.c:319:oscap_print_env_vars]
I: oscap: Identified document type: data-stream-collection [oscap(428):oscap(7f3b03c6e500):doc_type.c:96:oscap_determine_document_type_reader]
Downloading: https://access.redhat.com/security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2 ... D: oscap: == cURL info: Host access.redhat.com:443 was resolved.
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: IPv6: 2600:1409:9800:1d::17d8:9117, 2600:1409:9800:1d::17d8:9116
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: IPv4: 23.46.17.36, 23.46.17.15
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Trying 23.46.17.36:443...
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Connected to access.redhat.com (23.46.17.36) port 443
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: ALPN: curl offers h2,http/1.1
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  CAfile: /etc/pki/tls/certs/ca-bundle.crt
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  CApath: none
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Server hello (2):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Certificate (11):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Finished (20):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (OUT), TLS handshake, Finished (20):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: ALPN: server accepted h2
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Server certificate:
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  subject: C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=access.redhat.com
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  start date: Feb 22 00:00:00 2024 GMT
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  expire date: Feb 21 23:59:59 2025 GMT
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  subjectAltName: host "access.redhat.com" matched cert's "access.redhat.com"
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:  SSL certificate verify ok.
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info:   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha1WithRSAEncryption
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: using HTTP/2
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] OPENED stream for https://access.redhat.com/security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:method: GET]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:scheme: https]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:authority: access.redhat.com]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [:path: /security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [accept: */*]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [te: gzip]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: [HTTP/2] [1] [accept-encoding: deflate, gzip, br]
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: => cURL header (out): GET /security/data/oval/v2/RHEL7/rhel-7.oval.xml.bz2 HTTP/2
Host: access.redhat.com
Accept: */*
Connection: TE
TE: gzip
Accept-Encoding: deflate, gzip, br

 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: old SSL session ID is stale, removing
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
D: oscap: == cURL info: Connection #0 to host access.redhat.com left intact
 [oscap(428):oscap(7f3b03c6e500):oscap_acquire.c:315:_curl_trace]
error
OpenSCAP Error: Download failed: Stream error in the HTTP/2 framing layer [/builddir/build/BUILD/openscap-1.3.10/src/common/oscap_acquire.c:405]
Could not extract scap_org.open-scap_cref_ssg-rhel7-xccdf.xml with all dependencies from datastream. [/builddir/build/BUILD/openscap-1.3.10/src/DS/ds_sds_session.c:228]

evgenyz commented 3 months ago

D: oscap: == cURL info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

I see an underlying cURL error in the logs. Does curl itself work in your environment?

ax-mlee commented 3 months ago

@evgenyz yes, curling manually does work and we verified that step. Apologies, should have included that.

evgenyz commented 3 months ago

Can I ask you to retest it again with an updated container? cURL received some updates recently. And if that fails again, can you please add the exact build version of the cURL packages to the report?

Also, why are you trying to evaluate F40 container against RHEL7 content?
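
One way to carry out the checks the maintainer asks for, as an added example that is not part of this thread or of the openscap project: a POSIX sh script that classifies an oscap --verbose DEVEL log by the cURL lines it contains, plus a probe that fetches the same URL with plain curl over HTTP/1.1 and over HTTP/2, printing the curl build so a framing-layer problem shows up as a difference between the two runs. The sample log is constructed from the lines quoted in the report, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the openscap project: triage an
# `oscap ... --verbose DEVEL` log for the cURL symptoms quoted in this issue.
# The sample log below is constructed from the lines the reporter posted.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
D: oscap: == cURL info: ALPN: curl offers h2,http/1.1
D: oscap: == cURL info: ALPN: server accepted h2
D: oscap: == cURL info: SSL certificate verify ok.
D: oscap: == cURL info: HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
OpenSCAP Error: Download failed: Stream error in the HTTP/2 framing layer
EOF

# oscap_fetch_triage LOGFILE
# Prints a one-word verdict on where the --fetch-remote-resources download
# broke: tls-failure, h2-stream-error, h1-or-other, or ok.
oscap_fetch_triage() {
    log=$1
    if ! grep -q 'SSL certificate verify ok' "$log"; then
        echo tls-failure        # handshake never completed or cert rejected
    elif grep -q 'ALPN: server accepted h2' "$log" &&
         grep -q 'HTTP/2 stream [0-9]* was not closed cleanly' "$log"; then
        echo h2-stream-error    # h2 negotiated, then the stream died
    elif grep -q 'Download failed' "$log"; then
        echo h1-or-other        # failed, but not in the HTTP/2 framing layer
    else
        echo ok
    fi
}

# curl_probe URL
# The maintainer's two questions: does plain curl work, and which build is it?
# Fetches the same resource over HTTP/1.1 and HTTP/2 so an HTTP/2-specific
# failure appears as a difference between the runs. Needs network; not run here.
curl_probe() {
    url=$1
    curl --version | head -n 1
    for ver in --http1.1 --http2; do
        printf '%s: ' "$ver"
        curl -sS "$ver" -o /dev/null -w '%{http_version} %{http_code}\n' "$url" || echo "curl exit $?"
    done
}

oscap_fetch_triage "$SAMPLE_LOG"   # prints: h2-stream-error
```

To probe the URL from the report, call curl_probe with the rhel-7.oval.xml.bz2 URL from the log; if only the --http2 run fails, the problem sits in the HTTP/2 path rather than in TLS or name resolution.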

ax-mlee commented 3 months ago

@evgenyz, we are running openscap within an F40 container against other containers/OSes. The RHEL7 just happened to be the one we copied and pasted here as we were testing.

For reference, and if you'd like more context, we were following the guide in this article: https://candrews.integralblue.com/2023/09/scap-security-and-compliance-scanning-of-docker-images-in-github-actions-and-gitlab-ci/#:~:text=The%20GitHub%20Actions%20Code

ax-mlee commented 3 months ago

I'll also run another test here soon and let you know.

evgenyz commented 2 months ago

For reference, and if you'd like more context, we were following the guide in this article: https://candrews.integralblue.com/2023/09/scap-security-and-compliance-scanning-of-docker-images-in-github-actions-and-gitlab-ci/#:~:text=The%20GitHub%20Actions%20Code

My word! Thanks for the link, very educational.