gcloud compute command fails after running gcloud update

[GoogleCodeExporter]

What steps will reproduce the problem?
Trying to connect to one of my servers - gcloud compute --project 
"skywatch-app" ssh --zone "us-central1-f" "adcp-master"

What is the expected output? What do you see instead?
Expecting to get a command line session of the server running in my Terminal 
window.  Instead I get this:

ERROR: gcloud crashed (SSLHandshakeError): [Errno 1] _ssl.c:504: 
error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on 
curve

Please provide any additional information below.

Traceback (most recent call last):
  File "googlecloudsdk/calliope/cli.py", line 609, in Execute
    result = args.cmd_func(cli=self, args=args)
  File "googlecloudsdk/calliope/backend.py", line 1218, in Run
    last_group = context_filter(tool_context, Http, args)
  File "googlecloudsdk/calliope/backend.py", line 580, in ContextFilter
    group.Filter(context, args)
  File "googlecloudsdk/surface/compute/__init__.py", line 53, in Filter
    _DoFilter(context, self.Http(), 'v1', args)
  File "googlecloudsdk/calliope/base.py", line 283, in Http
    return self._http_func(auth=auth, creds=creds, **kwargs)
  File "googlecloudsdk/calliope/backend.py", line 1213, in Http
    **kwargs)
  File "googlecloudsdk/core/cli.py", line 127, in Http
    creds = c_store.Load()
  File "googlecloudsdk/core/credentials/store.py", line 249, in Load
    Refresh(cred)
  File "googlecloudsdk/core/credentials/store.py", line 267, in Refresh
    creds.refresh(http or _Http())
  File "oauth2client/client.py", line 597, in refresh
    self._refresh(http.request)
  File "oauth2client/client.py", line 780, in _refresh
    self._do_refresh_request(http_request)
  File "oauth2client/client.py", line 799, in _do_refresh_request
    self.token_uri, method='POST', body=body, headers=headers)
  File "httplib2/__init__.py", line 1608, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
[output truncated]

================================================================================
============ TRUNCATED INFORMATION (PLEASE CONSIDER INCLUDING) 
================================================================================
=============
File "httplib2/__init__.py", line 1350, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "httplib2/__init__.py", line 1272, in _conn_request
    conn.connect()
  File "httplib2/__init__.py", line 1059, in connect
    raise SSLHandshakeError(e)
SSLHandshakeError: [Errno 1] _ssl.c:504: error:1006706B:elliptic curve 
routines:ec_GFp_simple_oct2point:point is not on curve

Installation information:

Google Cloud SDK [0.9.88]

Platform: [Mac OS X, x86_64]
Python Version: [2.7.3 (default, Nov  9 2014, 15:23:15)  [GCC 4.2.1 Compatible 
Apple LLVM 6.0 (clang-600.0.54)]]
Python Location: 
[/opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.ap
p/Contents/MacOS/Python]
Site Packages: [Disabled]

Installation Root: [/Users/rolands/google-cloud-sdk]
Installed Components:
  core: [2015.11.24]
  core-nix: [2015.11.24]
  gcloud: []
  gsutil-nix: [4.15]
  gsutil: [4.15]
  bq: [2.0.18]
  bq-nix: [2.0.18]
System PATH: 
[/Users/rolands/.gvm/vertx/current/bin:/Users/rolands/.gvm/springboot/current/bi
n:/Users/rolands/.gvm/lazybones/current/bin:/Users/rolands/.gvm/jbake/current/bi
n:/Users/rolands/.gvm/groovyserv/current/bin:/Users/rolands/.gvm/groovy/current/
bin:/Users/rolands/.gvm/griffon/current/bin:/Users/rolands/.gvm/grails/current/b
in:/Users/rolands/.gvm/gradle/current/bin:/Users/rolands/.gvm/glide/current/bin:
/Users/rolands/.gvm/gaiden/current/bin:/Users/rolands/.gvm/crash/current/bin:/Us
ers/rolands/.gvm/asciidoctorj/current/bin:/Users/rolands/google-cloud-sdk/bin:/U
sers/rolands/google-cloud-sdk/bin:/Users/rolands/.gvm/grails/1.3.7/bin:/usr/loca
l/apache-maven/apache-maven-3.2.5/bin:/usr/local/ant/apache-ant-1.9.3/bin:/opt/l
ocal/bin:/opt/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/b
in:/usr/local/git/bin]
Cloud SDK on PATH: [True]

Installation Properties: [/Users/rolands/google-cloud-sdk/properties]
User Config Directory: [/Users/rolands/.config/gcloud]
User Properties: [/Users/rolands/.config/gcloud/properties]
Current Workspace: [None]
Workspace Config Directory: [None]
Workspace Properties: [None]

Account: [roland@skywatch.co]
Project: [skywatch-app]

Current Properties:
  [core]
    project: [skywatch-app]
    account: [roland@skywatch.co]
    disable_usage_reporting: [True]
  [app]
    use_appengine_api: [True]

Logs Directory: [/Users/rolands/.config/gcloud/logs]
Last Log File: 
[/Users/rolands/.config/gcloud/logs/2015.11.25/22.13.42.041114.log]
================================================================================
========== END TRUNCATED INFORMATION (PLEASE CONSIDER INCLUDING) 
================================================================================
===========

Original issue reported on code.google.com by rol...@skywatch.co on 26 Nov 2015 at 3:20

[GoogleCodeExporter]

I have discovered a work-around - I can call ssh directly and access the server 
with the following command:

ssh -i  ~/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o 
CheckHostIP=no -o StrictHostKeyChecking=no rolands@130.211.127.13

Something in the gcloud update did something to bugger up my SDK. 

Original comment by rol...@skywatch.co on 26 Nov 2015 at 5:47

[GoogleCodeExporter]

Thanks for reporting the issue.
Indeed you can use --dry-run flag to get equivalent ssh command:

gcloud compute --project "skywatch-app" ssh --zone "us-central1-f" 
"adcp-master" --dry-run

Is the issue still reproducable? Can you send me (or attach here to this bug) 
the content of your gcloud installation:
  ls -lLR /Users/rolands/google-cloud-sdk > broken-gcloud-listing.txt
This will help to diagnose if indeed your installation is in broken state.

You can try also reinstalling, either by doing:
  gcloud components reinstall
or deleting current installation directory and running
  curl https://sdk.cloud.google.com | bash

Original comment by che...@google.com on 26 Nov 2015 at 6:28

• Changed state: NeedsMoreInfo

[GoogleCodeExporter]

I tried re-installing the SDK using the curl command you specified above but 
the problem still exists. I also ran the gcloud command with the --dry-run 
option and I still have the same problem:

rolands-tor-m:.ssh rolands$ gcloud compute --project "skywatch-app" ssh --zone 
"us-central1-f" "adcp-master" --dry-run
ERROR: gcloud crashed (SSLHandshakeError): [Errno 1] _ssl.c:504: 
error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on 
curve

broken-gcloud-listing.txt, generated using the command specified above, is 
attached.

Thanks for your help.

Original comment by rol...@skywatch.co on 26 Nov 2015 at 6:37

Attachments:

• broken-gcloud-listing.txt

[GoogleCodeExporter]

I could not find immediately anything wrong with your installation.

Can you reinstall to previous version via

  export CLOUDSDK_COMPONENT_MANAGER_FIXED_SDK_VERSION=0.9.87
  curl https://sdk.cloud.google.com | bash

and try again. If that does not work, and you remember which version you used 
before the update, it would help if you can try that as well.

Original comment by che...@google.com on 26 Nov 2015 at 9:38

[GoogleCodeExporter]

Thank you for the update. 

I had the same error after installing 0.9.87, but after installing 0.9.86 
everything started working again.

I would appreciate you keeping this ticket open to keep me apprised  of a fix 
for this bug. Something in 0.9.87 update caused my gcloud compute commands to 
start failing and it should be fixed. In the meantime I won't be running gcloud 
update for awhile.

Your support is much appreciated!

Original comment by rol...@skywatch.co on 26 Nov 2015 at 9:52

[GoogleCodeExporter]

This looks like an issue with your Python or OpenSSL installation; the part of 
the code that's failing is *not* Cloud SDK code; it's Python/OpenSSL code 
(there may have been a Cloud SDK change that started to exercise this code 
path, however).

https://trac.macports.org/ticket/38015 seems to be a similar issue.

Can you check which OpenSSL version you have? Running `openssl version` ought 
to do it.

Original comment by z...@google.com on 27 Nov 2015 at 8:30

[GoogleCodeExporter]

Thank you for the update.

My OpenSSL version is:
OpenSSL 1.0.1c 10 May 2012

I'm running on a Mac, OSX Yosemite Version 10.10.5 (14F27)

Thanks,

Original comment by rol...@skywatch.co on 29 Nov 2015 at 3:34

[GoogleCodeExporter]

Hm. Can you run `openssl s_client -connect accounts.google.com:443`?

If it succeeds, it'll leave you with a lot of information about having 
successfully established a connection. If not, it'll print an error and exit.

Original comment by z...@google.com on 29 Nov 2015 at 4:20

[GoogleCodeExporter]

Here is the result of the command. I hope it helps. Thanks again for your help.

rolands-tor-m:~ rolands$ openssl s_client -connect accounts.google.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
140735272813392:error:1006706B:elliptic curve 
routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
140735272813392:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad 
ecpoint:s3_clnt.c:1677:
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=accounts.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEoTCCA4mgAwIBAgIIPNa6vZaPggUwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUxMTEyMTgyNjE3WhcNMTYwMjEwMDAwMDAw
WjBtMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEcMBoGA1UEAwwTYWNj
b3VudHMuZ29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJE4YpZ5xBuKfX0cmy7q8NonvyGKpDzhQAz5e9lY6hR/sTetYgEMSgyOM+UKDs42
MLkdBs2pXXaExx6hngYeBGaTOuqGfkUrMOa7OdTND2YJLfAgPPWn5gs/SBR41q9J
+uG3KjLdKA0HZv/4vR31yhr664OOqd0A0Z0d3EqdthbOJw25AtGYbmKswDnbVNAk
TyBvtKNZPhW6JKZYamYxIILMxQZ1uAN7fbikYA5VRaQORRHl0wsJuJjkjlyhvu6j
HnhDIqsl0nKgjGr3uL/PyI5u5tCGH3w4KUCzu+FsCRxwczWkpKqNqoj8VjojfJjG
sUvLTQTfCABqjg9UaE6LJ0MCAwEAAaOCAWcwggFjMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjA1BgNVHREELjAsghNhY2NvdW50cy5nb29nbGUuY29tghUq
LnBhcnRuZXIuYW5kcm9pZC5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAC
hh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9o
dHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQblxL9xjf1
bs+GsL+o7YLehvJJ4DAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZo
tXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIw
MAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNy
bDANBgkqhkiG9w0BAQsFAAOCAQEAZYW/zuG0TrPI1L1qLVRCzEhY2tTL5URq7PoZ
r3bfv5oKrZCy5yQf2pgwbJ0FXWV0Adv28VbIUSh7nNTMvBs/A7fplIoq5/7MkjKr
32nGBpDWP9EVBR8tXM9VfKqFqeTnQrDUm/ifHAmyv+kf+sQKBsp9V4ngfA3cNV7o
u3fRx9QZjB1LW3zZ3lUm9Q8DVq3WAkzq10AcSVC6Nkw7kN2HbWRPmpV3V0zBxIpt
ILE5gqhLuRn/XvV/LZMjypTwsGwPmjbxku4rQkwjaLymx4rEHzCENCOUk0wMGrKZ
YiNMaLMZAxePr2oedvwCANgkq16eteW7itVOskkQMVuZe9NRBA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=accounts.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3521 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1448913460
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Original comment by rol...@skywatch.co on 30 Nov 2015 at 7:59

[GoogleCodeExporter]

Ahh, yes. There's something wrong with your OpenSSL installation. See the lines:

    140735272813392:error:1006706B:elliptic curve routines:ec_GFp_simple_oct2point:point is not on curve:ecp_oct.c:421:
    140735272813392:error:1408D132:SSL routines:SSL3_GET_KEY_EXCHANGE:bad ecpoint:s3_clnt.c:1677:

There's nothing we can do on our end about this. If you fix your SSL version, 
everything should work.

Thanks for reporting!

Original comment by z...@google.com on 30 Nov 2015 at 8:02

• Changed state: WontFix