Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS error when using MeshExternalService with TLS 1.3 only #11985

Open
slavogiez opened this issue Nov 6, 2024 · 2 comments
Open

TLS error when using MeshExternalService with TLS 1.3 only #11985

slavogiez opened this issue Nov 6, 2024 · 2 comments
Labels
kind/bug A bug triage/needs-reproducing Someone else should try to reproduce this
Milestone
2.10.x

Comments

@slavogiez
Copy link
Contributor

What happened?

We would like to use MeshExternalService to access a server using HTTPS and supporting TLS 1.3 only.

The MES is declared this way :

apiVersion: kuma.io/v1alpha1
kind: MeshExternalService
metadata:
  name: tls13-only-site
  labels:
    kuma.io/mesh: xxx
spec:
  match:
    type: HostnameGenerator
    port: 80
    protocol: http
  endpoints:
    - address: tls13.1d.pw
      port: 443
  tls:
    enabled: true
    verification:
      serverName: tls13.1d.pw

When trying to access it with curl, we get this error :

upstream connect error or disconnect/reset before headers. reset reason: remote connection failure, transport failure reason: TLS_error:|268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION:TLS_error_end:TLS_error_end
@slavogiez slavogiez added kind/bug A bug triage/pending This issue will be looked at on the next triage meeting labels Nov 6, 2024
@lahabana lahabana added this to the 2.10.x milestone Nov 6, 2024
@lukidzi
Copy link
Contributor

lukidzi commented Nov 7, 2024
edited
Loading

Hi. If the TLS version is not provided the default is TLS12. Based on the docs https://kuma.io/docs/2.9.x/networking/meshexternalservice/#tls you can specify TLS version. You could try:

apiVersion: kuma.io/v1alpha1
kind: MeshExternalService
metadata:
  name: tls13-only-site
  labels:
    kuma.io/mesh: xxx
spec:
  match:
    type: HostnameGenerator
    port: 80
    protocol: http
  endpoints:
    - address: tls13.1d.pw
      port: 443
  tls:
    version:
      min: TLS13
      max: TLS13
    enabled: true
    verification:
      serverName: tls13.1d.pw

Please let us know if it helps

We should check if we can do better here (maybe change max to 1.3 for the client?)

@lukidzi lukidzi added triage/needs-information Reviewed and some extra information was asked to the reporter and removed triage/pending This issue will be looked at on the next triage meeting labels Nov 7, 2024
@slavogiez
Copy link
Contributor Author

slavogiez commented Nov 8, 2024
edited
Loading

Hi, I also tested with versions enforced to TLS13 like in your exemple, but this wasn't working too.

@lahabana lahabana added triage/needs-reproducing Someone else should try to reproduce this and removed triage/needs-information Reviewed and some extra information was asked to the reporter labels Nov 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug A bug triage/needs-reproducing Someone else should try to reproduce this
Projects
None yet
Milestone
2.10.x
Development

No branches or pull requests
3 participants
@lahabana @slavogiez @lukidzi