Bug
Resolution: Done
Normal
Logging 5.6.0
Version of components:
cluster-logging.v5.6.0
elasticsearch-operator.v5.6.0
Server Version: 4.11.0-0.nightly-2022-10-08-131055
Kubernetes Version: v1.24.0+dc5a2fd
Description of the problem:
With the minimum TLS version set to 1.2, the Vector metrics endpoint does not accept TLS v1.3 connections.
Steps to reproduce the issue:
* Create a cluster logging instance with Vector as the collector.
* By default, the OpenSSL configuration used by Vector should use the intermediate tlsSecurityProfile with minTLSVersion 1.2.
$ oc exec collector-vqhv8 -- cat /etc/vector/openssl.cnf | grep -iE "MinProtocol|CipherSuites"
Defaulted container "collector" out of: collector, logfilesmetricexporter
MinProtocol = TLSv1.2
CipherSuites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384
* Check the connection to the collector metrics endpoint for Vector.
$ oc rsh cluster-logging-operator-8694f74b86-7mb4b
sh-4.4$ openssl s_client -tls1_3 -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:24231
CONNECTED(00000003)
140376935679808:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
sh-4.4$ openssl s_client -tls1_2 -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:24231
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = openshift-service-serving-signer@1665453851
verify return:1
depth=0 CN = collector.openshift-logging.svc
verify return:1
---
Certificate chain
 0 s:CN = collector.openshift-logging.svc
   i:CN = openshift-service-serving-signer@1665453851
 1 s:CN = openshift-service-serving-signer@1665453851
   i:CN = openshift-service-serving-signer@1665453851
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID7TCCAtWgAwIBAgIIEStijFNvfH8wDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTY2NTQ1Mzg1MTAe
Fw0yMjEwMTEwODExMTVaFw0yNDEwMTAwODExMTZaMCoxKDAmBgNVBAMTH2NvbGxl
Y3Rvci5vcGVuc2hpZnQtbG9nZ2luZy5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCu2I2uI0Dt5GTKPap1BO12yUiKqKOQymxOEaCOwU4gJ3E7nLfP
powziV0R1owAcoGVU3AkQ8ySbp40zXnIZMSatw2YjXctKLg05CYZCf0Q2oeqEtyN
ssI9LPOdkGzPY3oaFgzq3Iwa22H/flsrpIjsGFzQNfyeRa6SU6xjPS7T8JAU+7qv
6SXD9TdskBprYDbVplHTWbLOAXbYK6GvAEsiMe3CZsYXe+olUAJwyZcydDSZ6OlI
/cM/89T42n6xRiFNfvaGrjJIXoYMGE7dbrwovvpl57ORltV6Iphzc58lAWifvGV9
JV2CqdMQzX0p8LUAQzbV2XBvPzMz9Szs2oNRAgMBAAGjggEJMIIBBTAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQUB5+md7hUNNYBFqhRKgJy1IelC/4wHwYDVR0jBBgwFoAUC3Zynd3G9QeY
iwB0Na3QOwx4GE4wWQYDVR0RBFIwUIIfY29sbGVjdG9yLm9wZW5zaGlmdC1sb2dn
aW5nLnN2Y4ItY29sbGVjdG9yLm9wZW5zaGlmdC1sb2dnaW5nLnN2Yy5jbHVzdGVy
LmxvY2FsMDUGCysGAQQBkggRZAIBBCYTJGEyZDg0YTg3LTA1NjAtNGRlOS05Y2Ri
LWYyMmVlNzFjZWM3ZTANBgkqhkiG9w0BAQsFAAOCAQEAHggHpoZc+YpaPALJi1Yc
GQS4D5rS0KzsLh9EoDV9RmWWDlNQsCrEbpUnx3S5Ouk9JkQFZDITKOD/7r6i4nov
Nq54kDKoYhNGcjA8LVWQjpHHNm+AsvjqAlQ9fNuY0UONw3sKXLng8RAhxC6dvyUJ
i9Y1tSK6bJJAzpr2AXnaJF7cejt3x24cd21ds8iHV6AzOBfNxP45CnZkawvEwWle
OndtU8nNF2XzgsCgR3rgNWOebSs5X0GjCPzWWsu/DpntRZKNsIYlDAQ+pBzmakoS
1zGfcsCjmP0XwAW3AoiwYnYToCvqGMLRGycyB12TkgwLtUzoTA8U64yGJ3rdWFU4
pg==
-----END CERTIFICATE-----
subject=CN = collector.openshift-logging.svc
issuer=CN = openshift-service-serving-signer@1665453851
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2482 bytes and written 277 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 6F7107BF53D3272049C88078106B16ADBF83A98E5E95AAD2AE0ED43F6947D581
    Session-ID-ctx:
    Master-Key: C4DE01ADCD481DC8676EFDA5EC877BF2CA14591246F98002A91C5C80D382825C5C1CF73810D5C9CCF60EC91A9AFACB3E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f7 e2 9a 2a f5 b0 6c 87-66 e6 ac 8a 12 06 b9 fd   ...*..l.f.......
    0010 - 8b 30 90 24 57 81 96 2e-11 06 b4 59 fa 9c 27 34   .0.$W......Y..'4
    0020 - 59 e9 7d 7c b9 aa 0a a1-a4 93 22 02 e8 a1 57 aa   Y.}|......"...W.
    0030 - 66 2f 21 7d 78 8f 9c d9-48 88 e7 8c 06 e5 cf fc   f/!}x...H.......
    0040 - 0c 76 80 16 41 fe a4 bf-07 31 e0 41 7f b0 98 f2   .v..A....1.A....
    0050 - 47 f1 65 eb cf 6d e6 0a-50 3e 68 98 33 9e 6a ea   G.e..m..P>h.3.j.
    0060 - 85 99 61 0c b9 d5 b5 9f-aa 94 03 72 3f 0e 18 1f   ..a........r?...
    0070 - 87 b7 91 3d 40 bd 7d 34-ae fe a2 4a 97 8c 76 bf   ...=@.}4...J..v.
    0080 - 01 f6 91 50 fc 5a 19 ff-d9 d2 84 c6 ea a5 1c f5   ...P.Z..........
    0090 - c6 c6 fe 46 57 3e 14 e9-00 d8 d5 2d 25 74 6f 94   ...FW>.....-%to.

    Start Time: 1665485298
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
The output shows that the Vector collector endpoint accepts TLSv1.2 but rejects TLSv1.3: the TLS 1.3 attempt fails with alert number 70 (protocol version) before any certificate is exchanged.
Additional Notes:
The same openssl connection with the -msg parameter, showing the ClientHello the client sends and the fatal protocol_version alert the server answers with:
sh-4.4$ openssl s_client -tls1_3 -msg -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:24231
CONNECTED(00000003)
>>> ??? [length 0005]
16 03 01 00 d4
>>> TLS 1.3, Handshake [length 00d4], ClientHello
01 00 00 d0 03 03 e5 80 cb a0 35 76 dd a6 2a 18
6e 4f d8 46 54 1b f0 90 ec 3e 7a 0f 49 51 1b 81
83 3f c0 4e 69 8d 20 2e 08 46 a5 a2 a8 53 09 1e
eb f1 20 a6 c9 f2 aa a6 e7 d1 af 52 4a 8c 61 d8
db 24 9b 6f 6a 9d 73 00 0a 13 02 13 03 13 01 13
04 00 ff 01 00 00 7d 00 0b 00 04 03 00 01 02 00
0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00
23 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00
1c 04 03 05 03 06 03 08 07 08 08 08 09 08 04 08
0a 08 05 08 0b 08 06 04 01 05 01 06 01 00 2b 00
03 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24
00 1d 00 20 b9 98 e3 2a 67 9a 16 cf e9 fc 43 63
07 fe 27 0a 81 a5 5f 52 45 fd 31 47 e4 bc 43 15
08 43 9f 47
<<< ??? [length 0005]
15 03 03 00 02
<<< TLS 1.3, Alert [length 0002], fatal protocol_version
02 46
140694587148096:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
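Decoding the two records from the -msg output above, as an added example that is not part of this issue or of the cluster-logging code base: a minimal TLS record, ClientHello and Alert parser that reads the captured hex, lists the versions the client offered in its supported_versions extension, and names the alert the server returned. The hex constants are copied from the output above; the function and constant names are this example's own.

```python
"""Decode the records captured by `openssl s_client -msg` in the report above.

Added example; not part of this issue or the cluster-logging code base.
The parser follows the TLS wire format (RFC 5246 / RFC 8446) just far
enough to answer: which versions did the client offer, and what did the
server answer?
"""
import struct

# ClientHello record (5-byte header + handshake body), copied from the report.
CLIENT_HELLO_HEX = """
16 03 01 00 d4
01 00 00 d0 03 03 e5 80 cb a0 35 76 dd a6 2a 18
6e 4f d8 46 54 1b f0 90 ec 3e 7a 0f 49 51 1b 81
83 3f c0 4e 69 8d 20 2e 08 46 a5 a2 a8 53 09 1e
eb f1 20 a6 c9 f2 aa a6 e7 d1 af 52 4a 8c 61 d8
db 24 9b 6f 6a 9d 73 00 0a 13 02 13 03 13 01 13
04 00 ff 01 00 00 7d 00 0b 00 04 03 00 01 02 00
0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00
23 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00
1c 04 03 05 03 06 03 08 07 08 08 08 09 08 04 08
0a 08 05 08 0b 08 06 04 01 05 01 06 01 00 2b 00
03 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24
00 1d 00 20 b9 98 e3 2a 67 9a 16 cf e9 fc 43 63
07 fe 27 0a 81 a5 5f 52 45 fd 31 47 e4 bc 43 15
08 43 9f 47
"""
# Alert record the server sent back (header + 2-byte body), copied from the report.
ALERT_HEX = "15 03 03 00 02 02 46"

CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}


def parse_record(dump: str):
    """Split one TLS record into (content_type, record_version, payload)."""
    data = bytes.fromhex("".join(dump.split()))
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record payload truncated")
    return content_type, (major, minor), payload


def parse_client_hello(payload: bytes) -> dict:
    """Walk the ClientHello body: legacy version, cipher suites, extensions."""
    if payload[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    legacy_version = (body[0], body[1])
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + body[pos]                           # legacy_session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    cipher_suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # legacy_compression_methods
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    extensions = {}
    while pos < ext_end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        extensions[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    # A TLS 1.3 client lists its versions in supported_versions; a client
    # without that extension offers legacy_version as its maximum (RFC 8446 4.2.1).
    if EXT_SUPPORTED_VERSIONS in extensions:
        sv = extensions[EXT_SUPPORTED_VERSIONS]
        offered = [(sv[i], sv[i + 1]) for i in range(1, 1 + sv[0], 2)]
    else:
        offered = [legacy_version]
    return {"legacy_version": legacy_version, "cipher_suites": cipher_suites,
            "extensions": sorted(extensions), "offered_versions": offered}


def parse_alert(payload: bytes):
    """Return (level, description) names for a two-byte Alert body."""
    return (ALERT_LEVELS.get(payload[0], str(payload[0])),
            ALERT_DESCRIPTIONS.get(payload[1], f"alert_{payload[1]}"))


def diagnose(client_hello_hex: str, alert_hex: str) -> str:
    """Summarise the failed handshake: what was offered and what came back."""
    ctype, _, payload = parse_record(client_hello_hex)
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("first record is not a handshake record")
    hello = parse_client_hello(payload)
    offered = ", ".join(VERSION_NAMES.get(v, str(v)) for v in hello["offered_versions"])
    ctype, _, payload = parse_record(alert_hex)
    if ctype != CONTENT_ALERT:
        return f"client offered {offered}; server did not answer with an alert"
    level, desc = parse_alert(payload)
    return f"client offered {offered}; server sent {level} alert {desc}"


if __name__ == "__main__":
    print(diagnose(CLIENT_HELLO_HEX, ALERT_HEX))
```

Running it prints `client offered TLSv1.3; server sent fatal alert protocol_version`. Note that neither the record header version (03 01) nor the ClientHello legacy_version (03 03) says what the client wants: with -tls1_3 the only version in supported_versions is 03 04, and a listener capped at TLS 1.2 has nothing in common with that list, so it replies with protocol_version (70) before sending any certificate, which is exactly what the -msg trace shows.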
---
relates to
LOG-3398 Apply TLSSecurityProfile settings to TLS listeners in log collectors
Closed