Bug
Resolution: Obsolete
Blocker
Logging 5.6.0
NEW
Version of components:
cluster-logging.v5.6.0
elasticsearch-operator.v5.6.0
Server Version: 4.11.0-0.nightly-2022-10-08-131055
Kubernetes Version: v1.24.0+dc5a2fd
Description of the problem:
The logfile metrics exporter accepts TLS v1.1 connections even though its minimum TLS version is set to 1.2.
Steps to reproduce the issue:
* Create a cluster logging instance.
* Check the connection to the logfile metrics exporter endpoints:
sh-4.4$ openssl s_client -tls1_1 -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:2112
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = openshift-service-serving-signer@1665541076
verify return:1
depth=0 CN = collector.openshift-logging.svc
verify return:1
---
Certificate chain
 0 s:CN = collector.openshift-logging.svc
   i:CN = openshift-service-serving-signer@1665541076
 1 s:CN = openshift-service-serving-signer@1665541076
   i:CN = openshift-service-serving-signer@1665541076
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=CN = collector.openshift-logging.svc
issuer=CN = openshift-service-serving-signer@1665541076
---
No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2475 bytes and written 221 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 2CC85AAC1F58BDBD8360C23C3C0BBE991E35AF055505C6C79B53EA4CC4FDA117
    Session-ID-ctx:
    Master-Key: 1DD9D244AAD099221DD4477B571D0D234D1E1AA150A58D76201042202AD99BC6B133C1FD03EBC7ABBF7AE7727A215BD7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    [hex dump omitted]
    Start Time: 1665550748
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

sh-4.4$ openssl s_client -tls1_2 -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:2112
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = openshift-service-serving-signer@1665541076
verify return:1
depth=0 CN = collector.openshift-logging.svc
verify return:1
---
Certificate chain
 0 s:CN = collector.openshift-logging.svc
   i:CN = openshift-service-serving-signer@1665541076
 1 s:CN = openshift-service-serving-signer@1665541076
   i:CN = openshift-service-serving-signer@1665541076
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted; same certificate as above]
-----END CERTIFICATE-----
subject=CN = collector.openshift-logging.svc
issuer=CN = openshift-service-serving-signer@1665541076
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2453 bytes and written 285 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 52A1E8CB53D1F9708E27A9D94D5F846FCD7402144FDCDD83F470FF5D928BA5B6
    Session-ID-ctx:
    Master-Key: B2F571A0BAEA64577EBC861F9DF94FD1C3A39008C6A2758325CE35023D414B4C4043BC5016B3C64745A7A705E9B7874D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    [hex dump omitted]
    Start Time: 1665550766
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
Observed: the first session shows that the exporter accepts a connection over TLS v1.1 (Protocol : TLSv1.1). Expected: by default the TLS version must be set according to the intermediate tlsSecurityProfile, i.e. minTLSVersion 1.2, and the logfile metrics exporter must also comply with the global tlsSecurityProfile set in apiserver/cluster.
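As an added example (not code from the logging operator or from this report): a Go check that resolves a tlsSecurityProfile to the crypto/tls MinVersion a listener must enforce and then verifies in-process that a listener built with it refuses a TLS 1.1 client and accepts TLS 1.2, the same check the openssl sessions above perform by hand. The profile-to-version mapping (Old 1.0, Intermediate 1.2, Modern 1.3, Custom taking its own minTLSVersion), the throwaway self-signed certificate and the use of net.Pipe instead of a socket are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Minimum protocol version per OpenShift tlsSecurityProfile type ("" = the cluster
// default, Intermediate); a Custom profile carries its own minTLSVersion value.
var profileMin = map[string]uint16{"": tls.VersionTLS12, "Old": tls.VersionTLS10,
	"Intermediate": tls.VersionTLS12, "Modern": tls.VersionTLS13}
var customMin = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}
// minVersionForProfile resolves the crypto/tls MinVersion a listener must enforce.
func minVersionForProfile(profileType, minTLSVersion string) (uint16, bool) {
	table, key := profileMin, profileType
	if profileType == "Custom" {
		table, key = customMin, minTLSVersion
	}
	v, ok := table[key]
	return v, ok
}

// handshakeAccepted: does a listener enforcing serverMin complete a handshake with a client capped at clientMax?
func handshakeAccepted(serverMin, clientMax uint16) (bool, error) {
	// Throwaway self-signed RSA certificate: constructed test material, not a cluster cert.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "collector"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	srvConn, cliConn := net.Pipe() // in-memory, so no sockets are needed
	srv := tls.Server(srvConn, &tls.Config{MinVersion: serverMin,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, // self-signed test cert
		MinVersion: tls.VersionTLS10, MaxVersion: clientMax})
	go func() { _ = srv.Handshake(); srvConn.Close() }() // a refusal reaches the client as a protocol_version alert
	defer cliConn.Close()
	return cli.Handshake() == nil, nil
}
```

Running handshakeAccepted with the Old profile's minimum (TLS 1.0) against a TLS 1.1 client reproduces the reported behaviour: the handshake succeeds, which is exactly what an Intermediate listener must not allow.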
Relates to: LOG-3398 Apply TLSSecurityProfile settings to TLS listeners in log collectors (Closed)