Bug
Resolution: Obsolete
Blocker
Logging 5.6.0
False
False
NEW
NEW
Version of components:
cluster-logging.v5.6.0
elasticsearch-operator.v5.6.0
Server Version: 4.11.0-0.nightly-2022-10-08-131055
Kubernetes Version: v1.24.0+dc5a2fd
Description of the problem:
The Fluentd collector metrics endpoint (collector:24231) does not accept TLS 1.3 connections even though the OpenSSL configuration it runs with sets MinProtocol = TLSv1.2 and lists the TLS 1.3 cipher suites. A TLS 1.3 handshake is answered with a fatal protocol_version alert (alert number 70); a TLS 1.2 handshake succeeds.
Steps to reproduce the issue:
*Create a cluster logging instance with Fluentd as collector.
*By default the OpenSSL config used by Fluentd should follow the intermediate tlsSecurityProfile, i.e. minTLSVersion 1.2. Checking the rendered file inside the collector pod:
oc exec collector-dgt4m -- cat /etc/fluent/configs.d/user/openssl.cnf | grep -iE "ciphersuites|minprotocol"
Defaulted container "collector" out of: collector, logfilesmetricexporter
MinProtocol = TLSv1.2
CipherSuites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384
*Check the connection to the Fluentd collector metrics endpoint. With TLS 1.3 forced the handshake fails; with TLS 1.2 forced it succeeds.
sh-4.4$ openssl s_client -tls1_3 -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:24231
CONNECTED(00000003)
140527477638976:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
sh-4.4$ openssl s_client -tls1_2 -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:24231
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = openshift-service-serving-signer@1665633507
verify return:1
depth=0 CN = collector.openshift-logging.svc
verify return:1
---
Certificate chain
 0 s:CN = collector.openshift-logging.svc
   i:CN = openshift-service-serving-signer@1665633507
 1 s:CN = openshift-service-serving-signer@1665633507
   i:CN = openshift-service-serving-signer@1665633507
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID7TCCAtWgAwIBAgIIA9eHxamq5oYwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTY2NTYzMzUwNzAe
Fw0yMjEwMTMwNjUzNDZaFw0yNDEwMTIwNjUzNDdaMCoxKDAmBgNVBAMTH2NvbGxl
Y3Rvci5vcGVuc2hpZnQtbG9nZ2luZy5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCrTUsTGr45INtOXO9fxHjZSYDV5+F0CpGq0H8RHjJ8tUKcbXE4
KYHg8T2yKZ9QCqHkeYcaC07B3k7ty8ZifBnDlCS0vzjWa50SwYvaKkEPVNvAuBq/
y/SGViVk8ic5Ivp2UjcaGAJ0jyTAIVylAoS/OpSJBjeb18mrHrIU0zGDM3HB70+m
En07sE4v2VSxEADQVNs+ELpgM6RUL/NN/y/Wymrco1pdnPHOHcUcZ6chyhymUqiB
hgKHca1Wjk7dftTPWrmtfhAOHVx9S/vJmG6dmUgV+N2enKIDZcDCtvfcvT4LCJ6t
FuJXjkBWUN9/ToVZhYvWXYZROrxQXM3mdoePAgMBAAGjggEJMIIBBTAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQUgjON3WIQ8jQJipDKXAXtVWkBuGswHwYDVR0jBBgwFoAUMeiSWAOUv/Pw
eQ6jN8qXC3thFtMwWQYDVR0RBFIwUIIfY29sbGVjdG9yLm9wZW5zaGlmdC1sb2dn
aW5nLnN2Y4ItY29sbGVjdG9yLm9wZW5zaGlmdC1sb2dnaW5nLnN2Yy5jbHVzdGVy
LmxvY2FsMDUGCysGAQQBkggRZAIBBCYTJDkwOGJhYWFiLTU0ZTQtNGUzNS05Mzlm
LTg3MWI4NDZmMmIwNjANBgkqhkiG9w0BAQsFAAOCAQEAfevvs8tACbCOxa6GtJ1T
8jx2SbS01ScPi5Ieh/8vhgSXdjSNj9Rm2sD0mSuZt53QWo6y1qJ4mz0aczfVubpR
gsrr0rG5Z+wi3jF+C/9sNJmyre7C0agdoCCXp67tocR9gWN3byEWrDwF5BfdWzAa
19zzilmamkBj1SkpFFbWbWDr5us25Icakw0GjtD8T4fBisfB7wS82Rh07ymg1eYY
De8ZuRXUgy+TN9igrL5K0mNtiXAGE5fwjgY2S9FFGvNWQtQSYQmYAgRsScZgI8b2
pooUigb2QoiPv5l+zXVq2rDKh7rq73qUhHZPFR3YrRoUDPu0mYUw6d6ps7BrfYIC
uQ==
-----END CERTIFICATE-----
subject=CN = collector.openshift-logging.svc
issuer=CN = openshift-service-serving-signer@1665633507
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2553 bytes and written 297 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 04979E8D4B8FFF3B1D75D2C98739ED9A331542523B2F416EA34BFD407B10DA8C
    Session-ID-ctx:
    Master-Key: 57B6A1D1F88420197211309ECE7D5FC78083EBE393DF77F53FC41E11EF3CB2E1B2D22F50E9E47BE24BB718562BA2A8FE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c5 0b 3c 12 0b 36 ac 4d-00 56 2a b1 de be d6 be   ..<..6.M.V*.....
    0010 - d6 9a 9b 9d 7d bb 5a 04-3f 73 e0 a5 ae f6 83 6e   ....}.Z.?s.....n
    0020 - 97 ce de a0 db 43 9f 08-68 4d 2a 1f e0 53 8b d4   .....C..hM*..S..
    0030 - 1f ce d9 c2 f4 67 45 70-19 df 77 f0 fa bf 1d 64   .....gEp..w....d
    0040 - 90 37 3c 63 8b 4e 0c 2c-f5 d3 66 f1 dd 6b c6 24   .7<c.N.,..f..k.$
    0050 - c8 3a da b4 ff 08 8b 4e-fc a0 9a 17 02 18 0d 76   .:.....N.......v
    0060 - d2 4a fc 37 6e fc f5 9a-c6 a2 61 ec 5e 29 5b 55   .J.7n.....a.^)[U
    0070 - 0d 4d 9d 09 dc b7 cd 72-df 2b e7 90 18 62 3b df   .M.....r.+...b;.
    0080 - 1c 99 a8 f2 2b 95 db 33-f9 1d ae 3b fb 27 af e6   ....+..3...;.'..
    0090 - cc ca 80 95 4e aa b2 b7-3c 7e de e8 c0 3f f0 4a   ....N...<~...?.J

    Start Time: 1665653375
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
Additional notes:
The same TLS 1.3 attempt with the -msg parameter, which prints the raw records: the client sends its ClientHello and the server immediately answers with a fatal protocol_version alert (alert number 70), so no ServerHello or certificate is ever exchanged.
sh-4.4$ openssl s_client -tls1_3 -CAfile /run/secrets/kubernetes.io/serviceaccount/service-ca.crt -connect collector:24231 -msg
CONNECTED(00000003)
>>> ??? [length 0005]
16 03 01 00 d4
>>> TLS 1.3, Handshake [length 00d4], ClientHello
01 00 00 d0 03 03 78 07 82 47 04 34 ea 24 dc d8
27 15 c5 7d e8 69 33 f2 b6 15 d2 27 07 3c 02 74
08 00 79 a3 6d 9b 20 ba a8 a6 92 a0 51 bc a8 75
34 70 e4 42 5c 47 a9 cd 9e d0 83 41 f3 99 35 9b
2f 39 87 27 e2 1c 83 00 0a 13 02 13 03 13 01 13
04 00 ff 01 00 00 7d 00 0b 00 04 03 00 01 02 00
0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00
23 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00
1c 04 03 05 03 06 03 08 07 08 08 08 09 08 04 08
0a 08 05 08 0b 08 06 04 01 05 01 06 01 00 2b 00
03 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24
00 1d 00 20 54 fb 2b 88 48 73 a1 75 34 c6 c7 27
db 07 c6 f3 aa d2 25 26 29 78 f6 40 92 f0 e5 55
db ea ae 0e
<<< ??? [length 0005]
15 03 03 00 02
<<< TLS 1.3, Alert [length 0002], fatal protocol_version
02 46
140315445065536:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
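To make the two captures above checkable rather than just readable, here is an added example (not part of the original report or of the logging operator's code) that decodes the -msg dump byte by byte and, for a live endpoint, repeats the per-version check from the reproduction steps. The hex strings are copied from the -msg output on this page; everything else (parse_record, parse_client_hello, parse_alert, summarize, probe_versions and the host/port/CA-file arguments) is this example's own. It shows that the ClientHello's supported_versions extension (type 43) offers only 0x0304, i.e. TLS 1.3, and that the seven bytes the server returned are a fatal alert with description 70 (protocol_version). One caveat for the config check above: in OpenSSL's own configuration syntax TLS 1.3 suites and TLS 1.2 ciphers are set by separate directives (Ciphersuites and CipherString), so a single list mixing both kinds of names does not by itself say which protocol versions end up enabled; the page does not show how the collector consumes that file.

```python
"""Decode the records captured with `openssl s_client -tls1_3 ... -msg` above.

Added example, not code from the original report. The byte strings are copied
from the -msg dump on this page; all function names here are this example's own.
"""
import socket
import ssl
import struct

# Outgoing record (">>>" in the -msg output): 5-byte record header + ClientHello.
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16 03 01 00 d4 "  # type 22 (Handshake), legacy record version 0x0301, length 212
    "01 00 00 d0 03 03 78 07 82 47 04 34 ea 24 dc d8 "
    "27 15 c5 7d e8 69 33 f2 b6 15 d2 27 07 3c 02 74 "
    "08 00 79 a3 6d 9b 20 ba a8 a6 92 a0 51 bc a8 75 "
    "34 70 e4 42 5c 47 a9 cd 9e d0 83 41 f3 99 35 9b "
    "2f 39 87 27 e2 1c 83 00 0a 13 02 13 03 13 01 13 "
    "04 00 ff 01 00 00 7d 00 0b 00 04 03 00 01 02 00 "
    "0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 "
    "23 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00 "
    "1c 04 03 05 03 06 03 08 07 08 08 08 09 08 04 08 "
    "0a 08 05 08 0b 08 06 04 01 05 01 06 01 00 2b 00 "
    "03 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24 "
    "00 1d 00 20 54 fb 2b 88 48 73 a1 75 34 c6 c7 27 "
    "db 07 c6 f3 aa d2 25 26 29 78 f6 40 92 f0 e5 55 "
    "db ea ae 0e"
)
# Incoming record ("<<<"): the server's whole reply, a two-byte Alert.
ALERT_RECORD = bytes.fromhex("15 03 03 00 02 02 46")

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446, section 4.2.1


def parse_record(data):
    """Split one TLS record into (content_type, legacy_version, payload), checking the length."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, version, payload


def parse_client_hello(record):
    """Return the ClientHello fields that matter for version negotiation."""
    ctype, record_version, payload = parse_record(record)
    if ctype != 22 or payload[0] != 1:
        raise ValueError("not a ClientHello")
    hello = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    (client_version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                      # skip client random
    pos += 1 + hello[pos]             # skip legacy session id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]             # skip compression methods
    (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    extensions, end = {}, pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        extensions[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    # For TLS 1.3 the real offer is supported_versions; client_version stays 0x0303.
    offered = None
    if EXT_SUPPORTED_VERSIONS in extensions:
        ext = extensions[EXT_SUPPORTED_VERSIONS]
        offered = [struct.unpack("!H", ext[i:i + 2])[0] for i in range(1, 1 + ext[0], 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "extensions": sorted(extensions),
            "supported_versions": offered}


def parse_alert(record):
    """Return (level name, description code, description name) of an Alert record."""
    ctype, _, payload = parse_record(record)
    if ctype != 21 or len(payload) != 2:
        raise ValueError("not an Alert record")
    level, desc = payload
    return ALERT_LEVELS.get(level, str(level)), desc, ALERT_DESCRIPTIONS.get(desc, "unknown")


def summarize(hello_record, alert_record):
    hello = parse_client_hello(hello_record)
    level, code, name = parse_alert(alert_record)
    offered = ", ".join(TLS_VERSIONS.get(v, hex(v)) for v in hello["supported_versions"] or [])
    return f"client offered [{offered}]; server replied {level} alert {code} ({name})"


def probe_versions(host, port, cafile, timeout=5.0):
    """Live check for a real endpoint: pin TLS 1.2, then TLS 1.3, and report each outcome."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.minimum_version = ctx.maximum_version = version  # exactly one version offered
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = f"ok: {tls.version()} {tls.cipher()[0]}"
        except (ssl.SSLError, OSError) as exc:
            results[version.name] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    print(summarize(CLIENT_HELLO_RECORD, ALERT_RECORD))
    # From inside the cluster (hypothetical arguments, matching the s_client command above):
    # print(probe_versions("collector", 24231,
    #                      "/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"))
```

probe_versions pins minimum_version and maximum_version to the same value so that each attempt offers a single protocol version, which is what -tls1_2 and -tls1_3 do in s_client; a server that is 1.2-only fails the second attempt with the same protocol_version alert the dump shows.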
Relates to: LOG-3398 Apply TLSSecurityProfile settings to TLS listeners in log collectors (Closed)