Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 2.14.0 GA
Affects Version/s: 2.13.0 GA, 2.11.3 GA, 2.12.1 GA
Component/s: Gateway
Labels:
- 2.14-to-test
- TLS
- triaged

Blocked:
False
Blocked Reason:
None
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Target Release:

2.14.0 GA
Workaround Description:

Hide

Partial Workaround: https://access.redhat.com/solutions/6996365

However it does not work when using a forward proxy.

Show
Partial Workaround: https://access.redhat.com/solutions/6996365 However it does not work when using a forward proxy.
Git Pull Request:
https://github.com/3scale/APIcast/pull/1400
Steps to Reproduce:
- Deploy a backend that requires TLS v1.3.
  - Example nginx.conf attached
- Configure 3scale product to point to deployed backend
- Send request to APIcast
- Observe Error in APIcast logs
Intelligence Requested:
Market:

Customer Impact:

Customer Escalated

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

APIcast supports client->apicast connections using TLS v1.3 but when connecting to an upstream that requires a TLSv1.3 minimum it fails with the following error message:

2023/02/01 15:41:58 [error] 22#22: *5 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 10.217.0.1, server: _, request: "GET /?user_key=<redacted> HTTP/1.1", upstream: "https://10.0.0.102:5000/?user_key=<redacted>", host: "<redacted>:5000"[01/Feb/2023:15:41:58 +0000] api-3scale-apicast-staging.<redacted>:8080 10.217.0.1:43558 "GET /?user_key=<redacted> HTTP/1.1" 502 154 (13.784) 0

It's important to note that the proxy_ssl_protocols directive can be configured via config map as described in the workaround, but this directive is not applied when using a forward proxy (e.g. APICAST_HTTPS_PROXY). There will need to be some investigation into the forward proxy code path to determine how to support vTLS 1.3 there.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

nginx.conf
2023/02/01 4:24 PM
0.5 kB
Shannon Poole

links to

APIcast fails to connect to upstreams that require TLS v1.3

mentioned on

Merge request - Updated US source to: e851732 Merge pull request #1400 from 3scale/THREESCALE-9193-upstream-tlsv1.3

Assignee:: Unassigned

Reporter:: Shannon Poole

Tester:: Dominik Hlavac Duran

Developer:: Eguzki Astiz Lezaun

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2023/02/01 4:20 PM

Updated:: 2024/07/17 3:45 AM

Resolved:: 2023/12/15 12:43 PM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates