Details
-
Bug
-
Resolution: Done
-
Critical
-
2.13.0 GA, 2.11.3 GA, 2.12.1 GA
-
False
-
None
-
False
-
Not Started
-
Not Started
-
Not Started
-
Not Started
-
Not Started
-
Not Started
-
-
- Deploy a backend that requires TLS v1.3.
- Example nginx.conf attached
- Configure 3scale product to point to deployed backend
- Send request to APIcast
- Observe Error in APIcast logs
- Deploy a backend that requires TLS v1.3.
-
Customer Escalated
Description
APIcast supports client->apicast connections using TLS v1.3 but when connecting to an upstream that requires a TLSv1.3 minimum it fails with the following error message:
2023/02/01 15:41:58 [error] 22#22: *5 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 10.217.0.1, server: _, request: "GET /?user_key=<redacted> HTTP/1.1", upstream: "https://10.0.0.102:5000/?user_key=<redacted>", host: "<redacted>:5000"[01/Feb/2023:15:41:58 +0000] api-3scale-apicast-staging.<redacted>:8080 10.217.0.1:43558 "GET /?user_key=<redacted> HTTP/1.1" 502 154 (13.784) 0
It's important to note that the proxy_ssl_protocols directive can be configured via config map as described in the workaround, but this directive is not applied when using a forward proxy (e.g. APICAST_HTTPS_PROXY). There will need to be some investigation into the forward proxy code path to determine how to support vTLS 1.3 there.
Attachments
Issue Links
- links to
- mentioned on
