CiscoDevNet / terraform-provider-mso

Terraform Cisco MSO provider
https://registry.terraform.io/providers/CiscoDevNet/mso/latest/docs
Mozilla Public License 2.0

Bug: Connection to MSO with tls1.3 fails #264

Closed edudppaz closed 6 months ago

edudppaz commented 6 months ago

Terraform Version

1.5.6

MSO version

APIC version and APIC Platform for Site Level Resources

Affected Resource(s)

Terraform Configuration Files

Debug Output

Error: Post "***/login": remote error: tls: handshake failure

Panic Output

Expected Behavior

Connection is established

Actual Behavior

SSL connection failure

Steps to Reproduce

  1. terraform apply

Important Factoids

Seems like the mso-go-client doesn't have TLS v1.3 enabled, which makes all connections that need an algorithm not supported by TLS 1.2 fail:

https://github.com/ciscoecosystem/mso-go-client/blob/b46bf097889c24f278cc96be69c7a5bde04dce09/client/client.go#L153

func (c *Client) useInsecureHTTPClient(insecure bool) *http.Transport {
    transport := &http.Transport{
        TLSClientConfig: &tls.Config{
            CipherSuites: []uint16{
                tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            },
            PreferServerCipherSuites: true,
            InsecureSkipVerify:       insecure,
            MinVersion:               tls.VersionTLS11,
            MaxVersion:               tls.VersionTLS12,
        },
    }

    return transport
}

The same certificate and signing algorithm does work with the aci-go-client as that client does have tls1.3 enabled:

        MaxVersion:               tls.VersionTLS13,

References
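The failure mode reported above, as an added Go example (not mso-go-client or aci-go-client code): a local HTTPS server is given a constructed self-signed ECDSA P-256 certificate, and a client transport that copies the issue's hard-coded ECDHE_RSA-only suite list is run twice, once capped at TLS 1.2 and once allowed up to TLS 1.3. Under TLS 1.2 the cipher suite also fixes the certificate type, so none of the listed RSA-authenticated suites can be used with an ECDSA server key and the client sees exactly `remote error: tls: handshake failure`; under TLS 1.3 the suite list is ignored and the signature algorithm is negotiated separately, so the same client connects. The assumptions are that the MSO endpoint's certificate is ECDSA-signed (one plausible reading of "an algorithm not supported by TLS 1.2"), MinVersion is set to TLS 1.2 rather than the issue's 1.1, and `InsecureSkipVerify` is enabled only because the example certificate is self-signed; the server, hostname and response body are constructed for the example.

```go
package main

// Added example (not mso-go-client code): reproduces one way the
// "remote error: tls: handshake failure" from the issue arises when a client
// transport is capped at TLS 1.2 with a hard-coded ECDHE_RSA-only suite list,
// and shows that raising MaxVersion to TLS 1.3 (the aci-go-client setting)
// lets the same server connect. Assumption: the server presents an ECDSA
// certificate, which none of the listed TLS 1.2 suites can authenticate.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newECDSAServer starts a local HTTPS server with a constructed, self-signed
// P-256 certificate. The caller must Close() it.
func newECDSAServer() (*httptest.Server, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mso.example.invalid"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte(`{"token":"constructed"}`)) // constructed login-style reply
	}))
	// Server defaults allow TLS 1.2 and 1.3, so the client's MaxVersion decides.
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv, nil
}

// msoTransport mirrors the suite list from the issue's useInsecureHTTPClient,
// with MaxVersion made a parameter so both settings can be compared.
// InsecureSkipVerify is set only because the example server is self-signed.
func msoTransport(maxVersion uint16) *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{
			CipherSuites: []uint16{ // all RSA-authenticated; TLS 1.3 ignores this list
				tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
				tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			},
			InsecureSkipVerify: true,
			MinVersion:         tls.VersionTLS12,
			MaxVersion:         maxVersion,
		},
	}
}

// probe performs a GET through tr and returns the negotiated TLS version,
// or the handshake error the client observed.
func probe(url string, tr *http.Transport) (uint16, error) {
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	if resp.TLS == nil {
		return 0, errors.New("response did not arrive over TLS")
	}
	return resp.TLS.Version, nil
}

func main() {
	srv, err := newECDSAServer()
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	for _, max := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		v, err := probe(srv.URL, msoTransport(max))
		if err != nil {
			fmt.Printf("MaxVersion=%#x: %v\n", max, err)
			continue
		}
		fmt.Printf("MaxVersion=%#x: negotiated TLS %#x\n", max, v)
	}
}
```

Run with `go run .`: the TLS 1.2-capped transport reports the handshake failure and the TLS 1.3-capable one negotiates 0x0304. The takeaway for the fix is that raising `MaxVersion` is what unblocks such servers; keeping an explicit `CipherSuites` list is harmless under TLS 1.3 because Go does not apply it there, but on TLS 1.2 it still excludes any server whose certificate is not RSA.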

shrsr commented 6 months ago

@edudppaz Thank you for opening the issue. Our team will look into this!