alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

Error "SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893" #294

Open wheestermans31 opened 1 year ago

wheestermans31 commented 1 year ago

From time to time when using the Alpine 3.16 and 3.17 images I have the following errors:

21-Dec-2022 18:48:29 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
21-Dec-2022 18:48:29 48FB6CE0A07F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
21-Dec-2022 18:48:29 ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.17/main: Permission denied
21-Dec-2022 18:48:29 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
21-Dec-2022 18:48:29 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
21-Dec-2022 18:48:30 48FB6CE0A07F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:

As said, we don't have this all the time; it happens from time to time on an 'apk add'.

I found this information about the error:

This error means that you are running as a client attempting to connect to a server that has not been patched against CVE-2009-3555. Connection attempts to servers that do not support secure renegotiation (the mitigation against that CVE) are now aborted by default in OpenSSL 3.0.

Is this an issue on https://dl-cdn.alpinelinux.org? Or should we look at something locally on our side? Proxy or firewall?
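
The "unsafe legacy renegotiation disabled" error means the TLS peer that apk actually talked to did not advertise RFC 5746 secure renegotiation. The helper below is an added diagnostic, not code from the issue thread or the docker-alpine project: it classifies `openssl s_client` output by that flag and extracts the certificate issuer, so running `probe` from inside and outside the suspect network shows whether the CDN itself or an intercepting proxy on the path is the peer that lacks it (the sample outputs are constructed; `-tls1_2` is used because TLS 1.3 has no renegotiation and always reports "NOT supported").

```shell
#!/bin/sh
# Added diagnostic helper (not from the issue thread or the docker-alpine project).

# Reads `openssl s_client` output on stdin, prints one of: secure | legacy | unknown.
# "legacy" is the condition under which OpenSSL 3 clients such as apk abort with
# "unsafe legacy renegotiation disabled".
classify_renegotiation() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) printf 'legacy\n' ;;
        *"Secure Renegotiation IS supported"*)     printf 'secure\n' ;;
        *)                                         printf 'unknown\n' ;;
    esac
}

# Prints the issuer of the certificate the peer presented. A corporate
# inspection CA here (instead of the CDN's real issuer) means a middlebox,
# not dl-cdn.alpinelinux.org, terminated the TLS connection.
peer_issuer() {
    sed -n 's/^issuer=//p' | head -n 1
}

# Live probe (needs network). HOST defaults to the repository host from the thread.
# -tls1_2 forces a TLS 1.2 handshake so the renegotiation line is meaningful;
# under TLS 1.3 s_client always prints "NOT supported" because renegotiation does not exist there.
probe() {
    host=${1:-dl-cdn.alpinelinux.org}
    out=$(openssl s_client -connect "$host:443" -servername "$host" -tls1_2 </dev/null 2>/dev/null)
    printf '%s renegotiation=%s issuer=%s\n' "$host" \
        "$(printf '%s\n' "$out" | classify_renegotiation)" \
        "$(printf '%s\n' "$out" | peer_issuer)"
}

# Constructed sample outputs (not captured from a real connection) for offline checks.
SAMPLE_DIRECT='subject=CN = dl-cdn.alpinelinux.org
issuer=CN = Example Public CA
Secure Renegotiation IS supported'
SAMPLE_INTERCEPTED='subject=CN = dl-cdn.alpinelinux.org
issuer=CN = Corp Inspection CA
Secure Renegotiation IS NOT supported'
```

Run `probe` from a host where apk works and from one where it fails; a differing issuer or a "legacy" result on the failing side points at the network path rather than the CDN.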

PAXANDDOS commented 1 year ago

Hey, @wheestermans31 did you find a solution?

I'm having the same issue rn and have tried everything, with no result. Some say that repos should be referenced with HTTP, not HTTPS; that didn't help. Then I thought it could be my Pi-hole; turning it off didn't help either. It worked on my system before. All I did was change my physical location, and it may be my home router (or provider?), but I hardly believe it; it has nothing special configured.

Reproduction steps for me:

  1. Have Windows 11 22H2 with Docker Desktop v4.15.0
  2. docker run --rm -it --entrypoint sh alpine:3.17
  3. Inside the container: apk add nano (or anything else) image

I've just asked my friend to build the image for me (everything works on his side for some reason), and I will continue like that 😵

djarnis73 commented 1 year ago

I'm seeing this as well. We are behind a corporate firewall that does deep inspection by using its own certificate. I have tried to add the certificate to the system certs:

FROM alpine:3.17

# manually add corp ca cert to system ca certs.
# we put the chain as individual files into /usr/local/share/ca-certificates/ so update-ca-certificates automatically
# picks them up when other certs are added by apk
COPY corp-ca-*.crt  /usr/local/share/ca-certificates/
RUN cat /usr/local/share/ca-certificates/corp-ca-*.crt >> /etc/ssl/certs/ca-certificates.crt

RUN apk update && apk add ca-certificates

It works with 3.16 but with 3.17 it fails with:

docker build .
[+] Building 1.9s (8/8) FINISHED
 => [internal] load build definition from Dockerfile
 => => transferring dockerfile:
 => [internal] load .dockerignore
 => => transferring context:
 => [internal] load metadata for docker.io/library/alpine:3.17
 => [internal] load build context
 => => transferring context:
 => [1/4] FROM docker.io/library/alpine:3.17@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a
 => CACHED [2/4] COPY corp-ca-*.crt  /usr/local/share/ca-certificates/
 => CACHED [3/4] RUN cat /usr/local/share/ca-certificates/corp-ca-*.crt >> /etc/ssl/certs/ca-certificates.crt
 => ERROR [4/4] RUN apk update && apk add ca-certificates
------
 > [4/4] RUN apk update && apk add ca-certificates:
#8 0.175 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
#8 0.395 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
#8 0.734 v3.17.0-356-g3207313590 [https://dl-cdn.alpinelinux.org/alpine/v3.17/main]
#8 0.734 v3.17.1-1-gb4f5674396 [https://dl-cdn.alpinelinux.org/alpine/v3.17/community]
#8 0.734 OK: 17813 distinct packages available
#8 1.010 (1/1) Installing ca-certificates (20220614-r4)
#8 1.059 48FBCEE4967F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
#8 1.060 ERROR: ca-certificates-20220614-r4: Permission denied
#8 1.061 1 error; 7 MiB in 15 packages
------
executor failed running [/bin/sh -c apk update && apk add ca-certificates]: exit code: 1

PAXANDDOS commented 1 year ago

It's been a month and I'm back at my place trying to build an image again. Same error. BUT... It works with VPN! I can't think of any firewall inside my house, only my Raspberry Pi with Pi-hole, but I've used it at my other place and everything worked fine... So it should be something in the router... or provider? I just wonder if anyone can advise something, please.