cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

http: TLS handshake error from <ip:port> : tls: oversized record received with length 21536 #898

Open Manoj2087 opened 6 years ago

Manoj2087 commented 6 years ago

**At the signing server side**

```sh
cat > signing-server.json <<EOF
{
  "signing": {
    "default": {
      "auth_key": "default",
      "expiry": "43800h",
      "usages": [
        "signing",
        "key encipherment",
        "client auth",
        "server auth"
      ]
    }
  },
  "auth_keys": {
    "default": {
      "key": "",
      "type": "standard"
    }
  }
}
EOF
```

```sh
cat > multiroot-profile.ini <<EOF
[default]
private = file://ca.key
certificate = ca.crt
config = signing-server.json
EOF
```

```sh
multirootca \
  -a 0.0.0.0:8888 \
  -l default \
  -roots multiroot-profile.ini \
  -tls-cert signing-server.crt \
  -tls-key signing-server.key
```

```
2018/05/22 22:25:07 [INFO] loaded signer default
2018/05/22 22:25:07 [INFO] Now listening on https://0.0.0.0:8888
```

**At the client**

```sh
cat > config-client.json <<EOF
{
  "auth_keys": {
    "default": {
      "type": "standard",
      "key": ""
    }
  },
  "signing": {
    "default": {
      "auth_remote": {
        "remote": "default",
        "auth_key": "default"
      }
    }
  },
  "remotes": {
    "default": ":8888"
  }
}
EOF
```

```sh
echo '{"CN":"my-new","key":{"algo":"rsa","size":2048}}' | \
  cfssl gencert \
    -config=config-client.json \
    -hostname=my-new \
    -tls-remote-ca ca.crt \
    -profile=default - | \
  cfssljson -bare my-new
```

While executing the above I get the below output:

```
2018/05/23 01:20:36 [INFO] generate received request
2018/05/23 01:20:36 [INFO] received CSR
2018/05/23 01:20:36 [INFO] generating key: rsa-2048
2018/05/23 01:20:37 [INFO] encoded CSR
2018/05/23 01:20:37 [INFO] Using trusted CA from tls-remote-ca: ca.crt
{"code":7400,"message":"failed POST to http://:8888/api/v1/cfssl/authsign: Post http://:8888/api/v1/cfssl/authsign: net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\x15\x03\x01\x00\x02\x02\x16\""}
Failed to parse input: unexpected end of JSON input
```

At the signing server I get the below error:

```
http: TLS handshake error from :: tls: oversized record received with length 21536
```

This seems to be only happening when multirootca is configured with TLS (`-tls-cert` and `-tls-key`).

```sh
cfssl version
```

```
Version: 1.3.2
Revision: dev
Runtime: go1.10.2
```

dchote commented 6 years ago

I just resolved this. You need to change your remote server to use an https URI format: `https://SERVERIP:PORT`.
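The two errors in the report above are the same mismatch seen from each end, and dchote's fix addresses its cause: `"remotes": {"default": ":8888"}` has no scheme, so cfssl speaks plain HTTP to a port where multirootca is waiting for a TLS ClientHello. The server reads the first five bytes of `POST ` as a TLS record header and gets a length of `0x5420` = 21536, which exceeds the maximum record size, so it replies with a fatal `record_overflow` alert; that alert is the seven bytes `\x15\x03\x01\x00\x02\x02\x16` the client then complains is a "malformed HTTP response". The Go program below is an added example, not cfssl's or multirootca's own code; it decodes both sides of that exchange using the RFC 5246 record layout. The request line it feeds in is constructed to match the path from the client's error message.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// TLS record content types and limits (RFC 5246 section 6.2.1).
const (
	ContentTypeAlert     = 0x15
	ContentTypeHandshake = 0x16
	maxPlaintextLen      = 16384 // 2^14 bytes of fragment per record
)

// TLS alert descriptions relevant to a misdirected plaintext client (RFC 5246 section 7.2).
var alertDescriptions = map[byte]string{
	0x0a: "unexpected_message",
	0x16: "record_overflow",
	0x28: "handshake_failure",
	0x50: "internal_error",
}

// RecordHeader is the 5-byte TLS record header as a server parses it.
type RecordHeader struct {
	ContentType byte
	Version     uint16
	Length      uint16
}

// ParseRecordHeader interprets the first five bytes read on a fresh
// connection as a TLS record header, whatever the peer actually sent.
func ParseRecordHeader(b []byte) (RecordHeader, error) {
	if len(b) < 5 {
		return RecordHeader{}, fmt.Errorf("need 5 bytes, got %d", len(b))
	}
	return RecordHeader{
		ContentType: b[0],
		Version:     binary.BigEndian.Uint16(b[1:3]),
		Length:      binary.BigEndian.Uint16(b[3:5]),
	}, nil
}

// LooksLikePlaintextHTTP reports whether bytes a TLS listener rejected as an
// oversized record are really the start of an HTTP request line.
func LooksLikePlaintextHTTP(b []byte) bool {
	for _, m := range []string{"GET ", "POST ", "PUT ", "HEAD ", "DELETE ", "PATCH ", "OPTIONS "} {
		if len(b) >= len(m) && string(b[:len(m)]) == m {
			return true
		}
	}
	return false
}

// Alert is a decoded TLS alert record body.
type Alert struct {
	Level       byte // 1 = warning, 2 = fatal
	Description string
}

// DecodeAlertRecord decodes a complete alert record such as the seven bytes
// the cfssl client printed inside its "malformed HTTP response" error.
func DecodeAlertRecord(b []byte) (Alert, error) {
	hdr, err := ParseRecordHeader(b)
	if err != nil {
		return Alert{}, err
	}
	if hdr.ContentType != ContentTypeAlert || hdr.Length != 2 || len(b) < 7 {
		return Alert{}, fmt.Errorf("not a TLS alert record: %x", b)
	}
	desc, ok := alertDescriptions[b[6]]
	if !ok {
		desc = fmt.Sprintf("alert(%d)", b[6])
	}
	return Alert{Level: b[5], Description: desc}, nil
}

func main() {
	// Constructed: the request line a cfssl client writes when its remote is
	// ":8888" (plain HTTP) while the server expects TLS.
	request := []byte("POST /api/v1/cfssl/authsign HTTP/1.1\r\n")
	hdr, _ := ParseRecordHeader(request)
	fmt.Printf("server sees content type 0x%02x, version 0x%04x, length %d (max %d)\n",
		hdr.ContentType, hdr.Version, hdr.Length, maxPlaintextLen)
	fmt.Println("plaintext HTTP request?", LooksLikePlaintextHTTP(request))

	// The bytes from the client-side error message, verbatim.
	alert, _ := DecodeAlertRecord([]byte{0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x16})
	fmt.Printf("server replied: level %d (%s)\n", alert.Level, alert.Description)
}
```

When `LooksLikePlaintextHTTP` matches the bytes a TLS listener rejected, the problem is the client's URL scheme, not the certificates: once `remotes.default` carries an `https://` prefix as dchote describes, the first byte on the wire is a handshake record (`0x16`) and the server's `-tls-remote-ca` validation gets a chance to run.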