cloudflare / pingora

A library for building fast, reliable and evolvable network services.
Apache License 2.0

How to enable tls 1.1 #278

Closed vicanso closed 1 week ago

vicanso commented 2 weeks ago

Describe the bug

I use set_min_proto_version to set the min proto version to TLS 1.1. Then the log of tls_settings.min_proto_version() is SslVersion(770).

However, when I set --tls-max 1.1 for curl, the TLS handshake fails.

curl 'https://charts.npmtrend.com/stats' -v --tls-max 1.1
* Host charts.npmtrend.com:443 was resolved.
* IPv6: (none)
* IPv4: 47.107.66.241
*   Trying 47.107.66.241:443...
* Connected to charts.npmtrend.com (47.107.66.241) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

And the pingora debug log:

DEBUG 2024-06-13T21:17:41.626730947+08:00 Setting tcp keepalive
DEBUG 2024-06-13T21:17:41.626793712+08:00 new ssl session
DEBUG 2024-06-13T21:17:41.642064484+08:00 Dropping socket BufStream { inner: BufReader { reader: BufWriter { writer: Tcp(PollEvented { io: Some(TcpStream { addr: 172.18.230.75:443, peer: 223.104.76.202:21051, fd: 45 }) }), buffer: 0/1460, written: 0 }, buffer: 0/65536 } }
ERROR 2024-06-13T21:17:41.642136755+08:00 Downstream handshake error  TLSHandshakeFailure context: TLS accept() failed: error:0A000102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1755:

Pingora info


Pingora version: 31d7b63ed7e3a1595903bca3680e130fe90e05a0
Rust version: cargo 1.78.0 (54d8815d0 2024-03-26)
Operating system version: messense/rust-musl-cross:x86_64-musl


eaufavor commented 1 week ago

By default https://docs.rs/pingora/0.2.0/pingora/listeners/struct.TlsSettings.html creates a TLS server setting that does not support TLSv1.1. According to https://wiki.mozilla.org/Security/Server_Side_TLS, you have to adjust your TLS settings to allow TLSv1.1, including the cipher, security level, ssl options as well as tmp_dh. It is cumbersome but using TLSv1.1 is discouraged.

The following works:

    // generated from openssl dhparam 1024
    const DH: &str = "
-----BEGIN DH PARAMETERS-----
MIGHAoGBAOEz2IYhQ3IuU28X51BBS+o/s01zOdEaYCbIuiHOQTlviuKwWDiIPFqz
uxt2N265LnDYf1/vSO2E/m7XP1H5UEA4gtJ0J6FhyH9bgF0UHbAyzrwyFR4CboCn
Yskm+g1ZVWDyRs8UO2niPbp7LrmtN6tdWK0RXeqwcxVEJOwijK6XAgEC
-----END DH PARAMETERS-----";
    tls_settings.set_security_level(0);
    tls_settings.clear_options(pingora::tls::ssl::SslOptions::NO_TLSV1_1);
    // we only put TLSv1 cipher here to test
    tls_settings
        .set_cipher_list("ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA")
        .unwrap();
    let dh = openssl::dh::Dh::params_from_pem(DH.as_bytes()).unwrap();
    tls_settings.set_tmp_dh(&dh).unwrap();
    tls_settings
        .set_min_proto_version(Some(pingora::tls::ssl::SslVersion::TLS1_1))
        .unwrap();
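As an added example (not pingora's code and not the code posted in this thread), the std-only Rust decoder below reads the two TLS records involved in the exchange above: the ClientHello the client sends, and the fatal protocol_version alert (description 70, which curl printed as "tlsv1 alert protocol version") the server answers with when the client's highest offered version is below the server's minimum. It is the kind of check you run over a packet capture to confirm what a client actually offered before lowering a server's floor. Record layouts follow RFC 5246/8446; every byte string here is constructed, and the only cipher suite id used (0xC013) is ECDHE-RSA-AES128-SHA from the cipher list in the answer.

```rust
// Added example, not pingora code: decode a TLS record header, a ClientHello
// (legacy_version + supported_versions extension) and an alert. Sample bytes are
// constructed; none come from the host in the report.

#[derive(Debug, PartialEq)]
pub enum Record {
    /// level 1 = warning, 2 = fatal; description 70 = protocol_version
    Alert { level: u8, description: u8 },
    /// legacy_version plus the supported_versions extension list (empty if absent)
    ClientHello { legacy_version: u16, supported_versions: Vec<u16> },
    Other { content_type: u8 },
}

pub fn version_name(v: u16) -> &'static str {
    match v {
        0x0300 => "SSLv3",
        0x0301 => "TLS 1.0",
        0x0302 => "TLS 1.1", // printed as SslVersion(770) in the issue
        0x0303 => "TLS 1.2",
        0x0304 => "TLS 1.3",
        _ => "unknown",
    }
}

fn be16(b: &[u8], i: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*b.get(i)?, *b.get(i + 1)?]))
}

/// Parse one TLS record: 5-byte header (type, version, length) followed by the body.
pub fn parse_record(buf: &[u8]) -> Result<Record, String> {
    if buf.len() < 5 {
        return Err("short record header".into());
    }
    let len = usize::from(be16(buf, 3).unwrap());
    let body = buf.get(5..5 + len).ok_or("truncated record body")?;
    match buf[0] {
        21 if body.len() == 2 => Ok(Record::Alert { level: body[0], description: body[1] }),
        21 => Err("bad alert length".into()),
        22 => parse_client_hello(body),
        other => Ok(Record::Other { content_type: other }),
    }
}

fn parse_client_hello(body: &[u8]) -> Result<Record, String> {
    // Handshake header: msg_type (1 = ClientHello) then a 24-bit length.
    if body.len() < 4 || body[0] != 1 {
        return Err("not a ClientHello".into());
    }
    let hs_len = (usize::from(body[1]) << 16) | (usize::from(body[2]) << 8) | usize::from(body[3]);
    let ch = body.get(4..4 + hs_len).ok_or("truncated ClientHello")?;
    let legacy_version = be16(ch, 0).ok_or("missing version")?;
    let mut i = 2 + 32; // skip legacy_version and random
    i += 1 + usize::from(*ch.get(i).ok_or("missing session id")?);
    i += 2 + usize::from(be16(ch, i).ok_or("missing cipher suites")?);
    i += 1 + usize::from(*ch.get(i).ok_or("missing compression methods")?);
    let mut supported_versions = Vec::new();
    // Extensions are optional; a client capped at TLS 1.1 relies on legacy_version alone.
    if let Some(ext_len) = be16(ch, i) {
        i += 2;
        let end = (i + usize::from(ext_len)).min(ch.len());
        while i + 4 <= end {
            let ext_type = be16(ch, i).unwrap();
            let ext_size = usize::from(be16(ch, i + 2).unwrap());
            i += 4;
            if ext_type == 43 {
                // supported_versions: 1-byte list length, then 2-byte versions
                let list_len = usize::from(*ch.get(i).ok_or("bad supported_versions")?);
                let mut j = i + 1;
                while j + 2 <= i + 1 + list_len {
                    supported_versions.push(be16(ch, j).ok_or("bad supported_versions")?);
                    j += 2;
                }
            }
            i += ext_size;
        }
    }
    Ok(Record::ClientHello { legacy_version, supported_versions })
}

/// Highest version the client offers: the supported_versions list if present,
/// otherwise legacy_version. The server compares this against its minimum.
pub fn max_offered_version(r: &Record) -> Option<u16> {
    match r {
        Record::ClientHello { legacy_version, supported_versions } => {
            Some(supported_versions.iter().copied().max().unwrap_or(*legacy_version))
        }
        _ => None,
    }
}

/// Build a minimal ClientHello record as constructed test input (zeroed random).
pub fn build_client_hello(legacy_version: u16, supported: &[u16]) -> Vec<u8> {
    let mut ch = legacy_version.to_be_bytes().to_vec();
    ch.extend_from_slice(&[0u8; 32]); // random
    ch.push(0); // empty session id
    ch.extend_from_slice(&[0x00, 0x02, 0xC0, 0x13]); // one suite: ECDHE-RSA-AES128-SHA
    ch.extend_from_slice(&[0x01, 0x00]); // compression: null only
    if !supported.is_empty() {
        let list_len = (supported.len() * 2) as u8;
        let mut ext = vec![0x00, 43, 0x00, list_len + 1, list_len];
        supported.iter().for_each(|v| ext.extend_from_slice(&v.to_be_bytes()));
        ch.extend_from_slice(&(ext.len() as u16).to_be_bytes());
        ch.extend_from_slice(&ext);
    }
    let mut rec = vec![0x16, 0x03, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00];
    rec.extend_from_slice(&ch);
    rec[6..9].copy_from_slice(&(ch.len() as u32).to_be_bytes()[1..]); // 24-bit handshake length
    rec[3..5].copy_from_slice(&((ch.len() + 4) as u16).to_be_bytes()); // record length
    rec
}

fn main() {
    // The alert curl reported: fatal (2) protocol_version (70) in a TLS 1.0 record header.
    println!("{:?}", parse_record(&[0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46]));
    let rec = parse_record(&build_client_hello(0x0302, &[])).unwrap();
    println!("client offers at most {}", version_name(max_offered_version(&rec).unwrap()));
}
```

Decoding the alert the client received and the highest version it actually offered is enough to distinguish "server floor too high" from other handshake failures; in this thread the client offered at most TLS 1.1 while the default settings, security level and cipher list still refused it, which is why the alert is protocol_version rather than handshake_failure.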
vicanso commented 1 week ago

Thanks