containerd / overlaybd

Overlaybd: a block based remote image format. The storage backend of containerd/accelerated-container-image.
Apache License 2.0

Upgrade TLS version used to connect to registry & blob backend #314

Open tianouya-db opened 9 months ago

tianouya-db commented 9 months ago

What is the version of your Overlaybd

0.6.17

What would you like to be added?

Upgrade the TLS version to 1.2+.

We found that overlaybd is using TLS v1 to talk to registry & blob backend. We've seen transient failures with S3 that failed on TLS handshake timeout. Can we configure overlaybd to use TLS v1.2+?

Why is this needed for Overlaybd?

Support TLS version 1.2+ in overlaybd.

Are you willing to submit PRs to contribute to this feature?

Coldwings commented 9 months ago

Overlaybd uses the curl wrapper in LibPhotonOS for registryfs and the SSL wrapper for registryfs_v2; both implementations already support TLSv1.2.

In registryfs (which is the default registry connection implementation in overlaybd 0.6.17 and all versions < 1.0.2), the default TLS version is decided by the libcurl that is linked.

In registryfs_v2 (default in overlaybd >= 1.0.2), HTTPS access uses TLS v1.2.

The reason S3 reported a TLS handshake timeout may not be the protocol version; could you provide more details of that condition?

tianouya-db commented 8 months ago

@Coldwings thanks for the response.

For brief context, we see net/http: TLS handshake timeout on requests to S3. We captured the traffic and saw that the failed handshakes used TLSv1. We then inspected the traffic from our node and found that the overlaybd-tcmu process seems to be sending the traffic: TLSv1 583 Client Hello.

In registryfs, the default TLS version is decided by the libcurl that is linked.

Do we know the default version by any chance? Meanwhile, I can try upgrading to 1.0.2+, and see if it helps.
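As an added example, not part of this issue or of the overlaybd project: a TLS ClientHello carries up to three version indicators (the record-layer version, the handshake client_version, and the supported_versions extension), and a capture tool's one-word label such as "TLSv1" does not by itself say which of them it reflects. The small parser below reads all three from a raw ClientHello record and reports the highest version the client actually offers, which is the check worth running on a capture like the one described above before concluding that a client is limited to TLS 1.0. The ClientHello bytes are constructed in-line for the demonstration; build_client_hello, parse_client_hello and the other names are this example's own.

```python
import struct

# Human-readable names for the (major, minor) version tuples used on the wire.
TLS_VERSION_NAMES = {
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}

SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446


def build_client_hello(record_version, client_version, supported_versions=None):
    """Construct a minimal ClientHello record (constructed test data, not a real capture).

    record_version / client_version are (major, minor) tuples; supported_versions is an
    optional list of tuples that becomes a supported_versions extension.
    """
    body = bytes(client_version)                      # legacy client_version
    body += b"\x00" * 32                              # random (zeros for the demo)
    body += b"\x00"                                   # session_id length = 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
    body += b"\x01\x00"                               # compression: null only
    extensions = b""
    if supported_versions:
        vers = b"".join(bytes(v) for v in supported_versions)
        ext_body = bytes([len(vers)]) + vers
        extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the record version, client_version and supported_versions list of a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 34                                          # skip version + random
    pos += 1 + body[pos]                              # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # cipher suites
    pos += 1 + body[pos]                              # compression methods
    supported = []
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == SUPPORTED_VERSIONS_EXT and data:
                n = data[0]
                supported = [(data[i], data[i + 1]) for i in range(1, 1 + n, 2)]
    return record_version, client_version, supported


def highest_offered_version(record):
    """Name of the highest version the client offers; supported_versions takes precedence."""
    _, client_version, supported = parse_client_hello(record)
    best = max(supported) if supported else client_version
    return TLS_VERSION_NAMES.get(best, str(best))


def offers_tls12_or_newer(record):
    """True when the client is willing to negotiate TLS 1.2 or later."""
    _, client_version, supported = parse_client_hello(record)
    return (max(supported) if supported else client_version) >= (3, 3)


if __name__ == "__main__":
    # A modern client: record layer says 3.1 for compatibility, but it offers up to TLS 1.3.
    modern = build_client_hello((3, 1), (3, 3), [(3, 4), (3, 3)])
    # A legacy client that genuinely offers nothing above TLS 1.0.
    legacy = build_client_hello((3, 1), (3, 1))
    for name, rec in (("modern", modern), ("legacy", legacy)):
        rv, cv, sv = parse_client_hello(rec)
        print(name, TLS_VERSION_NAMES[rv], TLS_VERSION_NAMES[cv],
              [TLS_VERSION_NAMES[v] for v in sv], highest_offered_version(rec))
```

Run it against bytes pulled from a real capture (for example the raw record exported from the capture tool) instead of the constructed input; if the record-layer version reads 3.1 while client_version or supported_versions advertise 3.3 or higher, the client is not restricted to TLS 1.0 and the handshake timeout should be investigated elsewhere.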