kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0
3.67k stars 333 forks

TLS error when using MeshExternalService with TLS 1.3 only #11985

Open slavogiez opened 2 weeks ago

slavogiez commented 2 weeks ago

What happened?

We would like to use MeshExternalService to access a server using HTTPS and supporting TLS 1.3 only.

The MES is declared this way:

apiVersion: kuma.io/v1alpha1
kind: MeshExternalService
metadata:
  name: tls13-only-site
  labels:
    kuma.io/mesh: xxx
spec:
  match:
    type: HostnameGenerator
    port: 80
    protocol: http
  endpoints:
    - address: tls13.1d.pw
      port: 443
  tls:
    enabled: true
    verification:
      serverName: tls13.1d.pw

When trying to access it with curl, we get this error:

upstream connect error or disconnect/reset before headers. reset reason: remote connection failure, transport failure reason: TLS_error:|268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION:TLS_error_end:TLS_error_end

lukidzi commented 2 weeks ago

Hi. If the TLS version is not provided the default is TLS12. Based on the docs https://kuma.io/docs/2.9.x/networking/meshexternalservice/#tls you can specify TLS version. You could try:

apiVersion: kuma.io/v1alpha1
kind: MeshExternalService
metadata:
  name: tls13-only-site
  labels:
    kuma.io/mesh: xxx
spec:
  match:
    type: HostnameGenerator
    port: 80
    protocol: http
  endpoints:
    - address: tls13.1d.pw
      port: 443
  tls:
    version:
      min: TLS13
      max: TLS13
    enabled: true
    verification:
      serverName: tls13.1d.pw

Please let us know if it helps

We should check if we can do better here (maybe change max to 1.3 for the client?)

slavogiez commented 2 weeks ago

Hi, I also tested with versions enforced to TLS13 like in your example, but this wasn't working either.