minio / sidekick

High Performance HTTP Sidecar Load Balancer
GNU Affero General Public License v3.0

TLSv1.0/1.1 connections do not complete, but handshakes still occur #68

Closed aglahe closed 1 year ago

aglahe commented 2 years ago

It appears that Sidekick, at least in version 2.0.3, while it doesn't allow the connection to complete, does allow a TLS 1.0/1.1 handshake to occur.

Expected Behavior

Performing: curl https://sidekick.local:9000 --verbose --tlsv1.0 --tls-max 1.1

When explicitly using TLS 1.0/1.1 versions, it shouldn't allow any connection, nor the handshakes between the client and sidekick, given the Go package being used is: https://pkg.go.dev/crypto/tls

Currently, when doing this to a minio server directly, you get the expected: curl: (35) Peer reports incompatible or unsupported protocol version.

Current Behavior

Described below in steps to reproduce

Possible Solution

Not sure.

Steps to Reproduce (for bugs)

  1. curl https://_sidekick-server:port_ --verbose --tlsv1.0 --tls-max 1.1
  • (304) (OUT), TLS handshake, Client hello (1):
  • (304) (IN), TLS handshake, Server hello (2):
  • TLSv1.1 (IN), TLS handshake, Certificate (11):
  • TLSv1.1 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.1 (IN), TLS handshake, Server finished (14):
  • TLSv1.1 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.1 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.1 (OUT), TLS handshake, Finished (20):
  • TLSv1.1 (IN), TLS change cipher, Change cipher spec (1):
  • TLSv1.1 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.1 / ECDHE-RSA-AES128-SHA ...
  • Empty reply from server
  • Closing connection 0
  • TLSv1.1 (IN), TLS alert, close notify (256):
  • TLSv1.1 (OUT), TLS alert, close notify (256):
  curl: (52) Empty reply from server

Context

https://minio.slack.com/archives/C3NDUB8UA/p1661973913050299

Regression

Not sure, haven't tested on older versions.

Your Environment

harshavardhana commented 2 years ago

sidekick doesn't support TLS v1.0 or v1.1

When explicitly using TLS 1.0/1.1 versions, it shouldn't allow any connection, nor the handshakes between the client and sidekick, given the Go package being used is: https://pkg.go.dev/crypto/tls

We rely on Go's standard net/http here so whatever is being done is done by net/http

aglahe commented 2 years ago

So, in reading this from that pkg:

// MinVersion contains the minimum TLS version that is acceptable.
//
// By default, TLS 1.2 is currently used as the minimum when acting as a
// client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
// supported by this package, both as a client and as a server.
//
// The client-side default can temporarily be reverted to TLS 1.0 by
// including the value "x509sha1=1" in the GODEBUG environment variable.
// Note that this option will be removed in Go 1.19 (but it will still be
// possible to set this field to VersionTLS10 explicitly).
MinVersion uint16

If I'm reading this correctly, it looks like the default min version for server is 1.0...but, I could be reading this incorrectly.

aglahe commented 2 years ago

I mean, I see this in the code:

MinVersion: tls.VersionTLS12,

I'll keep digging.
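The MinVersion behaviour discussed in the two comments above, as an added example that is not part of this thread or of sidekick's code: a Go program that runs an in-memory crypto/tls handshake between a server with a chosen MinVersion and a client restricted to the version range that curl's --tlsv1.0 --tls-max 1.1 offers. With MinVersion set to tls.VersionTLS12 no ServerHello is ever sent; the server answers the ClientHello with a protocol_version alert, which is the curl (35) error the issue expects. Only a server whose MinVersion is explicitly TLS 1.0 (which was also crypto/tls's server default before Go 1.22) completes the TLS 1.1 handshake shown in the reproduction. The self-signed certificate, the hostname sidekick.local, the Probe function and the single CBC cipher suite are constructed here for illustration and are assumptions of the example, not part of the project.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway RSA certificate for "sidekick.local".
// Constructed for this example only; not the project's own key material.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sidekick.local"},
		DNSNames:     []string{"sidekick.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Probe runs one in-memory handshake between a server whose MinVersion is
// serverMin and a client that offers TLS 1.0 up to clientMax (the range
// curl --tlsv1.0 --tls-max 1.1 would offer). It returns the negotiated
// protocol version, or 0 and the error when the handshake is refused.
func Probe(serverMin, clientMax uint16) (uint16, error) {
	cert, pool, err := selfSigned()
	if err != nil {
		return 0, err
	}
	// One legacy CBC suite so TLS 1.0/1.1 has something to negotiate; it is
	// ignored for TLS 1.3, whose suites are not configurable.
	suites := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}

	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin,
		CipherSuites:           suites,
		SessionTicketsDisabled: true, // no post-handshake writes over the pipe
	}
	clientCfg := &tls.Config{
		RootCAs:      pool,
		ServerName:   "sidekick.local",
		MinVersion:   tls.VersionTLS10, // explicit opt-in, like curl --tlsv1.0
		MaxVersion:   clientMax,        // like curl --tls-max
		CipherSuites: suites,
	}

	cPipe, sPipe := net.Pipe()
	srv := tls.Server(sPipe, serverCfg)
	cli := tls.Client(cPipe, clientCfg)

	srvRes := make(chan error, 1)
	go func() { srvRes <- srv.Handshake() }()
	cliErr := cli.Handshake()
	srvErr := <-srvRes

	// Tear down the raw pipe ends; calling tls.Conn.Close here would have
	// both sides block on an unread close_notify over net.Pipe.
	cPipe.Close()
	sPipe.Close()

	if srvErr != nil {
		return 0, fmt.Errorf("server refused handshake: %w", srvErr)
	}
	if cliErr != nil {
		return 0, fmt.Errorf("client handshake failed: %w", cliErr)
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	for _, c := range []struct {
		name           string
		srvMin, cliMax uint16
	}{
		{"MinVersion TLS1.2 vs curl --tlsv1.0 --tls-max 1.1", tls.VersionTLS12, tls.VersionTLS11},
		{"MinVersion TLS1.0 vs curl --tlsv1.0 --tls-max 1.1", tls.VersionTLS10, tls.VersionTLS11},
		{"MinVersion TLS1.2 vs modern client", tls.VersionTLS12, tls.VersionTLS13},
	} {
		v, err := Probe(c.srvMin, c.cliMax)
		fmt.Printf("%-50s version=%#x err=%v\n", c.name, v, err)
	}
}
```

The first case is what the issue expects from sidekick: the alert arrives in place of the ServerHello, so curl would report (35) rather than the completed TLSv1.1 handshake in the reproduction. A handshake that reaches "SSL connection using TLSv1.1" therefore came from a tls.Config whose MinVersion was not 1.2 on the listener actually serving that port.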

harshavardhana commented 1 year ago

Doesn't feel like sidekick issue anymore.