
Envoy Bootstrap Config Support TLSv1_3 #27

Open
4 tasks
dhiaayachi opened this issue Sep 25, 2024 · 0 comments
Description

When the Consul agent runs with tls_min_version set to TLSv1_3, the Envoy proxies talking to the agent fail with the TLSV1_ALERT_PROTOCOL_VERSION error:

DeltaAggregatedResources gRPC config stream to local_agent closed since 97s ago: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION

This PR updates the Envoy static local_agent cluster to use TLSv1_3 as the maximum protocol version.

Issue reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100

Testing & Reproduction steps

  • Generate Consul CA and Certificates
$ consul tls ca create
$ consul tls cert create -server
  • Create Consul Configuration
$ cat <<EOF > consul.hcl
tls {
  defaults {
    ca_file   = "consul-agent-ca.pem"
    cert_file = "dc1-server-consul-0.pem"
    key_file  = "dc1-server-consul-0-key.pem"

    tls_min_version = "TLSv1_3"
  }
}

ports {
  grpc_tls = 8503
  https = 8501
  http = -1
}
EOF
  • Start a Consul agent
$ consul agent -dev -config-file consul.hcl
  • Set the Consul environment variables for the rest of the commands
$ export CONSUL_CACERT=./consul-agent-ca.pem
$ export CONSUL_HTTP_ADDR=https://127.0.0.1:8501
  • Start an Envoy proxy (we will launch a gateway to avoid service registrations)
$ consul connect envoy -gateway api -service api-gateway -register

This should work without throwing the reported error.

Alternatively, inspect the generated bootstrap config directly:

$ consul connect envoy -gateway api -register -service api-gateway -bootstrap | jq '.static_resources.clusters[0].transport_socket.typed_config.common_tls_context.tls_params'
{
  "tls_maximum_protocol_version": "TLSv1_3"
}
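The following script is an added example, not code from Consul, Envoy or this PR. It performs the same selection as the jq filter above on a bootstrap loaded as JSON, then decides whether the local_agent cluster's tls_params can overlap with an agent tls_min_version, and shows the shape of the fix (raising the maximum to TLSv1_3). The sample bootstrap is constructed and trimmed to the fields the check reads; the defaults used for a missing bound (TLSv1_2 for both minimum and maximum on an upstream, i.e. client-side, context) are an assumption taken from Envoy's documented TlsParameters defaults, and they are what makes an absent or TLSv1_2 maximum fail against a TLSv1_3-only agent.

```python
"""Verify that Envoy's local_agent cluster can negotiate TLS with a Consul
agent whose tls_min_version is raised, and patch the bootstrap if it cannot.

Added example, not code from Consul or Envoy. Assumes Envoy's documented
defaults for an upstream (client) TLS context when tls_params omits a bound.
"""
import json

# TLS protocol versions as Envoy names them, lowest first.
TLS_VERSIONS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]

# Assumption: Envoy's defaults for an upstream (client-side) context when
# tls_params leaves a bound unset. Envoy documents TLSv1_2 for both.
ENVOY_CLIENT_DEFAULT_MIN = "TLSv1_2"
ENVOY_CLIENT_DEFAULT_MAX = "TLSv1_2"

# Constructed sample bootstrap, trimmed to the fields this check reads; not
# captured from a real agent. Its local_agent cluster caps TLS at 1.2, which
# is the situation that produces TLSV1_ALERT_PROTOCOL_VERSION.
SAMPLE_BOOTSTRAP = {
    "static_resources": {
        "clusters": [
            {
                "name": "local_agent",
                "type": "STATIC",
                "transport_socket": {
                    "name": "tls",
                    "typed_config": {
                        "common_tls_context": {
                            "tls_params": {
                                "tls_maximum_protocol_version": "TLSv1_2"
                            }
                        }
                    },
                },
            }
        ]
    }
}


def _rank(version):
    """Position of a version name in TLS_VERSIONS; rejects unknown names."""
    if version not in TLS_VERSIONS:
        raise ValueError(f"unknown TLS version name: {version!r}")
    return TLS_VERSIONS.index(version)


def _local_agent_tls_context(bootstrap):
    """Return the common_tls_context dict of the static cluster local_agent."""
    for cluster in bootstrap.get("static_resources", {}).get("clusters", []):
        if cluster.get("name") == "local_agent":
            return cluster["transport_socket"]["typed_config"]["common_tls_context"]
    raise KeyError("bootstrap has no static cluster named local_agent")


def local_agent_tls_params(bootstrap):
    """Same selection as the jq filter; {} means Envoy's defaults apply."""
    return _local_agent_tls_context(bootstrap).get("tls_params", {})


def check_compatible(agent_min_version, tls_params):
    """Return (ok, reason) for an Envoy client handshaking with the agent.

    The agent refuses anything below tls_min_version and Envoy never offers
    anything above its maximum, so the two ranges must overlap.
    """
    envoy_min = tls_params.get("tls_minimum_protocol_version", ENVOY_CLIENT_DEFAULT_MIN)
    envoy_max = tls_params.get("tls_maximum_protocol_version", ENVOY_CLIENT_DEFAULT_MAX)
    if _rank(envoy_min) > _rank(envoy_max):
        return False, f"invalid tls_params: minimum {envoy_min} is above maximum {envoy_max}"
    if _rank(envoy_max) < _rank(agent_min_version):
        return False, (f"Envoy offers at most {envoy_max} but the agent requires "
                       f"{agent_min_version} or newer: expect TLSV1_ALERT_PROTOCOL_VERSION")
    return True, f"Envoy {envoy_min}..{envoy_max} overlaps agent minimum {agent_min_version}"


def raise_max_to_tls13(bootstrap):
    """Return a copy of the bootstrap with local_agent's maximum set to TLSv1_3.

    This mirrors the shape of the change the PR makes to the generated config.
    """
    fixed = json.loads(json.dumps(bootstrap))  # deep copy via JSON round-trip
    params = _local_agent_tls_context(fixed).setdefault("tls_params", {})
    params["tls_maximum_protocol_version"] = "TLSv1_3"
    return fixed


if __name__ == "__main__":
    for label, cfg in [("before", SAMPLE_BOOTSTRAP),
                       ("after", raise_max_to_tls13(SAMPLE_BOOTSTRAP))]:
        ok, reason = check_compatible("TLSv1_3", local_agent_tls_params(cfg))
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

To run this against a real proxy, replace SAMPLE_BOOTSTRAP with `json.load()` of the output of `consul connect envoy ... -bootstrap` and pass the agent's configured tls_min_version to `check_compatible`. A result of `False` before the proxy is started is the same mismatch the log line above reports after the fact, so the check can sit in a deployment pipeline as a pre-flight test whenever tls_min_version is changed.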

Links

Fixes: hashicorp#21767

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern