
TLS fails due to multiple handshake messages #134

Closed
frederichenry opened this issue Apr 28, 2022 · 2 comments
Labels
question Usability question, not directly related to an error with the image


frederichenry commented Apr 28, 2022

If we try to do a wget to an internal server we always get a connection issue.

```
/prometheus $ wget https://www.internalsite.be
Connecting to www.internalsite.be (x.x.x.x:443)
wget: note: TLS certificate validation not implemented
wget: got bad TLS record (len:337) while expecting certificate
16 03 03 01 51 0c 00 01 49 03 00 17 41 04 cd 3a bf 8e 36 06 e0 b4 4f b6 0a 59 75 aa 1d 21 7b 11 04 b0 f9 70 80 6a 6d a0 c4 6f d2 d9 61 90 ba f5 e7 ef bc e6 64 92 48 2a 04 e1 56 b5 bb f4 3e 34 ab 4c 48 3c b4 e7 49 ab 8b 0c 76 33 61 76 02 01 01 00 8d 29 14 5b 0a 00 3a f3 77 ed 51 ff bc 3a 81 a8 42
wget: error getting response: Connection reset by peer
```

If we try to do a wget to another https website everything works correctly.

While debugging via Wireshark we see the following:

```
92 18.058981001 x.x.x.x x.x.x.x TLSv1.2 592 Server Hello, Certificate
94 18.071352760 x.x.x.x x.x.x.x TLSv1.2 396 Server Key Exchange, Server Hello Done
96 18.071934144 x.x.x.x x.x.x.x TCP 54 54202 → 443 [FIN, ACK] Seq=99 Ack=3321 Win=63440 Len=0
```

Both TLS messages are Multiple Handshake Messages.

It seems like it is only processing the Server Hello, and only in the next message does it check for the Certificate. As this message only contains Server Key Exchange and Server Hello Done, the certificate can't be found.
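The hex dump in the report supports that reading: `16 03 03 01 51` is a handshake record of 337 bytes, and its first message header `0c 00 01 49` is a ServerKeyExchange of 329 bytes, which leaves exactly the 4 bytes of a ServerHelloDone header at the end of the same record. TLS handshake messages are a byte stream layered over records (RFC 5246, section 6.2.1): one record may carry several messages, and one message may span several records. The following is an added example, not BusyBox wget's code, showing a reader that reassembles that stream next to the one-message-per-record shortcut the issue describes. The server flight it parses is constructed to mirror the capture (record 1 = ServerHello + Certificate, record 2 = ServerKeyExchange + ServerHelloDone); the certificate and key-exchange bytes are placeholders, not real key material.

```python
"""
Added example (not busybox wget's code): a minimal TLS 1.2 record reader that
reassembles handshake messages, next to the one-message-per-record shortcut the
issue describes. Sample bytes are constructed to mirror the capture in the issue.
"""
import struct

HANDSHAKE = 0x16                      # record content type: handshake (RFC 5246)
TLS12 = b"\x03\x03"
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 11, 12, 14


def handshake_msg(msg_type, body):
    """HandshakeType(1) + uint24 length + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(payload, content_type=HANDSHAKE):
    """ContentType(1) + ProtocolVersion(2) + uint16 length + fragment."""
    return bytes([content_type]) + TLS12 + struct.pack("!H", len(payload)) + payload


def iter_records(stream):
    """Split a byte string into (content_type, fragment) records; strict on truncation."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype = stream[off]
        length = struct.unpack("!H", stream[off + 3:off + 5])[0]
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        yield ctype, fragment
        off += 5 + length


def naive_handshake_types(stream):
    """The shortcut: treat each handshake record as exactly one message.
    Every message after the first in a coalesced record is silently dropped."""
    return [frag[0] for ctype, frag in iter_records(stream) if ctype == HANDSHAKE]


def handshake_messages(stream):
    """Correct reassembly: buffer record fragments and pull out as many complete
    handshake messages as the buffer holds. Returns [(type, body), ...]."""
    buf = bytearray()
    out = []
    for ctype, frag in iter_records(stream):
        if ctype != HANDSHAKE:
            continue                  # alerts / ChangeCipherSpec not handled here
        buf += frag
        while len(buf) >= 4:
            msg_type = buf[0]
            length = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + length:
                break                 # remainder arrives in a later record
            out.append((msg_type, bytes(buf[4:4 + length])))
            del buf[:4 + length]
    if buf:
        raise ValueError("handshake stream ended mid-message")
    return out


# --- constructed sample flight (placeholder values, not real key material) ---
SERVER_HELLO_BODY = TLS12 + bytes(range(32)) + b"\x00" + b"\xc0\x2f" + b"\x00"
FAKE_CERT = b"\x30\x82" + b"\xaa" * 40              # stand-in for a DER certificate
_cert_entry = len(FAKE_CERT).to_bytes(3, "big") + FAKE_CERT
CERT_BODY = len(_cert_entry).to_bytes(3, "big") + _cert_entry
SKE_BODY = (b"\x03\x00\x17\x41\x04" + b"\x11" * 64   # named_curve secp256r1 + point
            + b"\x04\x01\x00\x08" + b"\x22" * 8)     # sig alg + placeholder signature


def sample_flight(split_certificate=False):
    """Two coalesced records, as in the capture; optionally also split the
    Certificate message across a record boundary."""
    hello = handshake_msg(SERVER_HELLO, SERVER_HELLO_BODY)
    cert = handshake_msg(CERTIFICATE, CERT_BODY)
    ske = handshake_msg(SERVER_KEY_EXCHANGE, SKE_BODY)
    done = handshake_msg(SERVER_HELLO_DONE, b"")
    if split_certificate:
        cut = len(cert) // 2
        return record(hello + cert[:cut]) + record(cert[cut:]) + record(ske + done)
    return record(hello + cert) + record(ske + done)


if __name__ == "__main__":
    flight = sample_flight()
    print("one-per-record:", naive_handshake_types(flight))               # [2, 12]
    print("reassembled:   ", [t for t, _ in handshake_messages(flight)])  # [2, 11, 12, 14]
```

The shortcut sees types `[2, 12]` (ServerHello, then ServerKeyExchange) and never encounters the Certificate, which is exactly the "got bad TLS record while expecting certificate" symptom. The reassembling reader returns all four messages whether or not the server coalesces them, and also copes with a message split across records, which servers are equally entitled to do.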

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Apr 28, 2022
wglambert commented

It could be an oddity with BusyBox's version of wget. I'd try it with the one from debian:bullseye-slim.

If you use Alpine's, it's going to be the same BusyBox variant:

```
$ docker run --rm alpine wget --help
BusyBox v1.34.1 (2022-04-04 10:19:27 UTC) multi-call binary.
```

tianon (Member) commented May 10, 2022

See also #80 -- I definitely do not recommend using the busybox image with TLS. You'll have a much better (and more secure) experience with alpine or installing wget or curl in Debian or Ubuntu (see also buildpack-deps:bullseye-curl).
