TLS 1.3 negotiating disallowed TLS_CHACHA20_POLY1305_SHA256 #4912

Closed
dweomer opened this issue Oct 18, 2023 · 1 comment
Comments

dweomer (Contributor) commented Oct 18, 2023

Environmental Info:
RKE2 Version:

rke2 version v1.28.2+rke2r1 (7466261e4792e68baa2cc0c2afd3dcc929d72061)
go version go1.20.8 X:boringcrypto

Node(s) CPU architecture, OS, and Version:

Cluster Configuration:

  • single server (irrelevant)

Describe the bug:
When configuring the minimum TLS version to 1.3, specifying a subset of the FIPS-allowed cipher suites (possibly not relevant), a client connection from openssl s_client somehow negotiates a cipher of TLS_CHACHA20_POLY1305_SHA256.

Steps To Reproduce:

  • Configuration:
# /etc/rancher/rke2/config.yaml
kube-controller-manager-arg:
- tls-min-version=VersionTLS13
- tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
- tls-min-version=VersionTLS13
- tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
- tls-min-version=VersionTLS13
- tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • Installed RKE2:
curl -fsSL https://get.rke2.io | sudo env INSTALL_RKE2_CHANNEL=v1.28 bash -
sudo systemctl enable --now rke2-server

Expected behavior:

  • The TLS 1.2 connection negotiation should fail:
# openssl s_client -connect 10.43.0.1:443 -tls1_2
CONNECTED(00000003)
4077F596427F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1584:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 188 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1697664558
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
  • The TLS 1.3 connection negotiates one of the allowed AES ciphers.

Actual behavior:

  • The TLS 1.2 connection does fail (as above).
  • The TLS 1.3 connection negotiates TLS_CHACHA20_POLY1305_SHA256 which is not allowed via config:
# openssl s_client -connect 10.43.0.1:443 -tls1_3
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = rke2-server-ca@1697663535
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 CN = rke2-server-ca@1697663535
verify return:1
depth=0 CN = kube-apiserver
verify return:1
---
Certificate chain
 0 s:CN = kube-apiserver
   i:CN = rke2-server-ca@1697663535
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Oct 18 21:12:15 2023 GMT; NotAfter: Oct 17 21:12:15 2024 GMT
 1 s:CN = rke2-server-ca@1697663535
   i:CN = rke2-server-ca@1697663535
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Oct 18 21:12:15 2023 GMT; NotAfter: Oct 15 21:12:15 2033 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = kube-apiserver
issuer=CN = rke2-server-ca@1697663535
---
Acceptable client certificate CA names
CN = rke2-client-ca@1697663535
CN = rke2-request-header-ca@1697663535
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1453 bytes and written 319 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: DA269FA788F08B8A71C6078582C7903DB6C7867D5E50F6F33089095BC95E9571
    Session-ID-ctx:
    Resumption PSK: 14489B02E1B4E06E982DF44A0807138204FE8B6654BFA46D76068748E73039A4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 17 9d ae 03 d7 ce 11 c4-c5 14 04 55 7f c8 e3 17   ...........U....
    0010 - f2 72 50 cb 37 8f 57 16-0e 0e 99 63 97 e1 b6 97   .rP.7.W....c....
    0020 - 4f 8b 88 2d 3f ab 98 7c-1a 43 13 77 1c 7c d3 fc   O..-?..|.C.w.|..
    0030 - 18 75 71 3b c4 a1 1a 13-df 91 22 e6 cc 4c a3 64   .uq;......"..L.d
    0040 - fb 9b 63 0a 0c 02 e2 c7-44 c5 8f ca 2a e1 9d 2e   ..c.....D...*...
    0050 - f0 fe e5 05 94 f2 10 37-a2 b0 ed c0 e4 5d c1 54   .......7.....].T
    0060 - 13 3f 74 02 5c 37 e1 5b-56 b7 cd fb b7 df 38 bd   .?t.\7.[V.....8.
    0070 - 34                                                4

    Start Time: 1697664569
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
^C

Additional context / logs:

One assumes this will be resolved with FIPS 140-3 support from boringssl?

dweomer changed the title from "TLS 1.3 negotiating TLS_CHACHA20_POLY1305_SHA256" to "TLS 1.3 negotiating disallowed TLS_CHACHA20_POLY1305_SHA256" Oct 18, 2023
brandond (Member) commented Oct 18, 2023

Golang intentionally does not allow configuration of cipher suites when using TLS 1.3. I feel like we should close this as WONTFIX given it is not something we can exert control over, as the discussion on that issue goes back 5 years without any change in stance.

dweomer closed this as not planned Oct 18, 2023
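The behaviour reported above and the explanation in brandond's reply can be reproduced in-process without RKE2. The Go program below is an added example, not code from the issue, from RKE2 or from Go; the helper names (selfSignedCert, Negotiate, NegotiateWithClientMax), the loopback listener and the throwaway "localhost" certificate are all its own constructions. Two facts it relies on: crypto/tls documents the CipherSuites field as a TLS 1.0 to 1.2 setting and states that TLS 1.3 cipher suites are not configurable, and the TLS_ECDHE_*_WITH_* names in the config.yaml above are TLS 1.2 suites that do not exist in TLS 1.3, whose only suites are TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256. The example goes one step further than the issue: it lists the TLS 1.3 AES-256 suite itself, on both ends, and shows that even that is not honoured. The Go server chooses among the three from its own fixed order (AES-GCM first only when it detects hardware AES support and the client also lists AES-GCM first, ChaCha20-Poly1305 first otherwise), which is why the negotiated suite here is always AES-128-GCM or ChaCha20, never the configured AES-256-GCM; whether that explains the reporter's node cannot be determined from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway P-256 certificate for "localhost" (a constructed
// fixture, not RKE2's CA) plus a pool trusting only it, so the client really verifies.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: the DER was just produced above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Negotiate runs one handshake over loopback TCP and reports the version and suite the
// server settled on. net.Pipe is avoided: it is unbuffered and would deadlock here.
func Negotiate(serverCfg, clientCfg *tls.Config) (version, suite uint16, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	var state tls.ConnectionState
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			srv := tls.Server(raw, serverCfg)
			if err = srv.Handshake(); err == nil {
				state = srv.ConnectionState()
			}
		}
		srvErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, 0, err
	}
	defer cli.Close()
	if err = <-srvErr; err != nil {
		return 0, 0, err
	}
	return state.Version, state.CipherSuite, nil
}

// NegotiateWithClientMax builds the issue's server config (MinVersion 1.3 plus an explicit
// CipherSuites list) and a verifying client capped at clientMax. Both ends list only
// TLS_AES_256_GCM_SHA384; crypto/tls ignores the field for TLS 1.3 and picks its own suite.
func NegotiateWithClientMax(clientMax uint16) (version, suite uint16, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	server := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13,
		CipherSuites: []uint16{tls.TLS_AES_256_GCM_SHA384}, // no effect on TLS 1.3
	}
	client := &tls.Config{
		RootCAs:      pool,
		ServerName:   "localhost",
		MaxVersion:   clientMax,
		CipherSuites: []uint16{tls.TLS_AES_256_GCM_SHA384}, // no effect on TLS 1.3
	}
	return Negotiate(server, client)
}

func main() {
	ver, suite, err := NegotiateWithClientMax(tls.VersionTLS13)
	fmt.Printf("TLS 0x%04x %s, CipherSuites honoured: %v, err: %v\n", ver, tls.CipherSuiteName(suite), suite == tls.TLS_AES_256_GCM_SHA384, err)
	_, _, err = NegotiateWithClientMax(tls.VersionTLS12) // the "-tls1_2" probe from the issue
	fmt.Println("TLS 1.2-only client:", err)
}
```

The second call reproduces the "expected" half of the report: a client capped at TLS 1.2 is refused by the server's MinVersion, so that part of the configuration does work. To check a live kube-apiserver the way the issue does, `openssl s_client -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -connect host:443` makes the client offer only that one TLS 1.3 suite; a completed handshake means the server accepts it regardless of what tls-cipher-suites says, and the same probe with TLS_AES_128_GCM_SHA256 or TLS_AES_256_GCM_SHA384 shows which other suites the server will take.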