Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Envoy Bootstrap Config Support TLSv1_3 #27

Open
4 tasks
dhiaayachi opened this issue Sep 25, 2024 · 0 comments
Open
4 tasks

Envoy Bootstrap Config Support TLSv1_3 #27

dhiaayachi opened this issue Sep 25, 2024 · 0 comments

Comments

@dhiaayachi
Copy link
Owner

Description

When the Consul agent runs with tls_min_version set to TLSv1_3, the Envoy proxies talking to the agent fails with the TLSV1_ALERT_PROTOCOL_VERSION error.

DeltaAggregatedResources gRPC config stream to local_agent closed since 97s ago: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION

This PR updates the Envoy static local_agent cluster to use TLSv1_3 as the maximum protocol version.

Issue reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100

Testing & Reproduction steps

  • Generate Consul CA and Certificates
$ consul tls ca create
$ consul tls cert create -server
  • Create Consul Configuration
$ cat <<EOF > consul.hcl
tls {
  defaults {
    ca_file   = "consul-agent-ca.pem"
    cert_file = "dc1-server-consul-0.pem"
    key_file  = "dc1-server-consul-0-key.pem"

    tls_min_version = "TLSv1_3"
  }
}

ports {
  grpc_tls = 8503
  https = 8501
  http = -1
}
EOF
  • Start a Consul agent
$ consul agent -dev -config-file consul.hcl
  • Set the Consul Environment Variables for the rest of the commands
export CONSUL_CACERT=./consul-agent-ca.pem
export CONSUL_HTTP_ADDR=https://127.0.0.1:8501
  • Start an Envoy proxy (we will launch a gateway to avoid service registrations)
$ consul connect envoy -gateway api -service api-gateway -register

This should work without throwing the reported error.

Alternatively, inspect the bootstrap config

$ consul connect envoy -gateway api -register -service api-gateway -bootstrap | jq '.static_resources.clusters[0].transport_socket.typed_config.common_tls_context.tls_params'
{
  "tls_maximum_protocol_version": "TLSv1_3"
}

Links

Fixes: hashicorp#21767

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dhiaayachi