.NET 8 WebApi Experiences a TLS Handshake Error when running in a ubi8 FIPS-enabled container #54366
Status: Closed, Resolved (Resolution: Duplicate, resolved as a duplicate of another issue)
Labels: area-networking
Describe the bug
When we run containerised .NET 8 WebApis (both custom and starter templates) over HTTPS in our OpenShift Cluster, which is FIPS-enabled, we experience a handshake error when trying to connect using TLSv1.3.
Example error we receive over CURL from a base WebApi template:
The error only occurs when the container is in FIPS mode; we can successfully host and connect to it on our local desktops (which aren't FIPS-enabled), e.g.
A similar .NET 6 sample application behaves correctly in both above scenarios.
Expected Behavior
We would expect the connection in the FIPS-enabled environment to be successful, i.e. the same response as the example localhost connection.
If we replace the .NET 8 WebApis with .NET 6 sample WebApis, the handshake will successfully complete in the FIPS OpenShift Cluster.
Steps To Reproduce
I was able to recreate the issue locally through Podman + Podman Desktop.
The code is in this repo: https://github.com/KenMcC98/dotnet-webapp1-container
I've tried to keep it as straightforward and simple as I can; there is a bundled README.md which walks through the steps to reproduce, and it will require Podman (or Docker with minor filename/command changes).
The repo contains a basic WebApi that targets .NET 6 and 8. To compare the scenarios described, it contains several containerfiles to simulate FIPS and non-FIPS containers, which are spun up using a compose file.
FIPS mode is simulated for OpenSSL (which .NET uses) using the OPENSSL_FORCE_FIPS_MODE=1 environment variable. This will enforce FIPS compliance for all RedHat distributions of OpenSSL (UBI8 and Fedora).
The included README.md walks through the steps to recreate; a summary of the README steps:
podman-compose up
spawns:
- n8-wa1-ubi8 - .NET 8 on ubi8
- n6-wa1-ubi8 - .NET 6 on ubi8
- n8-wa1-fedora - .NET 8 on Fedora 39
- n6-wa1-fedora - .NET 6 on Fedora 39
curl -kv https://localhost:<8081|8082|8083|8084|8085>/WeatherForecast
The n8-wa1-*-fips containers will experience the errors, with the others being successful.
Exceptions (if any)
When inspecting the container logs, we find the following exception logged at the debug level when the error occurs:
.NET Version
8.0.102
Anything else?
When recreating the issue locally, I was using a Fedora 39 host machine. I installed podman and podman desktop to manage the containers. It does not require or mandate FIPS on the host; FIPS was simulated using the environment variable OPENSSL_FORCE_FIPS_MODE=1 inside the containers.
OpenSSL links:
OpenSSL FIPS - FIPS Module
RedHat OpenSSL Force-FIPS environment variable - Handling FIPS Mode in Upstream Projects
dotnet --info from inside one of the containers used to recreate the issue:
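A diagnostic script added here to narrow the failure down; it is not from the issue or the linked repo. It checks whether the container's OpenSSL is really enforcing FIPS (the MD5-refusal check is an assumption about Red Hat's builds), then pins curl to TLS 1.2 and TLS 1.3 separately against one of the compose ports so the failure can be attributed to the 1.3 path or to the listener as a whole. The port and host are assumptions.

```shell
#!/usr/bin/env bash
# Added diagnostic, not part of the issue or the linked repo. Assumes a container
# started from the README's compose file and an HTTPS port from that file (e.g. 8081).
# Usage: tls_probe.sh <port> [host]

# Report whether this container's OpenSSL is enforcing FIPS. MD5 is not an approved
# digest, so Red Hat's OpenSSL refuses it once FIPS mode (here forced via
# OPENSSL_FORCE_FIPS_MODE=1) is active. Assumption: this holds for the images used.
fips_enforced() {
  if openssl md5 /dev/null >/dev/null 2>&1; then echo no; else echo yes; fi
}

# One handshake with curl pinned to a single TLS version ("1.2" or "1.3").
# Prints "ok" or "fail:<curl exit code>" (35 is curl's SSL connect error).
probe_version() {
  local url="$1" ver="$2" rc
  curl -ks --max-time 5 --"tlsv$ver" --tls-max "$ver" -o /dev/null "$url" >/dev/null 2>&1
  rc=$?
  if [ "$rc" -eq 0 ]; then echo ok; else echo "fail:$rc"; fi
}

# Interpret the pair of results. The report describes TLS 1.3 failing only on the
# FIPS-forced .NET 8 containers; pinning each version separately shows whether the
# failure is confined to the 1.3 path or the whole listener is rejected.
classify() {
  local r12="${1%%:*}" r13="${2%%:*}"
  case "$r12/$r13" in
    ok/ok)   echo "both versions negotiate" ;;
    ok/fail) echo "only TLS 1.3 fails (matches the report)" ;;
    fail/ok) echo "only TLS 1.2 fails" ;;
    *)       echo "no TLS version negotiates" ;;
  esac
}

main() {
  local port="$1" host="${2:-localhost}"
  local url="https://$host:$port/WeatherForecast" r12 r13
  echo "FIPS enforced by OpenSSL: $(fips_enforced)"
  r12=$(probe_version "$url" 1.2)
  r13=$(probe_version "$url" 1.3)
  echo "TLS 1.2: $r12"
  echo "TLS 1.3: $r13"
  echo "Verdict: $(classify "$r12" "$r13")"
}

# Only probe when a port is supplied, so the functions can also be sourced on their own.
if [ -n "${1:-}" ]; then main "$@"; fi
```

Run it inside each container from the compose file (podman exec into it) so the FIPS check reflects that container's OpenSSL rather than the host's.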