
TLSv1.3 issue in ETCD-3.5.5 #15152

Closed
IamSatyaonline opened this issue Jan 20, 2023 · 1 comment
IamSatyaonline commented Jan 20, 2023

What happened?

ETCD-3.4.16 supports TLSv1.3, but ETCD-3.5.5 does not support TLSv1.3. ETCD-3.5.5 supports TLSv1.2 only. Could you please help: how can we get support for TLSv1.3 in ETCD-3.5.5?

What did you expect to happen?

TLSv1.3 support in ETCD-3.5.5.

How can we reproduce it (as minimally and precisely as possible)?

It's reproducible every time.

Anything else we need to know?

No response

Etcd version (please run commands below)

$ etcd --version
# paste output here

$ etcdctl version
# paste output here

bash-4.4$ etcd -version
etcd Version: 3.5.5
Git SHA: 19002cf
Go Version: go1.16.15
Go OS/Arch: linux/amd64

Etcd configuration (command line flags or environment variables)

paste your configuration here

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

$ etcdctl member list -w table
# paste output here

$ etcdctl --endpoints=<member list> endpoint status -w table
# paste output here

Relevant log output

Test results of ETCD-3.4.16 for TLSv1.3:

bash-4.4$ openssl s_client -connect 127.0.0.1:2379
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = key Internal Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = etcd
verify return:1
---
Certificate chain
 0 s:CN = etcd
   i:CN = key Internal Intermediate CA
 1 s:CN = key Internal Intermediate CA
   i:CN = tls Internal Root CA
---
Server certificate
subject=CN = etcd

issuer=CN = key Internal Intermediate CA

---
Acceptable client certificate CA names
CN = etcd Internal Client CA
CN = tls Internal Root CA
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1999 bytes and written 403 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
139744528736896:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42
===========================
Test results on ETCD-3.5.5 for TLSv1.3:

bash-4.4$ openssl s_client -connect 127.0.0.1:2379
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 CN = key Internal Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = etcd
verify error:num=10:certificate has expired
notAfter=Jan 20 10:58:01 2023 GMT
verify return:1
depth=0 CN = etcd
notAfter=Jan 20 10:58:01 2023 GMT
verify return:1
139764543695872:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42
---
Certificate chain
 0 s:CN = etcd
   i:CN = key Internal Intermediate CA
 1 s:CN = key Internal Intermediate CA
   i:CN = tls Internal Root CA
---
Server certificate
subject=CN = etcd

issuer=CN = key Internal Intermediate CA

---
Acceptable client certificate CA names
CN = etcd Internal Client CA
CN = tls Internal Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1807 bytes and written 406 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 90144AB8401DEB181C4BD0ACA1B7CAA65762374188251DE0260465CC8B045D524900B4D3371BAE6A8F87FB75C8D38867
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1674219715
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---
@serathius
Member

Duplicates #13506
