Envoy Bootstrap Config Support TLSv1_3 #21777

Open · wants to merge 2 commits into main

Conversation

Ranjandas (Contributor) commented Sep 20, 2024

Description

When the Consul agent runs with tls_min_version set to TLSv1_3, the Envoy proxies talking to the agent fail with the TLSV1_ALERT_PROTOCOL_VERSION error.

DeltaAggregatedResources gRPC config stream to local_agent closed since 97s ago: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION

This PR updates the Envoy static local_agent cluster to use TLSv1_3 as the maximum protocol version.

Issue reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100

Testing & Reproduction steps

  • Generate Consul CA and Certificates
$ consul tls ca create
$ consul tls cert create -server
  • Create Consul Configuration
$ cat <<EOF > consul.hcl
tls {
  defaults {
    ca_file   = "consul-agent-ca.pem"
    cert_file = "dc1-server-consul-0.pem"
    key_file  = "dc1-server-consul-0-key.pem"

    tls_min_version = "TLSv1_3"
  }
}

ports {
  grpc_tls = 8503
  https = 8501
  http = -1
}
EOF
  • Start a Consul agent
$ consul agent -dev -config-file consul.hcl
  • Set the Consul Environment Variables for the rest of the commands
$ export CONSUL_CACERT=./consul-agent-ca.pem
$ export CONSUL_HTTP_ADDR=https://127.0.0.1:8501
  • Start an Envoy proxy (we will launch a gateway to avoid service registrations)
$ consul connect envoy -gateway api -service api-gateway -register

This should work without throwing the reported error.

Alternatively, inspect the bootstrap config

$ consul connect envoy -gateway api -register -service api-gateway -bootstrap | jq '.static_resources.clusters[0].transport_socket.typed_config.common_tls_context.tls_params'
{
  "tls_maximum_protocol_version": "TLSv1_3"
}

Links

Fixes: #21767

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern
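To make the failure mode above concrete, here is a small added Go checker (illustration only, not code from this PR or from Consul) that reads an Envoy bootstrap, finds the local_agent cluster, applies Envoy's documented client-side defaults to its tls_params (minimum and maximum both TLSv1_2 when unset or TLS_AUTO), and computes the version the proxy and the agent could negotiate against the agent's tls_min_version. The two bootstrap fragments are constructed to mirror the before and after of this PR and are not real `consul connect envoy -bootstrap` output; the assumption that the agent's server side accepts up to TLS 1.3 and the function names are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Version ordering shared by Consul's tls_min_version values and Envoy's TlsProtocol enum names.
var versions = []string{"TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"}

const (
	// Envoy's documented defaults for a client-side (upstream cluster) TLS context when a
	// bound is unset or TLS_AUTO: minimum TLSv1_2 and maximum TLSv1_2. The capped maximum
	// is why an unset tls_maximum_protocol_version cannot meet an agent requiring TLS 1.3.
	envoyClientDefaultMin = "TLSv1_2"
	envoyClientDefaultMax = "TLSv1_2"
	// Assumption: the agent's Go TLS stack negotiates up to TLS 1.3 on the server side.
	consulServerMax = "TLSv1_3"
)

// Only the fields this check needs from the bootstrap JSON.
type tlsParams struct {
	Min string `json:"tls_minimum_protocol_version"`
	Max string `json:"tls_maximum_protocol_version"`
}

type bootstrap struct {
	StaticResources struct {
		Clusters []struct {
			Name            string `json:"name"`
			TransportSocket struct {
				TypedConfig struct {
					CommonTLSContext struct {
						TLSParams tlsParams `json:"tls_params"`
					} `json:"common_tls_context"`
				} `json:"typed_config"`
			} `json:"transport_socket"`
		} `json:"clusters"`
	} `json:"static_resources"`
}

func rank(v string) (int, error) {
	for i, name := range versions {
		if name == v {
			return i, nil
		}
	}
	return 0, fmt.Errorf("unknown TLS version %q", v)
}

// Negotiate returns the highest version inside both the client's and the server's
// [min, max] range; an empty intersection is the condition behind TLSV1_ALERT_PROTOCOL_VERSION.
func Negotiate(clientMin, clientMax, serverMin, serverMax string) (string, error) {
	var bounds [4]int
	for i, v := range []string{clientMin, clientMax, serverMin, serverMax} {
		r, err := rank(v)
		if err != nil {
			return "", err
		}
		bounds[i] = r
	}
	lo, hi := bounds[0], bounds[1]
	if bounds[2] > lo {
		lo = bounds[2]
	}
	if bounds[3] < hi {
		hi = bounds[3]
	}
	if lo > hi {
		return "", fmt.Errorf("no common TLS version: client offers %s..%s, server requires %s..%s (TLSV1_ALERT_PROTOCOL_VERSION)",
			clientMin, clientMax, serverMin, serverMax)
	}
	return versions[hi], nil
}

// CheckBootstrap finds clusterName in an Envoy bootstrap, applies Envoy's client-side
// defaults to its tls_params, and checks the result against the agent's tls_min_version.
func CheckBootstrap(bootstrapJSON []byte, clusterName, agentMinVersion string) (string, error) {
	var b bootstrap
	if err := json.Unmarshal(bootstrapJSON, &b); err != nil {
		return "", err
	}
	for _, c := range b.StaticResources.Clusters {
		if c.Name != clusterName {
			continue
		}
		p := c.TransportSocket.TypedConfig.CommonTLSContext.TLSParams
		if p.Min == "" || p.Min == "TLS_AUTO" {
			p.Min = envoyClientDefaultMin
		}
		if p.Max == "" || p.Max == "TLS_AUTO" {
			p.Max = envoyClientDefaultMax
		}
		return Negotiate(p.Min, p.Max, agentMinVersion, consulServerMax)
	}
	return "", fmt.Errorf("cluster %q not found in bootstrap", clusterName)
}

// Constructed bootstrap fragments (not real consul output): the first leaves the maximum
// unset, the second pins it to TLSv1_3 as this PR does.
const brokenBootstrap = `{"static_resources":{"clusters":[{"name":"local_agent",
 "transport_socket":{"name":"tls","typed_config":{
  "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
  "common_tls_context":{}}}}]}}`

const fixedBootstrap = `{"static_resources":{"clusters":[{"name":"local_agent",
 "transport_socket":{"name":"tls","typed_config":{
  "@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
  "common_tls_context":{"tls_params":{"tls_maximum_protocol_version":"TLSv1_3"}}}}}]}}`

func main() {
	for _, bs := range []string{brokenBootstrap, fixedBootstrap} {
		v, err := CheckBootstrap([]byte(bs), "local_agent", "TLSv1_3")
		fmt.Printf("agent tls_min_version=TLSv1_3 -> negotiated=%q err=%v\n", v, err)
	}
}
```

With the maximum unset, the proxy's effective range collapses to TLSv1_2..TLSv1_2 and the check reports no overlap with an agent that requires TLSv1_3; with the maximum pinned to TLSv1_3 the same agent negotiates TLSv1_3, while an agent left at TLSv1_2 still gets TLSv1_2 from either bootstrap. Note that the check only understands the TLSv1_x spelling of tls_min_version, not Consul's older tls10-style aliases.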

When the Consul agent runs with `tls_min_version` set to TLSv1_3, the Envoy proxies talking to the agent
fail with the `TLSV1_ALERT_PROTOCOL_VERSION` error.

This PR updates the Envoy static local_agent cluster to use TLSv1_3 as its TLS maximum protocol version.

Originally reported at: https://discuss.hashicorp.com/t/consul-tls-min-version-1-3-error/70100
@github-actions github-actions bot added the theme/cli Flags and documentation for the CLI interface label Sep 20, 2024