
Cannot forward request to backend with cipher suites that are compatible with TLS 1.0 or TLS 1.1, like TLS_RSA_WITH_AES_128_CBC_SHA256 #176

Closed
raycw opened this issue Dec 21, 2022 · 4 comments
Labels
bug Something isn't working

Comments


raycw commented Dec 21, 2022

Report

Self-hosted gateway (docker) fails to forward requests to the backend with SSL handshake error.

A backend like https://www.cargosmart.com uses TLS_RSA_WITH_AES_128_CBC_SHA256. When I request an API that forwards requests to that backend, the gateway returns HTTP 500 with the message "Internal server error". Even though I provided TLS_RSA_WITH_AES_128_CBC_SHA256 in net.client.tls.ciphers.allowed-suites, it still errors.

I checked the dotnet SDK documentation; it should be due to the container .NET not including any cipher suites that are compatible with TLS 1.0 or TLS 1.1, so these older protocol versions are effectively disabled by default.

I executed bash in the container, created an openssl.sec1.cnf with the content below and exported OPENSSL_CONF=/app/openssl.sec1.cnf according to dotnet/runtime#44191 (comment); it works now.

```ini
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_config

[ssl_config]
system_default = tls_defaults

[tls_defaults]
CipherString = DEFAULT:@SECLEVEL=1
```

Expected Behavior

Returns HTTP 200 with proper payload

Actual Behavior

Returns HTTP 500 with below payload

```json
{
    "activityId": "545405e0-12b0-4c88-a509-0ab7ead44dcd",
    "message": "Internal server error",
    "statusCode": 500
}
```

Steps to Reproduce the Problem

  1. docker run -d -p 80:8080 -p 443:8081 --name xxxx --env-file env.conf mcr.microsoft.com/azure-api-management/gateway:v2
  2. curl -vvv https://localhost:443/api-portal/apis/ -k

Logs from self-hosted gateway

[Warn] 2022-12-21T06:21:03.132 [FailedToProcessRequest], apiId: api-portal, operationId: wildcardget, tags: 20, httpMethod: GET, source: request-forwarder, exception: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at DotNetty.Common.Utilities.TaskUtil.MakeCancellable(Task task, CancellationToken cancellationToken) in D:\a\1\s\Proxy\SpanNetty\src\DotNetty.Common\Utilities\TaskEx.cs:line 544
   at Gateway.Http.Client.DotNetty.TcpChannelFactory.CreateChannelAsync(IPEndPoint endpoint, RequestedApplicationProtocol requestedApplicationProtocol, TlsInfo tlsMetadata, HttpProxy httpProxyMetadata, Int32 destinationPort, CancellationToken cancellationToken) in D:\a\1\s\Proxy\Gateway.Http.Client.DotNetty\TcpChannelFactory.cs:line 102
   at Gateway.Http.Client.DotNetty.EndpointPool.CreateAsyncInternal(IPipelineContext pipelineContext, ChannelPoolKey channelPoolKey, RequestedApplicationProtocol requestedApplicationProtocol, CancellationToken cancellationToken, GateInfo gateInfo) in D:\a\1\s\Proxy\Gateway.Http.Client.DotNetty\EndpointPool.cs:line 303
   at Gateway.Http.Client.DotNetty.EndpointPool.CreateAsync(IPipelineContext pipelineContext, ChannelPoolKey channelPoolKey, RequestedApplicationProtocol requestedApplicationProtocol, CancellationToken cancellationToken) in D:\a\1\s\Proxy\Gateway.Http.Client.DotNetty\EndpointPool.cs:line 124
   at Gateway.Http.Client.DotNetty.SingleThreadedBackendChannelPool.AcquireAsync(IPipelineContext context, CancellationToken cancellationToken) in D:\a\1\s\Proxy\Gateway.Http.Client.DotNetty\SingleThreadedBackendChannelPool.cs:line 159
   at Gateway.Http.Client.DotNetty.RoundRobinBackendChannelPool.Acquire0(Object state) in D:\a\1\s\Proxy\Gateway.Http.Client.DotNetty\RoundRobinBackendChannelPool.cs:line 73
   at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.TrackLatency[T](ValueTask`1 task, IPipelineContext ctx) in D:\a\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 647
   at Gateway.Http.Client.DotNetty.DotNettyHttpBackend.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Http.Client.DotNetty\DotNettyHttpBackend.cs:line 119
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 49
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.ChildPipeline.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in D:\a\1\s\Proxy\Gateway.Pipeline\ChildPipeline.cs:line 35
   at Gateway.Pipeline.Extensions.ValueTaskExtensions.Await[T](ValueTask`1 input) in D:\a\1\s\Proxy\Gateway.Pipeline\Extensions\ValueTaskExtensions.cs:line 29
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.IO.CallServiceHandler.ProcessAsync(IPipelineContext context, CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Policies.General\IO\CallServiceHandler.cs:line 68
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 49
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.ChildPipeline.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in D:\a\1\s\Proxy\Gateway.Pipeline\ChildPipeline.cs:line 35
   at Gateway.Pipeline.Extensions.ValueTaskExtensions.Await[T](ValueTask`1 input) in D:\a\1\s\Proxy\Gateway.Pipeline\Extensions\ValueTaskExtensions.cs:line 29
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.Policies.PipelineWalker.ExecuteAsync(IPipelineContext context, IEnumerable`1 steps, CancellationToken cancellation) in D:\a\1\s\Proxy\Gateway.Pipeline\PipelineWalker.cs:line 49
   at Microsoft.WindowsAzure.ApiManagement.Proxy.Gateway.PipelineExecutor.ExecuteAsync(IPipelineContext context, CancellationToken cancellationToken) in D:\a\1\s\Proxy\Gateway.Pipeline\PipelineExecutor.cs:line 204, transportError: 0, httpError: 0, correlationId: 545405e0-12b0-4c88-a509-0ab7ead44dcd

Self-hosted Gateway Version

v2

Deployment

Docker (Compose)

Platform

None

Kubernetes Version

None

Anything else?

https://learn.microsoft.com/en-us/azure/api-management/self-hosted-gateway-overview#available-cipher-suites contradicts https://learn.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux

raycw added the bug label Dec 21, 2022
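The workaround above sets `DEFAULT:@SECLEVEL=1` through `system_default`, which lowers the OpenSSL security level for every TLS context the gateway process creates (the inbound listener as well as every backend), not just the one legacy backend. Before accepting that trade, it is worth finding out what the backend actually requires. The script below is an added diagnostic, not code from the issue or from the gateway project: it drives `openssl s_client` at SECLEVEL 2 and 1 and with TLS 1.2 and TLS 1.1 forced, and reduces each attempt to one line. It assumes the `openssl` CLI is installed; the host and port are supplied by the caller, and the sample outputs used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added diagnostic script (not from the issue or the gateway project). It
# probes a backend the way the container's OpenSSL would, at the default
# security level and at SECLEVEL=1, so you learn what the backend really
# needs before lowering the level for the whole process. Assumes the
# openssl CLI is installed; HOST and PORT are supplied by the caller.

# summarize_s_client: reduce raw `openssl s_client` output to one line,
#   "ok <protocol> <cipher>"  or  "fail <alert / reason>".
# A failed handshake still prints an SSL-Session block with "Cipher : 0000",
# so the cipher field alone decides success.
summarize_s_client() {
    out="$1"
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    alert=$(printf '%s\n' "$out" | grep -o 'alert [a-z ]*' | head -n 1)
    if [ -n "$cipher" ] && [ "$cipher" != "0000" ] && [ -n "$proto" ]; then
        echo "ok $proto $cipher"
    elif [ -n "$alert" ]; then
        echo "fail $alert"
    else
        echo "fail no handshake (connection error or unsupported option)"
    fi
}

# probe: one handshake attempt. The cipher string is where @SECLEVEL lives,
# which is the same knob the OPENSSL_CONF workaround sets for every context.
# $4 is an optional protocol flag such as -tls1_2 or -tls1_1.
probe() {
    host="$1"; port="$2"; cipherstr="$3"; protoflag="${4:-}"
    # protoflag is intentionally unquoted so an empty value adds no argument
    raw=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -cipher "$cipherstr" $protoflag </dev/null 2>&1 || true)
    summarize_s_client "$raw"
}

# probe_report: the matrix to check before touching OPENSSL_CONF. A backend
# that only answers at SECLEVEL=1 with -tls1_1 needs a protocol the gateway
# should not speak; one that answers at SECLEVEL=2 -tls1_2 needs no change.
probe_report() {
    host="$1"; port="${2:-443}"
    for level in 2 1; do
        for flag in "" -tls1_2 -tls1_1; do
            printf 'SECLEVEL=%s %-8s -> %s\n' "$level" "${flag:-(any)}" \
                "$(probe "$host" "$port" "DEFAULT:@SECLEVEL=$level" "$flag")"
        done
    done
}

# Usage: sh probe_tls.sh www.example.com 443   (host is the caller's choice)
if [ "$#" -ge 1 ]; then
    probe_report "$1" "${2:-443}"
fi
```

The "sslv3 alert handshake failure" in the gateway log is the server's reply to a ClientHello it cannot accept (no shared protocol version or cipher suite); `s_client` surfaces the same alert text, which is what the parser picks up. Whether SECLEVEL=1 is enough to reach a TLS 1.0/1.1-only backend depends on the OpenSSL build in the image: the Debian-patched OpenSSL 1.1.1 re-enables those versions at level 1, while on OpenSSL 3.x the `-tls1_1` rows generally fail regardless of level. If only the SECLEVEL=1 rows succeed, treat the config file as a temporary, process-wide exception and remove it once the backend moves to TLS 1.2.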
tomkerkhove (Member) commented

Thanks for reporting, however, would you mind opening a support ticket to track this please?


raycw commented Dec 22, 2022

I have created a support ticket, should I close this issue?

tomkerkhove (Member) commented

I'll keep it open until it is fixed. Thanks for reporting.
