[JBoss JIRA] (WFLY-11007) Using OpenShift generated certificates and client auth cause TLS errors
by Sebastian Laskawiec (Jira)
[ https://issues.jboss.org/browse/WFLY-11007?page=com.atlassian.jira.plugin... ]
Sebastian Laskawiec edited comment on WFLY-11007 at 3/28/19 10:42 AM:
----------------------------------------------------------------------
Unfortunately I'm having some difficulties extracting the reproducer. Even when I export the list of CA Certificates, it works without any problems when using {{docker run -v...}} options. So there must be something that OpenShift does extra in this use case. I guess the only way to reproduce it locally is to use {{oc cluster up}}.
I also updated the steps to reproduce to make it a bit easier for you [~iankko][~mchoma].
was (Author: sebastian.laskawiec):
Unfortunately I'm having some difficulties extracting the reproducer. Even when I export the list of CA Certificates, it works without any problems when using {{docker run -v...}} options. So there must be something that OpenShift does extra in this use case. I guess the only way to reproduce it locally is to use {{oc cluster up}}.
> Using OpenShift generated certificates and client auth cause TLS errors
> -----------------------------------------------------------------------
>
> Key: WFLY-11007
> URL: https://issues.jboss.org/browse/WFLY-11007
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web (Undertow)
> Affects Versions: 13.0.0.Final
> Reporter: Sebastian Laskawiec
> Assignee: Stuart Douglas
> Priority: Major
>
> h2. Summary
> It seems that when using OpenShift generated certificates and client auth (with {{want-client-auth="true"}}) the TLS handshake fails with a {{RECV TLSv1.2 ALERT: fatal, record_overflow}} message.
> h2. Explanation
> I'm using {{oc cluster up}} and deploying Keycloak (WF 13 based) on OpenShift local cluster using the (1) template. The service in the template uses OpenShift generated certificates ({{"service.alpha.openshift.io/serving-cert-secret-name": "keycloak-x509-https-secret"}}). Both files are mounted in the Keycloak pod and translated into keystore and truststore (see the configuration after the transformation (2)). Once the pod is up and running, I'm issuing a {{curl}} command as shown in (3). {{curl}} fails saying that {{* error:1408F092:SSL routines:ssl3_get_record:data length too long}}. The server logs with TLS Handshake debugging turned on might be found here (4). As shown in the link, the server has written {{16384}} bytes.
> I also did a test with manually created certificates (5). The result might be found here (6). As shown in the link, we've written {{16050}} bytes instead of {{16384}} and the handshake was successful.
> h2. Possible solution
> Perhaps we should cut the list of CAs transmitted by the server when asking for client auth when it exceeds a certain number of bytes. It would be helpful to write a warn message too.
> Links:
> - (1) Keycloak OCP Template https://gist.github.com/slaskawi/57ed810a7109a02a9d884b61ce2e7f13
> - (2) Transformed configuration https://gist.github.com/slaskawi/92aead6c519b867621129b640b4a3c88
> - (3) curl command https://gist.github.com/slaskawi/3bc32b8e96c2499cb7b48c3c5cb28616
> - (4) https://gist.github.com/slaskawi/b6477fe3cd65890c879cfe6f95359450#file-lo...
> - (5) Keycloak and OpenShift integration demo https://github.com/keycloak/openshift-integration/blob/master/install-key...
> - (6) https://gist.github.com/slaskawi/7fd87e1f2e6c4faf657d9e8289ed3392#file-lo...
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
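A size check for the CA list a server would send in its CertificateRequest, approximating the warning that the report's "Possible solution" asks for. This is an added example, not WildFly or Undertow code: it walks each certificate's DER down to its subject Name, totals the certificate_authorities field as laid out in RFC 5246 section 7.4.4, and flags bundles that would not fit in one 16384-byte TLS record; the certificates, the bundle and the names audit_bundle, make_test_cert and sample_bundle_pem are constructed for this example, and the few extra bytes of the rest of the CertificateRequest message are ignored.

```python
import base64
import re

TLS_MAX_PLAINTEXT = 2 ** 14  # 16384-byte record limit (RFC 5246 6.2.1); the record_overflow boundary

def der_tlv(data, pos=0):  # parse one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_dn_der(cert_der):
    """DER bytes of the subject Name: walk Certificate -> tbsCertificate -> fields in order."""
    _, pos, _ = der_tlv(cert_der)              # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                         # serialNumber, signature, issuer, validity
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)         # subject Name
    return cert_der[pos:end]

def certificate_authorities_size(certs_der):
    """Wire size of certificate_authorities: 2-byte list length, then each DistinguishedName with a 2-byte length."""
    return 2 + sum(2 + len(subject_dn_der(c)) for c in certs_der)

def audit_bundle(pem_text, limit=TLS_MAX_PLAINTEXT):
    """Return (ca_count, wire_size, exceeds_limit) for a PEM CA bundle such as a mounted truststore source."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [base64.b64decode(b) for b in blobs]
    size = certificate_authorities_size(certs)
    return len(certs), size, size > limit

# --- constructed sample input (not valid certificates; short-form DER lengths only) ---
def der_encode(tag, content):
    assert len(content) < 0x80  # short form suffices for these small samples
    return bytes([tag, len(content)]) + content
def make_test_cert(cn):
    """Unsigned stand-in with the real X.509 field order so subject_dn_der can walk it."""
    atv = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))  # CN=cn
    name = der_encode(0x30, der_encode(0x31, atv))  # Name = SEQUENCE OF SET OF AttributeTypeAndValue
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + der_encode(0x30, b"")
           + name + der_encode(0x30, b"") + name + der_encode(0x30, b""))  # version .. subjectPublicKeyInfo
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

def sample_bundle_pem(n):
    """Bundle of n identical CN=ca entries, mimicking an oversized mounted CA file."""
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    return "".join(pem % base64.b64encode(make_test_cert("ca")).decode() for _ in range(n))
```

With the constructed 15-byte names, 900 entries total 15302 bytes and fit, while 1000 entries total 17002 bytes and trip the limit; run audit_bundle on a real bundle's text to check a deployment.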
[JBoss JIRA] (WFLY-11007) Using OpenShift generated certificates and client auth cause TLS errors
by Sebastian Laskawiec (Jira)
[ https://issues.jboss.org/browse/WFLY-11007?page=com.atlassian.jira.plugin... ]
Sebastian Laskawiec edited comment on WFLY-11007 at 3/28/19 10:39 AM:
----------------------------------------------------------------------
[~mchoma] So far I've checked:
- Adding {{-Djsse.SSLEngine.acceptLargeFragments=true}} didn't help; the error message is the same.
- Adding {{-Djsse.enableMFLNExtension=true -Djsse.SSLEngine.acceptLargeFragments=true}} didn't help either.
Let me try to create a reproducer for you.
was (Author: sebastian.laskawiec):
So far I've checked:
- Adding {{-Djsse.SSLEngine.acceptLargeFragments=true}} didn't help; the error message is the same.
- Adding {{-Djsse.enableMFLNExtension=true -Djsse.SSLEngine.acceptLargeFragments=true}} didn't help either.
Let me try to create a reproducer for you.