[
https://issues.jboss.org/browse/WFLY-11007?page=com.atlassian.jira.plugin...
]
Martin Choma commented on WFLY-11007:
-------------------------------------
I have followed your reproducer on OCP 3.11 and I don't see this error:
{code}
curl -vk https://10.128.0.37:8443/auth
* About to connect() to 10.128.0.37 port 8443 (#0)
*   Trying 10.128.0.37...
* Connected to 10.128.0.37 (10.128.0.37) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
* 	subject: CN=keycloak.default.svc
* 	start date: Mar 28 14:49:47 2019 GMT
* 	expire date: Mar 27 14:49:48 2021 GMT
* 	common name: keycloak.default.svc
* 	issuer: CN=openshift-service-serving-signer@1553780535
> GET /auth HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.128.0.37:8443
> Accept: */*
>
< HTTP/1.1 303 See Other
< Connection: keep-alive
< Location: https://10.128.0.37:8443/auth/
< Content-Length: 0
< Date: Thu, 28 Mar 2019 14:51:45 GMT
<
* Connection #0 to host 10.128.0.37 left intact
{code}
Using OpenShift generated certificates and client auth causes TLS errors
-----------------------------------------------------------------------
Key: WFLY-11007
URL: https://issues.jboss.org/browse/WFLY-11007
Project: WildFly
Issue Type: Bug
Components: Security, Web (Undertow)
Affects Versions: 13.0.0.Final
Reporter: Sebastian Laskawiec
Assignee: Stuart Douglas
Priority: Major
h2. Summary
It seems that when using OpenShift generated certificates and client auth (with
{{want-client-auth="true"}}) the TLS handshake fails with {{RECV TLSv1.2 ALERT:
fatal, record_overflow}} message.
h2. Explanation
I'm using {{oc cluster up}} and deploying Keycloak (WF 13 based) on OpenShift local
cluster using the (1) template. The service in the template uses OpenShift generated
certificates ({{"service.alpha.openshift.io/serving-cert-secret-name":
"keycloak-x509-https-secret"}}). Both files are mounted in the Keycloak pod and
translated into keystore and truststore (see the configuration after the transformation
(2)). Once the pod is up and running, I'm issuing a {{curl}} command as shown in (3).
{{curl}} fails saying that {{* error:1408F092:SSL routines:ssl3_get_record:data length too
long}}. The server logs with TLS Handshake debugging turned on might be found here (4). As
shown in the link, the server has written {{16384}} bytes.
I also did a test with manually created certificates (5). The result might be found here
(6). As shown in the link, we've written {{16050}} bytes instead of {{16384}} and the
handshake was successful.
h2. Possible solution
Perhaps we should cut the list of CAs transmitted by the server when asking for client auth
when it exceeds certain number of bytes. It would be helpful to write a warn message too.
Links:
- (1) Keycloak OCP Template
https://gist.github.com/slaskawi/57ed810a7109a02a9d884b61ce2e7f13
- (2) Transformed configuration
https://gist.github.com/slaskawi/92aead6c519b867621129b640b4a3c88
- (3) curl command
https://gist.github.com/slaskawi/3bc32b8e96c2499cb7b48c3c5cb28616
- (4)
https://gist.github.com/slaskawi/b6477fe3cd65890c879cfe6f95359450#file-lo...
- (5) Keycloak and OpenShift integration demo
https://github.com/keycloak/openshift-integration/blob/master/install-key...
- (6)
https://gist.github.com/slaskawi/7fd87e1f2e6c4faf657d9e8289ed3392#file-lo...
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
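The record-size arithmetic behind this report, as an added example that is not part of the issue and not WildFly's or Keycloak's code: it encodes a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) for a constructed list of CA distinguished names, checks whether the whole handshake message fits the 2^14-byte TLSPlaintext limit of RFC 5246 section 6.2.1, and implements the mitigation the reporter proposes in "Possible solution", dropping CAs from the end of the list until the message fits and warning about it. The CA names, the certificate types and the signature algorithm list are constructed assumptions, not values from the reporter's truststore; the check assumes the server emits the CertificateRequest as one record rather than fragmenting it across several, which is what a record_overflow alert against a 16384-byte write points at. With the 68-byte sample DNs used here the message stops fitting at 234 CAs.

```python
"""Size check for a TLS 1.2 CertificateRequest built from a list of CA names.

Added example, not code from WildFly, Keycloak or the issue. Wire format follows
RFC 5246 section 7.4.4; the 2^14-byte limit is the TLSPlaintext fragment bound
of section 6.2.1. All names below are constructed sample data.
"""
import struct

TLS_MAX_PLAINTEXT = 2 ** 14          # 16384 bytes per record (RFC 5246, 6.2.1)
HS_CERTIFICATE_REQUEST = 13          # HandshakeType.certificate_request

# Attribute type OIDs used in the constructed names (DER-encoded OID bodies).
OIDS = {
    "C": b"\x55\x04\x06",    # 2.5.4.6  countryName
    "O": b"\x55\x04\x0a",    # 2.5.4.10 organizationName
    "OU": b"\x55\x04\x0b",   # 2.5.4.11 organizationalUnitName
    "CN": b"\x55\x04\x03",   # 2.5.4.3  commonName
}


def der_length(n):
    """DER definite-form length: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    return bytes([tag]) + der_length(len(payload)) + payload


def encode_name(rdns):
    """Encode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue).

    rdns is an ordered list of (attribute, value) pairs, one attribute per RDN.
    countryName is a PrintableString (0x13); everything else is UTF8String (0x0C).
    """
    out = b""
    for attr, value in rdns:
        value_tag = 0x13 if attr == "C" else 0x0C
        atv = der(0x30, der(0x06, OIDS[attr]) + der(value_tag, value.encode("utf-8")))
        out += der(0x31, atv)          # SET OF one AttributeTypeAndValue
    return der(0x30, out)


def build_certificate_request(authorities,
                              cert_types=b"\x01\x02\x40",        # rsa_sign, dss_sign, ecdsa_sign (assumed)
                              sig_algs=((4, 1), (5, 1), (6, 1),  # sha256/384/512 + rsa (assumed)
                                        (4, 3), (5, 3), (6, 3))):  # sha256/384/512 + ecdsa (assumed)
    """Return the full Handshake message: type (1 byte) + uint24 length + body."""
    body = bytes([len(cert_types)]) + cert_types                  # certificate_types<1..2^8-1>
    sa = b"".join(bytes(p) for p in sig_algs)
    body += struct.pack("!H", len(sa)) + sa                        # supported_signature_algorithms
    ca = b"".join(struct.pack("!H", len(name)) + name for name in authorities)
    if len(ca) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds its 2^16-1 byte bound")
    body += struct.pack("!H", len(ca)) + ca                        # certificate_authorities<0..2^16-1>
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def fits_in_one_record(handshake_msg):
    """True if the message can be sent unfragmented in a single TLSPlaintext record."""
    return len(handshake_msg) <= TLS_MAX_PLAINTEXT


def trim_authorities(authorities, budget=TLS_MAX_PLAINTEXT):
    """Drop CAs from the end of the list until the message fits the budget.

    Returns (kept, dropped). This is the mitigation proposed in the issue,
    not a fix WildFly shipped.
    """
    kept = list(authorities)
    dropped = []
    while kept and len(build_certificate_request(kept)) > budget:
        dropped.append(kept.pop())
    return kept, dropped


def make_ca_names(count):
    """Constructed sample truststore: 'count' DNs of 68 bytes each (not real CAs)."""
    return [encode_name([("C", "US"), ("O", "Example Org"),
                         ("CN", "Example Root CA %04d" % i)]) for i in range(count)]


if __name__ == "__main__":
    for n in (10, 233, 234, 400):
        msg = build_certificate_request(make_ca_names(n))
        print("%3d CAs -> %5d-byte CertificateRequest, fits in one record: %s"
              % (n, len(msg), fits_in_one_record(msg)))
    kept, dropped = trim_authorities(make_ca_names(400))
    if dropped:
        print("WARNING: dropped %d of %d CAs to stay under %d bytes"
              % (len(dropped), len(kept) + len(dropped), TLS_MAX_PLAINTEXT))
```

Each CA costs its DER Name length plus a 2-byte length prefix, so with real truststores the break point depends on how long the issuer DNs are, not only on how many there are; the operational fix is usually a truststore that holds only the CAs that actually sign client certificates, which keeps the list short without silently dropping an issuer the way the trim does.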