Bug #29509

FDI not working with TLS 1.3 enabled

Added by Lars Wagner over 1 year ago. Updated 10 months ago.

Status: Need more information
Priority: Normal
Assignee: -
Category: Image
Triaged: No

Description

The Foreman discovery image is unable to create a host in Foreman if TLS 1.3 is enabled on the Foreman Apache web server. We are running the latest FDI image, version 3.5.7.

The apache error message:

[Thu Apr 09 12:28:18.177779 2020] [ssl:error] [pid 28502:tid 140190165145344] [client 10.10.10.10:42930] AH: verify client post handshake

After explicitly disabling[1] TLS 1.3 in the mod_ssl configuration, everything works as expected.

This might be due to an outdated Ruby OpenSSL library and has been fixed in a future release: https://github.com/ruby/openssl/pull/239/commits/7348165c5024771af1758fdb1bfc222e9277f4bb

[root@fdi ~]# ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.2k  26 Jan 2017

Just let me know if you need any further information.

[1] mod_ssl with TLS 1.3 disabled:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3

Attachment: fdi_failure.png (101 KB), Lars Wagner, 04/09/2020 10:32 AM

History

#1 Updated by Lars Wagner over 1 year ago

Is nobody else running into this issue?

#2 Updated by Lukas Zapletal over 1 year ago

  • Status changed from New to Need more information

Hello, FDI uses the CentOS 7 Ruby. Can you test with the latest CentOS 7 and its Ruby 2.0? If the new update does not fix this, you need to ask CentOS or Red Hat to backport this into Ruby 2.0 or OpenSSL.

#3 Updated by Lars Wagner over 1 year ago

Hi, thank you for your reply. We are already using the latest version of the FDI, 3.5.7 (https://downloads.theforeman.org/discovery/releases/latest/). Or should I build it myself as mentioned here: https://github.com/theforeman/foreman-discovery-image#building ?

Thank you in advance.

#4 Updated by Dominic Schlegel 10 months ago

Just verified it with the latest FDI version 3.7.3 - still not working. The Apache error log shows:

[Tue Feb 09 13:53:47.530618 2021] [ssl:error] [pid 27256:tid 140680739399424] [client 10.10.10.10:58182] AH: verify client post handshake
[Tue Feb 09 13:53:47.530650 2021] [ssl:error] [pid 27256:tid 140680739399424] [client 10.10.10.10:58182] AH10158: cannot perform post-handshake authentication
[Tue Feb 09 13:53:47.530671 2021] [ssl:error] [pid 27256:tid 140680739399424] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
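The three mod_ssl lines above are the signature of a TLS 1.3 client that never advertised the post_handshake_auth extension: when mod_ssl needs a client certificate after the handshake (TLS 1.3 has no renegotiation), OpenSSL's SSL_verify_client_post_handshake fails with "extension not received". As an added example, not part of this bug report or of the Foreman project, the Ruby script below picks those lines out of an Apache error log, counts them per client address, and reports whether the local Ruby/OpenSSL stack can negotiate TLS 1.3 at all; the log lines are constructed from the ones quoted in this report, and the extra info line is made up.

```ruby
require 'openssl'

# Constructed sample: the three mod_ssl lines quoted in this report plus one unrelated info line.
SAMPLE_LOG = <<~LOG
  [Tue Feb 09 13:53:47.530618 2021] [ssl:error] [pid 27256:tid 140680739399424] [client 10.10.10.10:58182] AH: verify client post handshake
  [Tue Feb 09 13:53:47.530650 2021] [ssl:error] [pid 27256:tid 140680739399424] [client 10.10.10.10:58182] AH10158: cannot perform post-handshake authentication
  [Tue Feb 09 13:53:47.530671 2021] [ssl:error] [pid 27256:tid 140680739399424] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
  [Tue Feb 09 13:53:48.000000 2021] [ssl:info] [pid 27256:tid 140680739399424] [client 10.10.10.11:40000] AH01964: Connection to child 12 established (server foreman.example.com:443)
LOG

LINE_RE = /\A\[(?<ts>[^\]]+)\] \[ssl:(?<level>\w+)\] \[pid (?<pid>\d+):tid (?<tid>\d+)\](?: \[client (?<client>[^\]]+)\])? (?<msg>.*)\z/

# Markers of a TLS 1.3 client that did not offer the post_handshake_auth extension.
PHA_MARKERS = [
  /\AAH: verify client post handshake/,
  /\AAH10158:/,
  /SSL_verify_client_post_handshake:extension not received/
].freeze

def parse_ssl_log(text)
  last_client = {} # "pid:tid" => most recent client address logged on that thread
  text.each_line.each_with_object([]) do |line, entries|
    m = LINE_RE.match(line.chomp)
    next unless m
    key = "#{m[:pid]}:#{m[:tid]}"
    # The "SSL Library Error" line has no [client] tag; mod_ssl writes it on the same
    # thread right after AH10158, so attribute it to that thread's last client.
    client = m[:client] || last_client[key]
    last_client[key] = m[:client] if m[:client]
    entries << { ts: m[:ts], level: m[:level], client: client, msg: m[:msg] }
  end
end

# Count post-handshake-auth failures per client so the affected hosts stand out.
def pha_failures_by_client(entries)
  entries.select { |e| PHA_MARKERS.any? { |re| re.match?(e[:msg]) } }
         .group_by { |e| e[:client] || 'unknown' }
         .transform_values(&:size)
end

# The client side of the same check: an FDI linked against OpenSSL 1.0.2 (as in this
# report) has no TLS 1.3 at all and so can never answer a post-handshake auth request.
def local_tls13_support
  {
    compiled_against: OpenSSL::OPENSSL_VERSION,
    linked_with: OpenSSL::OPENSSL_LIBRARY_VERSION,
    tls13_available: OpenSSL::SSL.const_defined?(:TLS1_3_VERSION)
  }
end
```

Run `pha_failures_by_client(parse_ssl_log(SAMPLE_LOG))` on the server and `local_tls13_support` on the discovery image to confirm which side of the connection needs updating before relaxing SSLProtocol.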
