Project

General

Profile

Bug #29509

FDI not working with TLS 1.3 enabled

Added by Lars Wagner 3 months ago. Updated about 2 months ago.

Status:
Need more information
Priority:
Normal
Assignee:
-
Category:
Image
Target version:
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

The foreman discovery image is unable to create host in foreman if TLS 1.3 is enabled on the foreman apache webserver. Wer are running the lastest fdi image version 3.5.7

The apache error message:

[Thu Apr 09 12:28:18.177779 2020] [ssl:error] [pid 28502:tid 140190165145344] [client 10.10.10.10:42930] AH: verify client post handshake

After explicitly disabling1 TLS 1.3 in de mod ssl confiuration everything works as expected.

This might be due to outdated ruby openssl library and has been fixed in a future release: https://github.com/ruby/openssl/pull/239/commits/7348165c5024771af1758fdb1bfc222e9277f4bb

[root@fdi ~]# ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.2k  26 Jan 2017

Just let me know if you need any further information.

[1] mod ssl tls 1.3 disabled

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3

fdi_failure.png View fdi_failure.png 101 KB Lars Wagner, 04/09/2020 10:32 AM
Fdi failure

History

#1 Updated by Lars Wagner 2 months ago

L W wrote:

The foreman discovery image is unable to create host in foreman if TLS 1.3 is enabled on the foreman apache webserver. Wer are running the lastest fdi image version 3.5.7

The apache error message:
[...]

After explicitly disabling1 TLS 1.3 in de mod ssl confiuration everything works as expected.

This might be due to outdated ruby openssl library and has been fixed in a future release: https://github.com/ruby/openssl/pull/239/commits/7348165c5024771af1758fdb1bfc222e9277f4bb
[...]

Just let me know if you need any further information.

[1] mod ssl tls 1.3 disabled
[...]

Is nobody else running into this issue?

#2 Updated by Lukas Zapletal 2 months ago

  • Status changed from New to Need more information

Hello, FDI uses CentOS7 ruby. Can you test with the latest CentOS7 with its Ruby 2.0? If new update does not fix this you need to ask CentOS or Red Hat to backport this into Ruby 2.0 or OpenSSL.

#3 Updated by Lars Wagner 2 months ago

Lukas Zapletal wrote:

Hello, FDI uses CentOS7 ruby. Can you test with the latest CentOS7 with its Ruby 2.0? If new update does not fix this you need to ask CentOS or Red Hat to backport this into Ruby 2.0 or OpenSSL.

Hi, thank you for your reply. We are already using the lastest version of the fdi 3.5.7 (https://downloads.theforeman.org/discovery/releases/latest/) or should I build it by myself as mentioned here: https://github.com/theforeman/foreman-discovery-image#building ?

Thank you in advance.

Also available in: Atom PDF