Bug #29509
open
FDI not working with TLS 1.3 enabled
Description
The foreman discovery image is unable to create host in foreman if TLS 1.3 is enabled on the foreman apache webserver. Wer are running the lastest fdi image version 3.5.7
The apache error message:
[Thu Apr 09 12:28:18.177779 2020] [ssl:error] [pid 28502:tid 140190165145344] [client 10.10.10.10:42930] AH: verify client post handshake
After explicitly disabling1 TLS 1.3 in de mod ssl confiuration everything works as expected.
This might be due to outdated ruby openssl library and has been fixed in a future release: https://github.com/ruby/openssl/pull/239/commits/7348165c5024771af1758fdb1bfc222e9277f4bb
[root@fdi ~]# ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION' OpenSSL 1.0.2k 26 Jan 2017
Just let me know if you need any further information.
[1] mod ssl tls 1.3 disabled
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
Files
Updated by Lars Wagner over 4 years ago
L W wrote:
The foreman discovery image is unable to create host in foreman if TLS 1.3 is enabled on the foreman apache webserver. Wer are running the lastest fdi image version
3.5.7The apache error message:
[...]After explicitly disabling1 TLS 1.3 in de mod ssl confiuration everything works as expected.
This might be due to outdated ruby openssl library and has been fixed in a future release: https://github.com/ruby/openssl/pull/239/commits/7348165c5024771af1758fdb1bfc222e9277f4bb
[...]Just let me know if you need any further information.
[1] mod ssl tls 1.3 disabled
[...]
Is nobody else running into this issue?
Updated by Lukas Zapletal over 4 years ago
- Status changed from New to Need more information
Hello, FDI uses CentOS7 ruby. Can you test with the latest CentOS7 with its Ruby 2.0? If new update does not fix this you need to ask CentOS or Red Hat to backport this into Ruby 2.0 or OpenSSL.
Updated by Lars Wagner over 4 years ago
Lukas Zapletal wrote:
Hello, FDI uses CentOS7 ruby. Can you test with the latest CentOS7 with its Ruby 2.0? If new update does not fix this you need to ask CentOS or Red Hat to backport this into Ruby 2.0 or OpenSSL.
Hi, thank you for your reply. We are already using the lastest version of the fdi 3.5.7 (https://downloads.theforeman.org/discovery/releases/latest/) or should I build it by myself as mentioned here: https://github.com/theforeman/foreman-discovery-image#building ?
Thank you in advance.
Updated by Dominic Schlegel almost 4 years ago
Just verified it with latest FDI version 3.7.3 - still not working. apache error shows:
[Tue Feb 09 13:53:47.530618 2021] [ssl:error] [pid 27256:tid 140680739399424] [client 10.10.10.10:58182] AH: verify client post handshake [Tue Feb 09 13:53:47.530650 2021] [ssl:error] [pid 27256:tid 140680739399424] [client 10.10.10.10:58182] AH10158: cannot perform post-handshake authentication [Tue Feb 09 13:53:47.530671 2021] [ssl:error] [pid 27256:tid 140680739399424] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
Updated by Ewoud Kohl van Wijngaarden about 2 years ago
- Target version deleted (
Discovery Plugin 16.0)