Compose: docker-compose does not have a way to override tls version at the commandline

Created on 21 Mar 2017 · 2 Comments · Source: docker/compose

Using compose, if I set

COMPOSE_TLS_VERSION
DOCKER_TLS_VERIFY
DOCKER_CERT_PATH

docker-compose works fine and gives me no errors. If I decide to use command-line arguments instead of these environment variables, I have no way to set which version of TLS I want to use. For servers that do not support TLS version 1, I get the following errors:

ERROR: SSL error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)

Setting the COMPOSE_TLS_VERSION environment variable and using compose with TLS arguments doesn't seem to work. Compose seems to ignore it if TLS cmdline options are used.


docker-compose binary version 1.9.0 and 1.11.2

area/cli kind/bug

All 2 comments

Indeed - that's a bug on our end. Thank you for reporting it!

This bug is still present. Below are repro steps. This is not exact output; some sensitive information has been scrubbed.

$ docker-compose --verbose version
docker-compose version 1.18.0, build 8dd22a9
docker-py version: 2.6.1
CPython version: 2.7.12
OpenSSL version: OpenSSL 1.0.2j  26 Sep 2016

# With environment variables, but not setting the version, we expect a failure
$ env \
> DOCKER_HOST=tcp://somehost \
> DOCKER_CERT_PATH=$HOME/certs \
> DOCKER_TLS_VERIFY=1 \
> docker-compose up
ERROR: SSL error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)

# Now, setting the COMPOSE_TLS_VERSION variable, we expect success
$ env \
> COMPOSE_TLS_VERSION=TLSv1_2 \
> DOCKER_HOST=tcp://somehost \
> DOCKER_CERT_PATH=$HOME/certs \
> DOCKER_TLS_VERIFY=1 \
> docker-compose up
# compose service comes up successfully, output elided

# With CLI flags, not setting the COMPOSE_TLS_VERSION variable, we expect another failure
$ docker-compose \
> -H tcp://somehost \
> --tlsverify \
> --tlscacert $HOME/certs/ca.pem \
> --tlscert $HOME/certs/cert.pem \
> --tlskey $HOME/certs/key.pem \
> up
ERROR: SSL error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)

# But here, setting the COMPOSE_TLS_VERSION variable, we should expect a success.
# Instead, it fails.
$ env COMPOSE_TLS_VERSION=TLSv1_2 docker-compose \
> -H tcp://somehost \
> --tlsverify \
> --tlscacert $HOME/certs/ca.pem \
> --tlscert $HOME/certs/cert.pem \
> --tlskey $HOME/certs/key.pem \
> up
ERROR: SSL error: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)