Describe the bug
Nginx as a proxy for TLS, restricted to the modern configuration via the Mozilla SSL generator (TLS v1.3).
To Reproduce
Try to send TLS (HTTPS) output to nginx configured for TLS v1.3.
Expected behavior
Support modern TLS versions.
Screenshots
Debug output with tls.debug:
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0934: client hello, got 127 ciphersuites (excluding SCSVs)
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0943: adding EMPTY_RENEGOTIATION_INFO_SCSV
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0992: client hello, compress len.: 1
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0994: client hello, compress alg.: 0
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0069: client hello, adding server name extension: centrallogserver.tld
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0186: client hello, adding signature_algorithms extension
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0271: client hello, adding supported_elliptic_curves extension
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0336: client hello, adding supported_point_formats extension
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0518: client hello, adding encrypt_then_mac extension
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0552: client hello, adding extended_master_secret extension
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 0585: client hello, adding session ticket extension
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 1071: client hello, total extension length: 107
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3184: => write handshake message
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3343: => write record
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3423: output record: msgtype = 22, version = [3:1], msglen = 408
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: dumping 'output record sent to network' (413 bytes)
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0000: 16 03 01 01 98 01 00 01 94 03 03 5d 4b c5 d4 ff ...........]K...
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0010: dc b5 65 8e 30 99 c4 57 96 bd 6b 86 76 37 db dd ..e.0..W..k.v7..
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0020: 81 e2 0f c2 9c 50 0d f9 ee ac 1d 00 01 00 cc a8 .....P..........
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0030: cc a9 cc aa c0 2c c0 30 00 9f c0 ad c0 9f c0 24 .....,.0.......$
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0040: c0 28 00 6b c0 0a c0 14 00 39 c0 af c0 a3 c0 87 .(.k.....9......
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0050: c0 8b c0 7d c0 73 c0 77 00 c4 00 88 c0 2b c0 2f ...}.s.w.....+./
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0060: 00 9e c0 ac c0 9e c0 23 c0 27 00 67 c0 09 c0 13 .......#.'.g....
[2019/08/08 06:48:52] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0070: 00 33 c0 ae c0 a2 c0 86 c0 8a c0 7c c0 72 c0 76 .3.........|.r.v
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0080: 00 be 00 45 cc ac cc ad 00 ab c0 a7 c0 38 00 b3 ...E.........8..
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0090: c0 36 00 91 c0 91 c0 9b c0 97 c0 ab 00 aa c0 a6 .6..............
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 00a0: c0 37 00 b2 c0 35 00 90 c0 90 c0 96 c0 9a c0 aa .7...5..........
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 00b0: 00 9d c0 9d 00 3d 00 35 c0 32 c0 2a c0 0f c0 2e .....=.5.2.*....
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 00c0: c0 26 c0 05 c0 a1 c0 7b 00 c0 00 84 c0 8d c0 79 .&.....{.......y
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 00d0: c0 89 c0 75 00 9c c0 9c 00 3c 00 2f c0 31 c0 29 ...u.....<./.1.)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 00e0: c0 0e c0 2d c0 25 c0 04 c0 a0 c0 7a 00 ba 00 41 ...-.%.....z...A
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 00f0: c0 8c c0 78 c0 88 c0 74 cc ae 00 ad 00 b7 00 95 ...x...t........
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0100: c0 93 c0 99 00 ac 00 b6 00 94 c0 92 c0 98 cc ab ................
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0110: 00 a9 c0 a5 00 af 00 8d c0 8f c0 95 c0 a9 00 a8 ................
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0120: c0 a4 00 ae 00 8c c0 8e c0 94 c0 a8 00 ff 01 00 ................
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0130: 00 6b 00 00 00 1f 00 1d 00 00 1a 6c 6f 67 73 2d .k.........logs-
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0140: 69 6e 74 65 72 6e 61 6c 2e 61 61 73 61 61 6d 2e internal.aasaam.
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0150: 63 6c 6f 75 64 00 0d 00 16 00 14 06 03 06 01 05 cloud...........
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0160: 03 05 01 04 03 04 01 03 03 03 01 02 03 02 01 00 ................
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0170: 0a 00 18 00 16 00 19 00 1c 00 18 00 1b 00 17 00 ................
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0180: 16 00 1a 00 15 00 14 00 13 00 12 00 0b 00 02 01 ................
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3426: 0190: 00 00 16 00 00 00 17 00 00 00 23 00 00 ..........#..
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2755: => flush output
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2774: message length: 413, out_left: 413
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2779: ssl->f_send() returned 413 (-0xfffffe63)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2807: <= flush output
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3476: <= write record
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 3320: <= write handshake message
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 1106: <= write client hello
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 3510: client state: 2
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2755: => flush output
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2767: <= flush output
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 1499: => parse server hello
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4311: => read record
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2536: => fetch input
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2697: in_left: 0, nb_want: 5
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2721: in_left: 0, nb_want: 5
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 8094: <= handshake
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 8084: => handshake
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 3510: client state: 2
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2755: => flush output
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2767: <= flush output
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 1499: => parse server hello
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4311: => read record
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2536: => fetch input
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2697: in_left: 0, nb_want: 5
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2721: in_left: 0, nb_want: 5
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2722: ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2742: <= fetch input
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4047: dumping 'input record header' (5 bytes)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4047: 0000: 15 03 03 00 02 .....
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4056: input record: msgtype = 21, version = [3:3], msglen = 2
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2536: => fetch input
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2697: in_left: 5, nb_want: 7
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2721: in_left: 5, nb_want: 7
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2722: ssl->f_recv(_timeout)() returned 2 (-0xfffffffe)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 2742: <= fetch input
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4233: dumping 'input record from network' (7 bytes)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4233: 0000: 15 03 03 00 02 02 46 ......F
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 5170: got an alert message, type: [2:70]
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 5178: is a fatal alert message (msg 70)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 4369: mbedtls_ssl_handle_message_type() returned -30592 (-0x7780)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_cli.c 1506: mbedtls_ssl_read_record() returned -30592 (-0x7780)
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 8094: <= handshake
[2019/08/08 06:48:53] [error] [io_tls] flb_io_tls.c:348 SSL - A fatal alert message was received from our peer
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 8934: => free
[2019/08/08 06:48:53] [debug] [io_tls] /lib/mbedtls-2.16.1/library/ssl_tls.c 8999: <= free
[2019/08/08 06:48:53] [error] [out_http] no upstream connections available to centrallogserver.tld:8081
After downgrading the nginx TLS config to legacy, the problem is solved.
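To make the failure in the debug output above concrete, here is an added example (not the project's or mbedtls's code) that parses the bytes transcribed from that dump: the ClientHello carries legacy client_version 0x0303 and no supported_versions extension, so TLS 1.2 is the most it can offer, and the server's 7-byte reply decodes as a fatal protocol_version (70) alert. The TLS13_EXTENSIONS block is a constructed contrast, not taken from the log.

```python
import struct

# Copied from the mbedtls debug dump above: the first 11 bytes of the ClientHello record
# (record header, handshake header, legacy client_version) and its 107-byte extensions block.
CLIENT_HELLO_HEAD = bytes.fromhex("1603010198010001940303")
CLIENT_HELLO_EXTENSIONS = bytes.fromhex(
    "0000001f001d00001a6c6f67732d" "696e7465726e616c2e61617361616d2e"
    "636c6f7564000d001600140603060105" "03050104030401030303010203020100"
    "0a001800160019001c0018001b001700" "16001a0015001400130012000b000201"
    "00001600000017000000230000")
SERVER_ALERT = bytes.fromhex("15030300020246")  # the 7-byte alert record from the dump
# Constructed, not from the dump: a supported_versions extension offering 1.3 then 1.2.
TLS13_EXTENSIONS = bytes.fromhex("002b00050403040303")

EXT_SUPPORTED_VERSIONS = 0x002B
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

def parse_extensions(data):
    """Walk an extensions block (without its 2-byte total length) into {type: body}."""
    exts, pos = {}, 0
    while pos + 4 <= len(data):
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        exts[ext_type] = data[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    if pos != len(data):
        raise ValueError("truncated extension block")
    return exts

def max_offered_version(head, extensions):
    """Highest version the ClientHello offers: supported_versions if present (RFC 8446
    section 4.2.1), otherwise the legacy client_version field is the ceiling."""
    if head[0] != 22 or head[5] != 1:  # content type handshake, message type client_hello
        raise ValueError("not a ClientHello handshake record")
    legacy_version = struct.unpack_from("!H", head, 9)[0]
    sv = parse_extensions(extensions).get(EXT_SUPPORTED_VERSIONS)
    if sv is None:
        return legacy_version
    return max(struct.unpack_from("!H", sv, i)[0] for i in range(1, 1 + sv[0], 2))

def parse_alert(record):
    """Decode a TLS alert record into (level, description)."""
    content_type, _version, length = struct.unpack_from("!BHH", record, 0)
    if content_type != 21 or length != 2 or len(record) != 7:
        raise ValueError("not a well-formed alert record")
    level = "fatal" if record[5] == 2 else "warning"
    return level, ALERT_DESCRIPTIONS.get(record[6], f"unknown({record[6]})")
```

Running max_offered_version on the captured bytes returns 0x0303 while the server's alert decodes as ("fatal", "protocol_version"), which is exactly the mismatch a TLS 1.3-only nginx produces against an mbedtls 2.16 client.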
TLS 1.3 is to be supported by mbedtls shortly; as soon as it becomes available we will upgrade to it:
https://tls.mbed.org/tech-updates/blog/a-new-defect-management-approach