Change in TLS cipher suites in kubernetes 1.26?

marc.boorshtein · December 27, 2022, 9:35pm

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: v.1.26.0
Cloud being used: bare metal
Installation method: kubeadm
Host OS: ubuntu 20.04
CNI and version: flannel
CRI and version:

I’m connecting to the API server using Java (Apache HTTP client libraries 4). When I try to connect, the connection hangs on the TLS handshake. It looks like the API server is rejecting the ciphers. Here’s what my client is sending the API server:

TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

The same code works great with 1.25 and below. I’m not seeing any docs on changes to the TLS stack in 1.26. Any idea how I can debug?

Thanks
Marc

mrbobbytables · December 28, 2022, 12:46am

Hm, I’m not sure why it would be different - but I double checked and the supported cipher list is the same for 1.25 and 1.26. Cert expiration maybe? Could also use openssl to probe the apiserver and see what ciphers it lists as supported…maybe a weird config somewhere?

marc.boorshtein · December 28, 2022, 3:46am

so after lots of more digging, there seems to be an issue connecting over the br0 interface to port 6443 from inside of other VMs. What’s REALLY odd is 443 (running container port) works fine. Also this issue doesn’t exist for requests originating from another KVM server with the same config. Something screwy with the bridge device?

carvido1 · January 30, 2023, 10:44am

Hi there @marc.boorshtein

If you are still facing the issue, could you obtain more information with the apache http client in debug mode*(from the same KVM and from another one that works)?

It is possible that the certificates include the IP address of the service. Maybe a misconfiguration in networking cloud lead to the problem you are experiencing.

BR