Java8 FIPS client connection to K8s server

We have RHEL 8 Linux machines with FIPS enabled ( Red Hat Enterprise Linux release 8.8 (Ootpa), 4.18.0-477.13.1.el8_8.x86_64 #1 SMP Thu May 18 10:27:05 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux ) and a very simple Java client running on one of them that connects to the K8s API server to list the pods.

import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1PodList;
import io.kubernetes.client.util.Config;
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.models.V1Pod;
import java.io.IOException;


/**
 * Minimal Kubernetes API client: prints the names of the pods in the
 * {@code default} namespace to standard output.
 *
 * <p>This class sets no TLS options of its own. The protocol versions, cipher
 * suites and key-exchange groups offered to the API server are therefore decided
 * by the client library and the JVM's security configuration, not by this code.
 */
public class KubernetesClientExample {
    /**
     * Builds a default API client, lists the pods and prints one name per line.
     *
     * @param args unused
     * @throws IOException declared for the client setup; caught and reported below
     * @throws ApiException declared for the API call; caught and reported below
     */
    public static void main(String[] args) throws IOException, ApiException {
        final String targetNamespace = "default";
        try {
            // Endpoint, CA bundle and credentials are resolved by the library, not set here
            // (presumably from the local kubeconfig or in-cluster settings; confirm for the
            // client version in use).
            ApiClient apiClient = Config.defaultClient();
            CoreV1Api coreApi = new CoreV1Api(apiClient);

            // The request is sent here, so connection and TLS handshake failures surface
            // from this call, wrapped in an ApiException.
            V1PodList pods = coreApi.listNamespacedPod(
                    targetNamespace, null, false, null, null, null, 0, null, null, 0, false);

            System.out.println("Pods in namespace " + targetNamespace + ":");
            pods.getItems().forEach(pod -> System.out.println(pod.getMetadata().getName()));
        } catch (ApiException | IOException failure) {
            // Best-effort reporting only: the failure is printed and the program ends normally.
            System.out.println("Exception when calling Kubernetes API: " + failure.getMessage());
            failure.printStackTrace();
        }
    }
}

Java is JDK8 and it is FIPS enabled too.
Java version :

openjdk version "1.8.0_382"
OpenJDK Runtime Environment (build 1.8.0_382-b05)
OpenJDK 64-Bit Server VM (build 25.382-b05, mixed mode)

When I run the client program, I keep getting the SSL handshake error below from the K8s API server.

Exception when calling Kubernetes API: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
io.kubernetes.client.openapi.ApiException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

        at io.kubernetes.client.openapi.ApiClient.execute(ApiClient.java:888)
        at io.kubernetes.client.openapi.apis.CoreV1Api.listNamespacedPodWithHttpInfo(CoreV1Api.java:32310)
        at io.kubernetes.client.openapi.apis.CoreV1Api.listNamespacedPod(CoreV1Api.java:32199)
        at KubernetesClientExample.main(KubernetesClientExample.java:18)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

After digging further, I found that it is a TLS cipher suite mismatch between my Java client and the K8s API server during the handshake:

javax.net.ssl|FINE|01|main|2023-09-01 11:43:13.195 PDT|ClientHello.java:564|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "D6 7A E2 1A 96 21 F4 F7 04 01 18 B8 2E 69 ED DF 5A ED 04 37 D6 87 72 CF 4D 20 B8 D1 75 BD B0 9E",
  "session id"          : "72 EF CD 77 7B C1 16 0A F8 35 36 9D CC 6D 80 A5 11 27 7A 0A 4B EB B6 C2 8A BD 57 67 5B D7 E8 29",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=k8s-api.com
    },
    "supported_groups (10)": {
      "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1, rsa_md5]
    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": ffdhe2048
          "key_exchange": {
            0000: 4B 0C BC F5 D0 EC EF 64   93 FD 72 FB CD 50 07 CB  K......d..r..P..
            0010: 1E 18 7A 33 4E C1 D9 ED   D9 17 39 52 41 CA 0B DC  ..z3N.....9RA...
            0020: 96 65 F1 4C 2C 46 B4 10   6E 58 CB F1 B2 57 2D 19  .e.L,F..nX...W-.
            0030: F3 EB 74 13 8A 0C 3C 00   EE 19 56 7E 20 72 6E 53  ..t...<...V. rnS
            0040: 33 F2 54 32 01 0D AD 5C   17 37 9B D5 C3 69 79 A4  3.T2...\.7...iy.
            0050: 75 CE C7 16 AA 7F 76 74   AF 6E 9A 07 CF C2 41 8C  u.....vt.n....A.
            0060: FD 29 B0 F1 5D 8F 53 BE   E3 2D 20 98 5F 2D E4 3C  .)..].S..- ._-.<
            0070: 54 40 3C FA A6 71 CB C4   B2 7F 6A 14 66 2E E5 F1  T@<..q....j.f...
            0080: DA 21 20 1F 32 04 EB A2   E0 42 BD DD 88 19 52 61  .! .2....B....Ra
            0090: 0C E5 DA 02 7E 18 F7 9E   FD 59 91 9D 22 CA 37 88  .........Y..".7.
            00A0: 9E 34 B9 B7 9F 57 BC F9   78 58 C3 D5 E2 BC 84 5B  .4...W..xX.....[
            00B0: 34 ED 05 1D 8B 5B 8A BC   8B 24 D3 0D 06 3D C9 0B  4....[...$...=..
            00C0: 0B FE 77 A9 0B D7 9E 65   6A 50 2B 13 00 AE 01 F5  ..w....ejP+.....
            00D0: 4C 80 B8 0B DC 73 46 32   C1 FD 62 45 E2 E7 C8 03  L....sF2..bE....
            00E0: 29 B0 35 29 57 8B C3 02   7E D7 A3 E4 5A 80 5B AC  ).5)W.......Z.[.
            00F0: 28 E3 78 38 F9 75 86 C1   14 59 B1 22 2D 09 07 57  (.x8.u...Y."-..W
          }
        },
      ]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|FINE|01|main|2023-09-01 11:43:13.197 PDT|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|SEVERE|01|main|2023-09-01 11:43:13.197 PDT|TransportContext.java:323|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:318)

We are using the default cipher suites provided by K8s.

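I am wondering whether the K8s API server supports cipher suites that are compliant with Java 8 in FIPS mode.
From the debug log, it looks like the client is sending the cipher suites below to the K8s server. Note that none of them uses ECDHE key exchange, and the supported_groups extension in the ClientHello above lists only ffdhe groups (no elliptic-curve groups):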

"[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A)]"

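The following are the protocols and cipher suites supported with Java 8 in FIPS mode. This is the "supported" list, which is much larger than the seven suites the client actually offers in the ClientHello above: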

Supported Protocols: 6
 TLSv1.3
 TLSv1.2
 TLSv1.1
 TLSv1
 SSLv3
 SSLv2Hello

Enabled Protocols: 5
 TLSv1.3
 TLSv1.2
 TLSv1.1
 TLSv1
 SSLv3

Supported Cipher Suites:
 1. TLS_AES_128_GCM_SHA256
 2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 3. TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 4. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 5. TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 7. TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 8. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 9. TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 10. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 11. TLS_DHE_DSS_WITH_AES_256_CBC_SHA
 12. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 13. TLS_DHE_DSS_WITH_AES_128_CBC_SHA
 14. TLS_RSA_WITH_AES_256_GCM_SHA384
 15. TLS_RSA_WITH_AES_128_GCM_SHA256
 16. TLS_RSA_WITH_AES_256_CBC_SHA256
 17. TLS_RSA_WITH_AES_128_CBC_SHA256
 18. TLS_RSA_WITH_AES_256_CBC_SHA
 19. TLS_RSA_WITH_AES_128_CBC_SHA
 20. SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 21. SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 22. SSL_RSA_WITH_3DES_EDE_CBC_SHA
 23. TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 24. TLS_DH_anon_WITH_AES_256_GCM_SHA384
 25. TLS_DH_anon_WITH_AES_128_GCM_SHA256
 26. TLS_DH_anon_WITH_AES_256_CBC_SHA256
 27. TLS_DH_anon_WITH_AES_256_CBC_SHA
 28. TLS_DH_anon_WITH_AES_128_CBC_SHA256
 29. TLS_DH_anon_WITH_AES_128_CBC_SHA
 30. SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 31. SSL_RSA_WITH_RC4_128_SHA
 32. SSL_RSA_WITH_RC4_128_MD5
 33. SSL_DH_anon_WITH_RC4_128_MD5
 34. SSL_RSA_WITH_DES_CBC_SHA
 35. SSL_DHE_RSA_WITH_DES_CBC_SHA
 36. SSL_DHE_DSS_WITH_DES_CBC_SHA
 37. SSL_DH_anon_WITH_DES_CBC_SHA
 38. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 39. SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 40. SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
 41. SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 42. SSL_RSA_EXPORT_WITH_RC4_40_MD5
 43. SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
 44. TLS_RSA_WITH_NULL_SHA256
 45. SSL_RSA_WITH_NULL_SHA
 46. SSL_RSA_WITH_NULL_MD5
 47. TLS_KRB5_WITH_3DES_EDE_CBC_SHA
 48. TLS_KRB5_WITH_3DES_EDE_CBC_MD5
 49. TLS_KRB5_WITH_RC4_128_SHA
 50. TLS_KRB5_WITH_RC4_128_MD5
 51. TLS_KRB5_WITH_DES_CBC_SHA
 52. TLS_KRB5_WITH_DES_CBC_MD5
 53. TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
 54. TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
 55. TLS_KRB5_EXPORT_WITH_RC4_40_SHA
 56. TLS_KRB5_EXPORT_WITH_RC4_40_MD5

The K8s version we are using is v1.23.7. I understand it is an older version; we are in the process of upgrading to a newer one.

Any input is much appreciated. Thanks.