Unexpected ssl.sigalgs error in version 1.17 #14708

Closed
sefaphlvn opened this issue Jan 14, 2021 · 4 comments
Labels
area/tls question Questions that are neither investigations, bugs, nor enhancements

Comments

@sefaphlvn

Title: I got an unexpected ssl.sigalgs error in version 1.17

Description:
When I upgraded Envoy from 1.16.2 to 1.17.0, I got this message.
I didn't have it in version 1.16.2.

I think this is related to UpstreamTlsContext, because when I switch to a non-SSL upstream and delete the transport socket conf, everything is fine.

CDS

---
"@type": type.googleapis.com/envoy.config.cluster.v3.Cluster
circuit_breakers:
  thresholds:
  - max_connections: 10000
    max_pending_requests: 200000
    max_requests: 200000
    max_retries: 3
    priority: DEFAULT
common_lb_config:
  healthy_panic_threshold:
    value: 0
connect_timeout: 15s
eds_cluster_config:
  eds_config:
    path: "/usr/envoy_domains/kesfet-eds_eds.conf"
    resource_api_version: V3
  service_name: kesfet-eds
health_checks:
- healthy_threshold: 2
  interval: 3s
  no_traffic_interval: 4s
  tcp_health_check: {}
  timeout: 2s
  unhealthy_threshold: 2
lb_policy: LEAST_REQUEST
max_requests_per_connection: 32768
name: kesfet-cds
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
type: EDS
upstream_connection_options:
  tcp_keepalive:
    keepalive_interval: 75
    keepalive_probes: 3
    keepalive_time: 900

Error Log

Jan 14 22:03:40 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:03:40.379][29951][error][envoy_bug] [external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
Jan 14 22:03:48 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:03:48.394][29951][error][envoy_bug] [external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
Jan 14 22:03:56 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:03:56.434][29951][info][main] [external/envoy/source/server/drain_manager_impl.cc:70] shutting down parent after drain
Jan 14 22:04:04 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:04:04.419][29951][error][envoy_bug] [external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
Jan 14 22:04:36 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:04:36.468][29951][error][envoy_bug] [external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
Jan 14 22:05:40 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:05:40.574][29951][error][envoy_bug] [external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
Jan 14 22:07:48 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:07:48.788][29951][error][envoy_bug] [external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
Jan 14 22:12:05 ENVOY-TEST-01 www_example_com[29943]: [2021-01-14 22:12:05.197][29951][error][envoy_bug] [external/envoy/source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
@sefaphlvn sefaphlvn added the triage Issue requires triage label Jan 14, 2021
@htuch
Member

htuch commented Jan 14, 2021

See https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.17.0:

tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults.

CC @PiotrSikora

@htuch htuch added area/tls question Questions that are neither investigations, bugs, nor enhancements and removed triage Issue requires triage labels Jan 14, 2021
@sefaphlvn
Author

Thank you

@PiotrSikora
Contributor

> See https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.17.0:
>
> tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults.
>
> CC @PiotrSikora

@htuch that's not it at all. It's a bug in #14534, fixed in #14703, and hopefully released soon in 1.171.

@Gsantomaggio

Gsantomaggio commented Feb 15, 2021

I can confirm that this bug hasn't been solved yet.

envoy --version
envoy  version: 5c801b25cae04f06bf48248c90e87d623d7a6283/1.17.0/Modified/DEBUG/BoringSSL

conf:

            - name: envoy.filters.network.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: ingress
                cluster: amqps
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                tls_certificates:
                  - certificate_chain: { filename: "tls-gen/basic/result/server_certificate.pem" }
                    private_key: { filename: "tls-gen/basic/result/server_key.pem" }
....  


      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            tls_params:
              tls_minimum_protocol_version: "TLSv1_2"

the

[2021-02-13 11:37:11.934][5488815][debug][connection] [source/common/network/connection_impl.cc:666] [C1] connected
[2021-02-13 11:37:11.940][5488815][error][envoy_bug] [source/extensions/transport_sockets/tls/context_impl.cc:643] envoy bug failure: value_stat_name != fallback. Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256
[2021-02-13 11:37:11.940][5488815][critical][backtrace] [bazel-out/darwin-fastbuild/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:104] Caught Abort trap: 6, suspect faulting address 0x7fff6a28033a
[2021-02-13 11:37:11.940][5488815][critical][backtrace] [bazel-out/darwin-fastbuild/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:91] Backtrace (use tools/stack_decode.py to get line numbers):
[2021-02-13 11:37:11.940][5488815][critical][backtrace] [bazel-out/darwin-fastbuild/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:92] Envoy version: 5c801b25cae04f06bf48248c90e87d623d7a6283/1.17.0/Modified/DEBUG/BoringSSL

Thank you for working on it
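
An added example, not part of the thread or of the Envoy project: a small triage script for logs in the format quoted in this issue. It counts each unexpected `ssl.sigalgs` value reported by `envoy_bug` lines and lists the threads where an abort backtrace followed, as in the second excerpt. The function name, host names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Layout seen in the logs above: [timestamp][thread][level][component] [source:line] message
LINE_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<level>\w+)\]\[(?P<component>\w+)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)"
)
BUG_RE = re.compile(r"envoy bug failure: (?P<cond>.*?)\. Details: (?P<details>.*)")
SIGALG_RE = re.compile(r"Unexpected ssl\.sigalgs value: (?P<alg>\S+)")


def triage(lines):
    """Count unexpected sigalgs per value and list threads that aborted after an envoy_bug hit."""
    sigalgs, bug_threads, aborted = Counter(), set(), set()
    for line in lines:
        m = LINE_RE.search(line)  # search() skips any syslog prefix before the Envoy part
        if not m:
            continue
        if m["component"] == "envoy_bug":
            bug = BUG_RE.search(m["msg"])
            if not bug:
                continue
            bug_threads.add(m["tid"])
            alg = SIGALG_RE.search(bug["details"])
            if alg:
                sigalgs[alg["alg"]] += 1
        elif (m["component"] == "backtrace" and "Caught Abort" in m["msg"]
              and m["tid"] in bug_threads):
            aborted.add(m["tid"])
    return {"sigalgs": dict(sigalgs), "aborted_threads": sorted(aborted)}


# Constructed sample lines, modelled on the two log excerpts in this issue.
_BUG = ("[error][envoy_bug] [source/extensions/transport_sockets/tls/context_impl.cc:643] "
        "envoy bug failure: value_stat_name != fallback. "
        "Details: Unexpected ssl.sigalgs value: rsa_pkcs1_sha256")
SAMPLE = [
    "Jan 14 22:03:40 host-a envoy[100]: [2021-01-14 22:03:40.379][29951]" + _BUG,
    "Jan 14 22:03:56 host-a envoy[100]: [2021-01-14 22:03:56.434][29951][info][main] "
    "[source/server/drain_manager_impl.cc:70] shutting down parent after drain",
    "Jan 14 22:04:04 host-a envoy[100]: [2021-01-14 22:04:04.419][29951]" + _BUG,
    "[2021-02-13 11:37:11.940][5488815]" + _BUG,
    "[2021-02-13 11:37:11.940][5488815][critical][backtrace] [server/backtrace.h:104] "
    "Caught Abort trap: 6, suspect faulting address 0x0",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```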
