我有一个 kubernetes ingress 服务,将流量转发到 IBM HTTP Server 上的 SSL 端口,但连接失败,
SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.
如果我通过代理转发 HTTP 服务器的端口来绕过入口,一切都会正常,所以我猜这与入口配置有关。
但是从错误信息中我无法理解问题可能是什么。
完整的握手日志是
[ibm_ssl:debug] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL handshake initiated [10.0.77.139:44716 -> 10.0.34.215:8000] fd 17 userdata 7f2007ffed00
[ibm_ssl:debug] [pid 202:tid 139775549896448] mod_ibm_ssl.c(1184): About to handshake: SSLV2 not enabled, SSLV3 not enabled, TLSv10 not enabled, TLSv11 not enabled, TLSv12 ciphers='TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA', FIPS is disabled
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [5] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [5] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [183] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [183] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write begin bytes [7] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write end bytes [7] err [0] to [0]
[ibm_ssl:error] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.[10.0.77.139:44716 -> 10.0.34.215:8000] [0 ms]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] Handshake transcript:
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] <client_hello>
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] client_version
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] TLSV12
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] random
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_32Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 69aaf182
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_Opaque
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 28
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 01 C4 38 FA 9D 07 48 B8 78 7F 5E 99 4F D3 F9 22 ..8...H.x.^.O.."
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] D1 FA F7 8F 0A 44 4D 05 AF 68 07 67 .....DM..h.g
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] session_id
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 00
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] cipher_suites
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 56
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] C0 2C C0 30 00 9F CC A9 CC A8 CC AA C0 2B C0 2F .,.0.........+./
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 9E C0 24 C0 28 00 6B C0 23 C0 27 00 67 C0 0A ...$.(.k.#.'.g..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] C0 14 00 39 C0 09 C0 13 00 33 00 9D 00 9C 00 3D ...9.....3.....=
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 3C 00 35 00 2F 00 FF .<.5./..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] tls_ecdhe_ecdsa_with_aes_256_gcm_sha384,tls_ecdhe_rsa_with_aes_256_gcm_sha384,tls_dhe_rsa_with_aes_256_gcm_sha384,tls_ecdhe_ecdsa_with_chacha20_poly1305_sha256,tls_ecdhe_rsa_with_chacha20_poly1305_sha256,tls_dhe_rsa_with_chacha20_poly1305_sha256,tls_ecdhe_ecdsa_with_aes_128_gcm_sha256,tls_ecdhe_rsa_with_aes_128_gcm_sha256,tls_dhe_rsa_with_aes_128_gcm_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha384,tls_ecdhe_rsa_with_aes_256_cbc_sha384,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha256,tls_ecdhe_rsa_with_aes_128_cbc_sha256,tls_dhe_rsa_with_aes_128_cbc_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha,tls_ecdhe_rsa_with_aes_256_cbc_sha,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha,tls_ecdhe_rsa_with_aes_128_cbc_sha,unknown,tls_rsa_with_aes_256_gcm_sha384,tls_rsa_with_aes_128_gcm_sha256,tls_rsa_with_aes_256_cbc_sha256,tls_rsa_with_aes_128_cbc_sha256,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_aes_128_cbc_sha,tls_ri_scsv
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] compression_methods
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 01
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 .
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Extensions
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 82
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 0B 00 04 03 00 01 02 00 0A 00 0C 00 0A 00 1D ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 17 00 1E 00 19 00 18 00 23 00 00 00 16 00 00 .........#......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 17 00 00 00 0D 00 2A 00 28 04 03 05 03 06 03 .......*.(......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 08 07 08 08 08 09 08 0A 08 0B 08 04 08 05 08 06 ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 06 02 ..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Extension Count: 6
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] ec_point_formats
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] uncompressed,ansiX962_compressed_prime,ansiX962_compressed_char2
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] elliptic_curves
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] unknown,secp256r1,unknown,secp521r1,secp384r1
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] session_ticket
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] encrypt_then_mac
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] extended_master_secret
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] signature_algorithms
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] ecdsa:sha256,ecdsa:sha384,ecdsa:sha512,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,rsa:sha256,rsa:sha384,rsa:sha512,ecdsa:sha224,rsa:sha224,dsa:sha224,dsa:sha256,dsa:sha384,dsa:sha512
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] end handshake transcript
入口使用正确的签名证书,使用具有多个主题备用名称的通配符证书,并且已添加到 IBM HTTP Server 信任库。
HTTP 服务器使用自签名的证书,并以 kubernetes 服务 FQDN 作为主题备用名称。
问题是 a) 入口控制器直接使用的证书?b) 入口控制器使用的某些中间证书?c) 密钥交换协议存在问题?d) http 服务器自己的自签名证书存在问题?
提前致谢
答案1
事实证明,问题出在我的自签名证书上,该证书使用的是 sha1 签名算法。在将其正确更改为 sha256 签名算法后,问题就解决了。
IE
openssl req -new -key mykey.pem -out /tmp/mycsr.csr -config myconfig.properties -sha256
openssl x509 -req -days 3650 -sha256 -in /tmp/mycsr.csr -signkey mykey.pem -out /tmp/mycert.cert -extensions req_ext -extfile myconfig.properties
myconfig.properties 为
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=Country
ST=State
L=City
O=O
OU=OU
emailAddress=myemail@domain
CN = default.svc.cluster.local
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = *.default.svc.cluster.local