New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
verify_outgoing
not supported on gRPC listener; verify_incoming
breaks Consul Connect envoy sidecars
#13088
Comments
the same issue applies to consul |
just another note, the same issue applies in all combinations of consul |
The PR that changed this config parsing was #12504, which may be helpful in tracking down a possible regression - specifically the change in |
Reports of this issue have been showing up in a few Nomad channels. I just want to clarify that this bug is not related to Nomad and can be reproduced using only Consul / envoy.
|
indeed - with or without nomad managing the sidecar configuration, consul 1.12.0 is completely unable to interop with envoy with the introduction of this regression |
We (Consul Core) are looking into this and should have some feedback for you shortly. |
Hi @quinndiggitypolymath 👋🏻 Thanks for the report! It looks like this is a regression in the way we handle the (now deprecated) top-level Prior to 1.12, it wasn't possible to enable TLS client-auth on Consul's gRPC port. From 1.12 onwards, you can enable it with We should be maintaining the old behavior when translating from the deprecated If you're using the new-style TLS configuration, you can explicitly disable it by setting In the future, we may want to update the |
@boxofrad, while I appreciate the suggested workaround, the preference would really be to correctly leverage mTLS on envoy's gRPC client connections, so as to not require the disabling of this rather important validation; hopefully the following is a relevant/useful overview of the method envoy exposes in order to do so: https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/securing#use-mutual-tls-mtls-to-connect-with-client-certificates
|
A viable workaround I believe would be leveraging |
specifically how to configure the gRPC tls client keypair in envoy's specific implementation, as the
|
and on the nomad side:
|
last note until I can revisit this issue, as we use vault as the CA for consul/connect, the keypair itself on the nomad side is straightforward via:
|
The envoy specifics of this seem to be:
|
and seems to be leveraged in other areas within consul: Line 11 in 21e855d
|
the consumed by called by (just thinking out loud as I poke around) |
There's the template that'd likely need to be adjusted: https://github.com/hashicorp/consul/blob/v1.12.0/command/connect/envoy/bootstrap_tpl.go#L129 |
Seems
would need to leverage
|
So, potentially:
plus the templating logic |
|
|
So, potentially:
plus the templating logic |
|
yeah, with:
altering the config to include:
and starting with:
envoy is starting up without complaints so that's half the issue sorted |
not a great discovery that gRPC hasn't been validating incoming connections' tls credentials to-date 😑 at least there is |
just until the fix is ready (@boxofrad, pleeeease don't make the default both insecure + unconfigurable; let's fix this vulnerability, not suppress it), a quick means of altering/fixing the envoy bootstrap config is:
where a little more involved on the nomad side, as it requires a prestart task to generate the ultimately this needs the lastly, rather than
|
edit: meant https://github.com/hashicorp/consul/blob/v1.12.0/command/connect/envoy/bootstrap_tpl.go#L5 |
and |
Thanks for taking the time to research this so thoroughly, @quinndiggitypolymath! The approach you mentioned is actually very similar to the way in which we configure mutual-TLS on connections between sidecar proxies in the service mesh. As for Envoy's xDS (gRPC) connections to the Consul agent, these are currently authenticated with an ACL token via the Though it would be possible to have Envoy present a client certificate and for the Consul agent to verify it (your code snippets are on the right tracks) it wouldn't necessarily improve your security posture and would require quite a bit of PKI maintenance overhead. To expand on this: it wouldn't be advisable to give your Envoy sidecars access to the agent's private certificate/key (as this is trusted by Consul servers to secure internal RPC traffic) so you'd need to generate and distribute new client certificates for Envoy, signed by a separate CA. In any case, we'd still rely on ACL tokens for authentication/authorization, requiring client certificates would just provide an additional layer of security by preventing random clients from connecting - which isn't a huge concern as, by default, Consul agents will only bind the gRPC port to the loopback interface. |
Fixes #13088 This is a backwards-compatibility bug introduced in 1.12.
Fixes #13088 This is a backwards-compatibility bug introduced in 1.12.
1.12.0
verify_outgoing
not supported on gRPC listener; verify_incoming
breaks Consul Connect envoy sidecars
@boxofrad, would you be opposed to keeping this issue to track future work on implementing |
Regarding this, envoy doesn't drop permissions as a child process of consul, so it already has access to the agent's private certificate/key |
As well, since |
Defense in depth, etc, etc |
Hi 👋🏻 Help @quinndiggitypolymath ! 😅 I think, i'm in similar situation: #16617 I tried to create a separated CA and cert, but I have always an error. What is the solution you find? Thanks |
Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: #19772 Closes: #16854 Ref: hashicorp/consul#13088
…9970) Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: #19772 Closes: #16854 Ref: hashicorp/consul#13088
…ncoming` Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: #19772 Closes: #16854 Ref: hashicorp/consul#13088
…ncoming` Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: #19772 Closes: #16854 Ref: hashicorp/consul#13088
…ncoming` (#19977) Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: #19772 Closes: #16854 Ref: hashicorp/consul#13088 Co-authored-by: Tim Gross <tgross@hashicorp.com>
…ncoming` (#19976) Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: #19772 Closes: #16854 Ref: hashicorp/consul#13088 Co-authored-by: Tim Gross <tgross@hashicorp.com>
…shicorp#19970) Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: hashicorp#19772 Closes: hashicorp#16854 Ref: hashicorp/consul#13088
…shicorp#19970) Consul does not support incoming TLS verification of Envoy. This failure results in hard-to-understand errors like `SSLV3_ALERT_BAD_CERTIFICATE` in the Envoy allocation logs. Leave a warning about this to users. Closes: hashicorp#19772 Closes: hashicorp#16854 Ref: hashicorp/consul#13088
Configuration that has worked sans issues from as early as consul
1.8.0
to1.11.4
+1.11.5
, and has no issues with envoy1.18.4
,1.18.6
, or1.20.2
(but lacks support for envoy1.22.0
), is broken in consul1.12.0
.It seems consul
1.12.0
is no longer properly configuring envoy's gRPC client's TLS keypair causing:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
for proxies managed by nomad (which also worked without issue for many version) or run with:regardless of the following (redundant) env vars being set:
Is likely due to regressions caused by the recent changes made to decouple the
grpc
/https
/internal_rpc
configurations: https://www.consul.io/docs/upgrading/upgrade-specific#tls-configurationIt seems consul is no longer honouring
verify_outgoing
for envoy's gRPC client outbound connectionsWith or without the following previously fully functional, but now deprecated, options set...:
...all of the following forms all fail to have envoy utilize the configured client keypair:
as well as any of the above utilizing
TLSv1_3
The text was updated successfully, but these errors were encountered: