cryptomb: ssl handleshake always failed in tlsv1.2 #21198
Description
cryptomb: ssl handleshake always failed in tlsv1.2
@ipuustin
Openssl client can't complete ssl handleshake in tlsv1.2 protocol , but can complete tls handshake when use tlsv1.3 protocol.if connect server with tlsv1.2 protocol, envoy will reset the connection.
The difference seems to be in the order of the signature algorithms
Although client hello message offer many signature algorithm, crymtomb always use first signature method.
In the pr, cryptomb remove PKCS1_5 padding support and rsa_pkcs1_sha512 is the first order signature in the client hello message.
In tls1.3 rsa_pss_rsae_sha512 is the first signature algorithm, cymtomb can complete the tls handshake.
- sds config *
{
"@type":"type.googleapis.com/envoy.admin.v3.SecretsConfigDump",
"dynamic_active_secrets":[
{
"name":"kubernetes://f53e12d9e545d73f29584d18e00d1cb8",
"version_info":"2022-05-09T11:24:12+08:00/3",
"last_updated":"2022-05-09T03:24:12.052Z",
"secret":{
"@type":"type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
"name":"kubernetes://f53e12d9e545d73f29584d18e00d1cb8",
"tls_certificate":{
"certificate_chain":{
"inline_bytes":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQrakNDQWVJQ0FRRXdEUVlKS29aSWh2Y05BUUVMQlFBd1JURU9NQXdHQTFVRUNnd0ZTWE4wYVc4eEdEQVcKQmdOVkJBTU1EMGx1ZEdWeWJXVmthV0YwWlNCRFFURVpNQmNHQTFVRUJ3d1FaR2x1WjJScGJtY3RhVzVuY21WegpjekFlRncweU1URXlNVFl4TnpRMU1qaGFGdzB6TVRFeU1UUXhOelExTWpoYU1FRXhJREFlQmdOVkJBTU1GMkpqCmNDNXRjMlV1WVd4cFltRmlZUzFwYm1NdVkyOXRNUjB3R3dZRFZRUUtEQlJCYkdsaVlXSmhJRzl5WjJGdWFYcGgKZEdsdmJqQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUtqUytOVzJ2WWNxbTZXRwpERTdJV1pCMzltdi9RaGlIWERPL0Jaa0R2YmdyUHkyaG1MOS9OZWVQNVpycUI2V0hjYitoREJjTnJmenZOb3pPCitqM0svbzJqSUVyenJrTy9jK3Y5K3hwTkVMbDllRlFZUUdrdCs0a1VxSUM0NEh2U0tleXFNeE95TjQxS25Cc1cKSlU5UDFnSjJ1SmZML3prdkZZRU1lZnJZRzlGNkQ1VWc0NWx5N0xvRWlzVkgyWjNCblN5R1VHWWJ6SEx2RXErcgpCdlZkc3VhNnJGbDc2dGdJZnNxWE15cE9sbWlCMmUyQTBndHlRS1p4WHZndFE3WnI2YmZZbkIyMStOTkkydHlGCkNTZ0ZmK3JGQ1BKWGlyZkpIT3ltMDVVZFhvTjJyeXN6alJrUHJ0SSs4VWxsUEpqVXY3dWloTk43M2xYWkdVY0oKQVk0RVZCY0NBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQUVpcHMxOHk4NWdCN0VJbGwvWWduV0xlOApJblFrTGh0NmZNQ2J0MVEyVDhKcVZ2L0ZsTUZIb090TWZYQnljUmxsMDBTTlF1MXZkZGJHc2tKenNrSjlraEhHCld4THV5TGdPTXlMTGNGVUp1bG9GTzd2L1VMZi9Td2VLbEVuVHNaZDVhcWM0M0JZeURrd2JPU1p2dTVWOS9PdWoKMlBsRHJTRERXWWFVb281OXBCdVNhajhnQ2IwMFAwYldaSi9YWlZMYUxFL1Vvd3g1Q1NvTFhFRE1RVDlsZy85KwppaUowNG5ycUYzcTc1K2J6dmhjaTNSMTJCUnZpenNNbGNUYU1BdXhhdmRrM2ZyZHhTckxBRVNVT3RBZDJFVTkwCkNBVXFSVHRJckdXRTdhOCsrcWIrL2QxSy91OElhd096d01yU1pwblZoR2JDeVd0QVhZV2NRYW1PVmIzcCtrK0kKWW9DTk9xUlI2UEtSNWFacmRmL2k3WW9vcnFXM1prckxOSUxrdWRCUUNtOEFOZitncGEvQ0ttY2pCKzgzNVZjSwphWVg1c2o0Mnk5dVlWeWgrNjFKUmNKdXJRMkFkZWY0S2hXTWdpcXllWlhSQitQTEgxSzVLYVN0RjA3NHd4Q01CCnd2cmtjL1gwQUM5RFBXa0hERnZTeEpVaFZSRVhHOFk1N04zWDZwQkozRmtCbmRJcXorQS9zaUo0UDRVd1F0Rm0KSHhZaGxzZ29oY3pzREJGOCtkbGtncTdGS2UvemxuWWZJL1htbVRzNEhxcWFMdlNrL0FZMWkrazUyL09vR25wSgo5K2RhbUs3dmtGSlZoZU0wcWx0cXBpbm93bXV6K1AwS2ZnR1ZVbFNKTTJJbnl0aDJHVXBsL01iM1lvSmtRK1piCmxtdEZVaEZMUFVncWtMd2RiNHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
},
"private_key_provider":{
"provider_name":"cryptomb",
"typed_config":{
"@type":"type.googleapis.com/envoy.extensions.private_key_providers.cryptomb.v3alpha.CryptoMbPrivateKeyMethodConfig",
"private_key":{
"inline_bytes":"W3JlZGFjdGVkXQ=="
},
"poll_delay":"0s"
}
}
}
}
}
]
}