I want to set up a broker that is able to accept both "open/public" connections and "private" ones using TLS.
For this I've set up the server to accept TLS connections, but still whoever sniffs port 1883 (which is open) receives the topics sent around 8883 (TLS based).
How do I solve this?
My configuration file (located at /etc/mosquitto/conf.d/mosquitto.conf):
port 1883
# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
# End of MQTT over TLS/SSL configuration
listener 9001
protocol websockets
# WebSockets over TLS/SSL
listener 9883
protocol websockets
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
This is working as designed.
Adding listeners does not create separate topic spaces. If you want to restrict the non-TLS listeners then you can add the IP address to the setup. You can also use the bind_address option to change the default listener.
E.g. to limit the open listener to localhost only you can do this:
port 1883
bind_address 127.0.0.1
# MQTT over TLS/SSL
listener 8883 0.0.0.0
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
# End of MQTT over TLS/SSL configuration
listener 9001 127.0.0.1
protocol websockets
# WebSockets over TLS/SSL
listener 9883 0.0.0.0
protocol websockets
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
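The point of the answer is that a TLS listener on 8883 protects nothing on 1883: every listener serves the same topic space, so what matters is where each cleartext listener is reachable from. The following is an added example, not code from the thread or from mosquitto: it parses a mosquitto.conf into its listeners and flags the ones that carry cleartext off-host, plus TLS listeners pinned to a version below TLS 1.2 (both configs above pin `tls_version tlsv1`). The two embedded configs are the question's and the answer's, copied verbatim. It assumes mosquitto's 1.x listener syntax: `port`/`bind_address` describe the default listener (mosquitto 2.x deprecates `port` in favour of `listener`), each `listener <port> [address]` opens a new block, and cafile/certfile/keyfile/tls_version lines belong to the most recently opened block.

```python
"""Audit a mosquitto.conf for cleartext listeners reachable from other hosts.

Added example (not from the thread or mosquitto). The two configs below are the
question's and the answer's, embedded verbatim as constructed test input."""
import ipaddress
from dataclasses import dataclass, field

QUESTION_CONF = """
port 1883
# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
# End of MQTT over TLS/SSL configuration
listener 9001
protocol websockets
# WebSockets over TLS/SSL
listener 9883
protocol websockets
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""

ANSWER_CONF = """
port 1883
bind_address 127.0.0.1
# MQTT over TLS/SSL
listener 8883 0.0.0.0
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
tls_version tlsv1
# End of MQTT over TLS/SSL configuration
listener 9001 127.0.0.1
protocol websockets
# WebSockets over TLS/SSL
listener 9883 0.0.0.0
protocol websockets
cafile /etc/mosquitto/ca_certificates/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""


@dataclass
class Listener:
    port: int
    bind: str = ""                 # "" means every interface
    protocol: str = "mqtt"
    settings: dict = field(default_factory=dict)

    @property
    def tls(self) -> bool:
        # A listener only speaks TLS when it has a server certificate and key.
        return "certfile" in self.settings and "keyfile" in self.settings

    @property
    def loopback_only(self) -> bool:
        if not self.bind:
            return False
        try:
            return ipaddress.ip_address(self.bind).is_loopback
        except ValueError:
            return self.bind == "localhost"


def parse_listeners(text: str) -> list:
    """Split the config into listeners (mosquitto 1.x semantics, see lead-in)."""
    default = Listener(port=1883)
    default_used = False
    current = default              # TLS lines before any `listener` belong to the default listener
    extra = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "listener":
            current = Listener(port=int(args[0]), bind=args[1] if len(args) > 1 else "")
            extra.append(current)
        elif key == "port":            # always refers to the default listener
            default.port, default_used = int(args[0]), True
        elif key == "bind_address":    # likewise
            default.bind, default_used = args[0], True
        elif key == "protocol":
            current.protocol = args[0]
        else:
            current.settings[key] = " ".join(args)
    return ([default] if default_used else []) + extra


def exposed_cleartext(listeners) -> list:
    """Listeners that carry unencrypted MQTT or websockets and are reachable off-host."""
    return [l for l in listeners if not l.tls and not l.loopback_only]


def obsolete_tls_version(listeners) -> list:
    """TLS listeners pinned to a protocol version below TLS 1.2."""
    return [l for l in listeners if l.tls and l.settings.get("tls_version") in ("tlsv1", "tlsv1.1")]


if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        ls = parse_listeners(conf)
        print(label, "cleartext off-host:", [l.port for l in exposed_cleartext(ls)],
              "old tls_version:", [l.port for l in obsolete_tls_version(ls)])
```

Run against the question's config it reports 1883 and 9001 as cleartext listeners reachable from anywhere; against the answer's config it reports none, since both are now bound to 127.0.0.1. Both configs still get 8883 flagged for `tls_version tlsv1`.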
The protocol in question is the MRCP v2 protocol.
Problem overview:
The client sends MRCP/TLS requests, and the server can't understand these since it doesn't have the ability to perform a TLS handshake or encryption. I am hoping that HAProxy, or any other proxy (Nginx?) will decrypt these TLS packets, and send it to the server, to which the server can respond, and then HAProxy can encrypt and send it back to the client.
If possible, I also want a way to extend this to the SIP protocol. From what I understood of HAProxy, it can't do TLS termination for TCP (layer 4), only HTTP (layer 7). Is there any work around/alternative to this?
You are looking for NGINX and its ngx_stream_ssl_module. It allows you to encrypt arbitrary TCP traffic (it doesn't have to be HTTP). No special installation is required. Just install NGINX and put it in front of your server instead of HAProxy or whatever TLS terminator. Configuration is straightforward:
stream {
...
server {
listen 12345 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /usr/local/nginx/conf/cert.pem;
ssl_certificate_key /usr/local/nginx/conf/cert.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
...
}
}
Client -> NGINX (stream TLS termination) -> whichever TCP protocol.
NGINX will only do TLS encryption without inspecting the underlying protocol.
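What a `stream` TLS terminator does is mechanically simple: finish the TLS handshake with the client, then copy bytes both ways between the decrypted client side and a cleartext TCP connection to the backend, without looking at the application protocol. The following is an added example that does exactly that in Python's `ssl` module; it is not the answer's code or NGINX's. It assumes a certificate and key on disk and a backend (an MRCP or SIP server, say) listening in cleartext, all given on the command line. Unlike the config above it accepts only TLS 1.2+ with ECDHE/AEAD suites; the `TLSv1`/`TLSv1.1` protocols and the RC4, 3DES and MD5 entries in that cipher list are obsolete and should not be offered.

```python
"""TLS-terminating TCP relay, the role the nginx `stream` block plays in front of a
server that cannot speak TLS. Added example, not from the answer or NGINX.
Usage: python relay.py cert.pem cert.key <listen_port> <backend_host> <backend_port>"""
import socket
import ssl
import sys
import threading

WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # never acceptable in an offered suite name


def build_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side context: TLS 1.2+ and ECDHE/AEAD suites only. The identity is loaded
    only when paths are given, so the settings can be inspected without a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.2 list; TLS 1.3 suites are separate and stay on
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """What the context will negotiate, the way one would check nginx's ssl_* directives."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "cipher_count": len(names),
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
    }


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client_tls, backend_addr):
    """Bridge one already-handshaked client connection to a fresh cleartext backend connection."""
    with client_tls, socket.create_connection(backend_addr) as backend:
        back = threading.Thread(target=pump, args=(backend, client_tls), daemon=True)
        back.start()
        pump(client_tls, backend)
        back.join()


def serve(listen_addr, backend_addr, ctx):
    with socket.create_server(listen_addr) as lsock:
        while True:
            raw, peer = lsock.accept()
            try:
                # Handshake happens here; a client that fails it never touches the backend.
                tls = ctx.wrap_socket(raw, server_side=True)
            except ssl.SSLError as e:
                print(f"{peer}: handshake failed: {e.reason}", file=sys.stderr)
                raw.close()
                continue
            threading.Thread(target=handle, args=(tls, backend_addr), daemon=True).start()


if __name__ == "__main__":
    cert, key, listen_port, backend_host, backend_port = sys.argv[1:6]
    serve(("0.0.0.0", int(listen_port)), (backend_host, int(backend_port)),
          build_server_context(cert, key))
```

The relay never parses what it forwards, which is the same property the answer attributes to the stream module: the backend sees the raw MRCP or SIP bytes it would have seen from a cleartext client, with the client's source address replaced by the relay's.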
A TLS handshake from an external client to a server inside a Kubernetes cluster fails. This is about understanding why.
I've configured an Istio ingress gateway to pass through TLS received on port 15443 and route it to the server on port 443.
The ingress gateway logs show activity when the client attempts the TLS handshake, but the server logs and the istio-proxy logs do not.
TLS client:
openssl s_client \
-connect [redacted]-[redacted].us-west-2.elb.amazonaws.com:15443 \
-servername myservice.mynamespace \
-CAfile /path/to/ca.cert \
-cert /path/to/cert.pem \
-key /path/to/cert.key <<< "Q"
Logs:
CONNECTED(00000006)
140090868934296:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 298 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1600987862
Timeout : 300 (sec)
Verify return code: 0 (ok)
Istio ingress gateway logs:
"- - -" 0 - "-" "-" 298 0 1069 - "-" "-" "-" "-" "192.168.101.136:443" outbound|443||myservice.mynamespace.svc.cluster.local 192.168.115.141:42350 192.168.115.141:15443 192.168.125.206:23298 myservice.mynamespace -
where 192.168.101.136 is the IP of the myservice pod and 192.168.115.141 is the IP of the ingressgateway pod.
Based on the IPs, this means the client connection reached the gateway, the gateway seems to have applied the virtualservice route and logged that it was forwarding this to the pod. Seems normal, except the istio-proxy on the pod shows no activity nor the server logs (though the server doesn't log stuff happening at the transport layer).
AFAIK the server is properly configured for TLS as the following port-forwarded TLS handshake succeeds:
kubectl port-forward -n mynamespace service/myservice 4430:443 &
openssl s_client \
-connect localhost:4430 \
-CAfile /path/to/ca.cert \
-cert /path/to/cert.pem \
-key /path/to/cert.key <<< "Q"
# I get back a TLS session ID, looks good.
So this points to a problem with istio's gateway or virtualservice configuration.
Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
  namespace: mynamespace
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15443
      name: tls-passthrough
      protocol: TLS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"
Virtual Service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myservice
  namespace: mynamespace
spec:
  hosts:
  - "*"
  gateways:
  - mygateway
  tls:
  - match:
    - port: 15443
      sniHosts:
      - myservice.mynamespace
    route:
    - destination:
        host: myservice
        port:
          number: 443
Kubernetes Service:
apiVersion: v1
kind: Service
metadata:
  name: myservice
  namespace: mynamespace
  labels:
    app: myservice
spec:
  selector:
    app: myservice
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
    name: grpc-svc
UPDATE:
Actually the TLS traffic from the client does reach the server pod, I've confirmed this by doing tcpdump port 443 on the server pod and seeing packets when I run the openssl s_client command. Unclear why istio-proxy on the pod didn't show this, that doesn't explain why the handshake fails.
I noticed something else. Passing -msg flag to openssl s_client, I see nothing coming back, after ">>>" there's no "<<<", yet the tcpdump shows the server pod sending packets back to the gateway.
There were 2 bugs in my configuration:
1. In the configuration of my Kubernetes service. Unfortunately the name of my TCP port 443 was grpc-svc and that breaks TLS passthrough. Renaming this port to tcp-svc resolves the problem.
2. I should not be using ingress port 15443, which seems to be reserved for something else. Opening another port, 9444, on the ingressgateway, then configuring port 9444 on the gateway exactly as I was configuring port 15443 in my question (i.e. config for TLS passthrough), and then configuring the virtual service to route 9444 exactly as I was configuring the virtual service route for 15443 in my question.
Doing both of these allows openssl s_client from an external client to succeed at a TLS handshake to a Kubernetes service via the ingress.
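Two things in this thread are worth seeing in code. A gateway in PASSTHROUGH mode never terminates TLS: it reads the `server_name` extension out of the client's ClientHello, matches it against the VirtualService's `sniHosts`, and forwards the raw bytes to the chosen backend, which is why the `-servername myservice.mynamespace` flag is what selects the route. And Istio picks a port's protocol from the Service port name prefix, so a `grpc-` name makes the sidecar treat the inbound bytes as HTTP/2 instead of opaque TCP, which is why renaming it `tcp-` fixed the first bug. The following is an added example, not Istio's or Envoy's code: a ClientHello builder (so the parser can be exercised offline), the SNI extraction a passthrough proxy performs, and a route lookup. The route table is constructed: the first backend's IP and port are the ones in the ingress log line above; the `*.example.internal` entry, its backend address and the single-label wildcard rule are assumptions for illustration, not a statement of Istio's matching semantics.

```python
"""SNI-based routing as a TLS passthrough proxy does it. Added example, not Istio/Envoy code."""
import struct

SNI_EXT = 0     # extension type server_name
HOST_NAME = 0   # NameType host_name inside the server_name list

# Constructed route table; each key plays the role of one VirtualService sniHosts entry.
ROUTES = {
    "myservice.mynamespace": ("192.168.101.136", 443),   # pod IP and port from the ingress log line
    "*.example.internal": ("10.0.0.10", 8443),           # assumed second backend, for the wildcard case
}


def build_client_hello(server_name=None) -> bytes:
    """Constructed TLS 1.2 ClientHello with one cipher suite and an optional SNI extension."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(server_name_list)) + server_name_list
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeros: this is test input)
            + b"\x00"                      # session_id length
            + b"\x00\x02\xc0\x2f"          # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                  # compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record: bytes):
    """server_name from the first TLS record, or None if the hello carries none. Raises
    ValueError for anything that is not one complete ClientHello (a hello split across
    several records is not handled here)."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a complete ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 34                                              # client_version + random
        pos += 1 + body[pos]                                  # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                     # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None                                       # hello ends without an extensions block
        (exts_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = min(pos + exts_len, len(body))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT:
                (list_len,) = struct.unpack("!H", body[pos:pos + 2])
                p, p_end = pos + 2, pos + 2 + list_len
                while p + 3 <= p_end:
                    name_type = body[p]
                    (name_len,) = struct.unpack("!H", body[p + 1:p + 3])
                    if name_type == HOST_NAME:
                        return body[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
                return None
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as e:
        raise ValueError("malformed ClientHello") from e


def select_backend(first_bytes: bytes, routes=ROUTES):
    """What a passthrough proxy decides from the client's first record: exact sniHost match
    first, then a leading single-label wildcard (an assumed rule), otherwise no route."""
    sni = extract_sni(first_bytes)
    if sni is None:
        return None
    if sni in routes:
        return routes[sni]
    for pattern, backend in routes.items():
        suffix = pattern[1:]
        if pattern.startswith("*.") and sni.endswith(suffix) and "." not in sni[:-len(suffix)]:
            return backend
    return None
```

A hello that carries no `server_name` at all (what an OpenSSL 1.0.x `s_client` sends when `-servername` is omitted, as in the port-forward check above) yields no route; a passthrough gateway has nothing to match on in that case, so the two tests in the question exercise different paths even when the same certificate and key are used.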
I am trying to use TLS for communicating over MQTT. I have Ubuntu installed on my system. For using TLS, I have created certificates using the link below:
http://www.embedded101.com/Blogs/PaoloPatierno/entryid/366/mqtt-over-ssl-tls-with-the-m2mqtt-library-and-the-mosquitto-broker
I am able to create certificates. I have removed bind_address from the config file. I am starting mosquitto with the new config file with mosquitto -c mosquitto_m2mqtt.conf -v. Mosquitto starts, but when I run the mosquitto_sub command, I am getting the error below:
mosquitto -c mosquitto_m2mqtt.conf -v
1551172930: mosquitto version 1.4.8 (build date 2016-09-21 11:21:45+0530) starting
1551172930: Config loaded from mosquitto_m2mqtt.conf.
1551172930: Opening ipv4 listen socket on port 8883.
1551172930: Opening ipv6 listen socket on port 8883.
Enter PEM pass phrase:
1551172960: New connection from 127.0.0.1 on port 8883.
1551172960: OpenSSL Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
1551172960: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1551172960: Socket error on client <unknown>, disconnecting.
In the window where I am subscribing, I am getting the error below:
mosquitto_sub -p 8883 -q 1 -t sensor/temp --cafile /etc/mosquitto/m2mqtt_srv.crt --tls-version tlsv1 -d
Unable to connect (A TLS error occurred.).
Below are the parameters added in the config file.
port 8883
cafile /etc/mosquitto/m2mqtt_ca.crt
certfile /etc/mosquitto/m2mqtt_srv.crt
keyfile /etc/mosquitto/m2mqtt_srv.key
tls_version tlsv1
mosquitto_sub and mosquitto_pub need a host address or IP. For example, I use test.mosquitto.org locally: download the PEM-formatted certificate file from that site and add just this certificate to the conf file as "cafile". And here is my command:
mosquitto_sub -h test.mosquitto.org -t "test" -p 8883 --cafile "<pem formatted crt file path (downloaded from test.mosquitto.org)>"
Quite a strange issue.
I have a mosquitto broker working with TLS.
It is correctly accessible by an MQTTfx client set up for 'Enable SSL/TLS, TLSv1.2, CA certificate file'.
The same ca.crt file is used by an OpenWrt mosquitto client issuing
# mosquitto_pub -h x.x.x.x -p 8883 --cafile /etc/mosquitto/certs/ca.crt -i 1.1.1.1 -t test -m 123 -d
It returns
Client 1.1.1.1 sending CONNECT
Error: A TLS error occurred.
At the other end, the broker shows
OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Socket error on client (null), disconnecting.
What is messing me up is the fact that the MQTTfx client, by contrast, is accepted, and it's using the same certificate!
New connection from y.y.y.y on port 8883.
New client connected from y.y.y.y as 180ce1c04c1944e1964608221efbcf0a (c1, k60).
Sending CONNACK to 180ce1c04c1944e1964608221efbcf0a (0)
That should mean that the certificate is valid and trusted... shouldn't it?
What's wrong then with the other client using the exact same certificate file?!
...in the end, using the --insecure option did the job.
It means verification of the server hostname in the server certificate.
Well, it works, although using this option in a production environment potentially invalidates the use of encryption.
I'm trying to authenticate a user via Xbox Live OAuth 2.0, but I'm experiencing this error, which appears only on the first request (after that it works for a few minutes). I already tried --sslv*, --tlsv1 and --ciphers; nothing helped.
vagrant@vagrant:~$ curl -v https://xsts.auth.xboxlive.com/xsts/authorize
* Hostname was NOT found in DNS cache
* Trying 134.170.178.199...
* Connected to xsts.auth.xboxlive.com (134.170.178.199) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to xsts.auth.xboxlive.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to xsts.auth.xboxlive.com:443
root@admin:~# curl -v https://xsts.auth.xboxlive.com/xsts/authorize
* Trying 134.170.179.106...
* Connected to xsts.auth.xboxlive.com (134.170.179.106) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Error in the pull function.
* Closing connection 0
curl: (35) gnutls_handshake() failed: Error in the pull function.
CURL and OpenSSL versions on local machine and production
vagrant@vagrant:~$ curl --version
curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
root@admin:~# curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
Any help would be appreciated!
I solved that issue by compiling and installing curl with HTTP/2 support.
You can use this link for that: https://askubuntu.com/questions/884899/how-do-i-install-curl-with-http2-support
I do not know the details of your setup, but the error
Unknown SSL protocol error
can occur in the following scenarios:
The server does not like the SSL protocol used
The server and client are not able to agree on a cipher (cipher mismatch between server and client)
The certificate or key has expired
Try openssl s_client in debug mode for more information.
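The failures in the two mosquitto threads above and the scenario list in this answer are all things a client-side verifier decides, and the broker only ever sees the resulting alert ("alert certificate unknown", "alert unknown ca"). The following is an added example, not code from any of the posts, that reproduces them against a throwaway local TLS server: trusting the real CA (works); passing the server's own certificate as `--cafile` the way the `mosquitto_sub ... --cafile /etc/mosquitto/m2mqtt_srv.crt` command above does (fails, and the server side records the alert a broker would log); connecting by IP address as `mosquitto_pub -h x.x.x.x` does, with hostname verification on and then off, which is exactly what `--insecure` changes; and a client whose highest offered version the server refuses, the first scenario in this answer's list. It assumes the `openssl` CLI is on PATH to mint a throwaway CA and server certificate, that 127.0.0.1 can bind an ephemeral port, and that the local OpenSSL supports TLS 1.3; the hostname `broker.local` is constructed.

```python
"""Reproduce client-side TLS verification failures against a throwaway local server.

Added example, not code from the threads. Assumes the openssl CLI is on PATH, that
127.0.0.1 can bind an ephemeral port, and that the local OpenSSL supports TLS 1.3."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

BROKER_NAME = "broker.local"  # constructed hostname, placed in the server cert's SAN


def make_test_pki(workdir):
    """Throwaway CA plus a server cert whose SAN is BROKER_NAME only (no IP entry)."""
    def run(*args):
        subprocess.run(["openssl", *args], check=True, capture_output=True)

    def path(name):
        return os.path.join(workdir, name)

    with open(path("san.cnf"), "w") as f:
        f.write(f"subjectAltName=DNS:{BROKER_NAME}\n")
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Throwaway MQTT CA", "-keyout", path("ca.key"), "-out", path("ca.crt"))
    run("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={BROKER_NAME}",
        "-keyout", path("srv.key"), "-out", path("srv.csr"))
    run("x509", "-req", "-days", "1", "-in", path("srv.csr"), "-CA", path("ca.crt"),
        "-CAkey", path("ca.key"), "-CAcreateserial", "-extfile", path("san.cnf"),
        "-out", path("srv.crt"))
    return path("ca.crt"), path("srv.crt"), path("srv.key")


def serve(lsock, srv_crt, srv_key, min_versions, server_log):
    """One accept per entry in min_versions; records what the server side sees, i.e. the
    line a broker would print (e.g. TLSV1_ALERT_UNKNOWN_CA when the client rejects the cert)."""
    for min_version in min_versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = min_version
        ctx.load_cert_chain(srv_crt, srv_key)
        conn, _ = lsock.accept()
        conn.settimeout(10)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"ok")  # stand-in for the broker's CONNACK
                server_log.append("handshake ok")
        except ssl.SSLError as e:
            server_log.append(e.reason or str(e))
        except OSError as e:
            server_log.append(type(e).__name__)


def client_handshake(port, cafile, server_hostname, check_hostname=True, max_version=None):
    """One client handshake. check_hostname=False is what --insecure does: the chain is still
    verified against cafile, only the binding of the name to the certificate is skipped."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = check_hostname
    if max_version is not None:
        ctx.maximum_version = max_version
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.recv(2)  # wait for the server's reply so both sides finish cleanly
                return {"ok": True, "version": tls.version()}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "reason": e.verify_message}   # chain or name problem
    except ssl.SSLError as e:
        return {"ok": False, "reason": e.reason or str(e)}  # e.g. TLSV1_ALERT_PROTOCOL_VERSION


def demo():
    """Run the scenarios; returns None when the openssl CLI is not available."""
    if shutil.which("openssl") is None:
        return None
    V = ssl.TLSVersion
    # name, client trust anchor, server_hostname, check_hostname, client max version, server min version
    scenarios = [
        ("trusted_ca",     "ca",  BROKER_NAME, True,  None,      V.TLSv1_2),
        ("leaf_as_cafile", "srv", BROKER_NAME, True,  None,      V.TLSv1_2),  # --cafile m2mqtt_srv.crt
        ("by_ip",          "ca",  "127.0.0.1", True,  None,      V.TLSv1_2),  # -h x.x.x.x, verification on
        ("by_ip_insecure", "ca",  "127.0.0.1", False, None,      V.TLSv1_2),  # same with --insecure
        ("old_client",     "ca",  BROKER_NAME, True,  V.TLSv1_2, V.TLSv1_3),  # server refuses the version
    ]
    with tempfile.TemporaryDirectory() as d, socket.socket() as lsock:
        ca_crt, srv_crt, srv_key = make_test_pki(d)
        trust = {"ca": ca_crt, "srv": srv_crt}
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(5)
        lsock.settimeout(30)
        server_log = []
        t = threading.Thread(target=serve,
                             args=(lsock, srv_crt, srv_key, [s[5] for s in scenarios], server_log))
        t.start()
        results = {}
        for name, anchor, host, check, max_v, _ in scenarios:
            results[name] = client_handshake(lsock.getsockname()[1], trust[anchor], host, check, max_v)
        t.join()
    for name, seen in zip(results, server_log):
        results[name]["server_saw"] = seen
    return results


if __name__ == "__main__":
    for name, r in (demo() or {}).items():
        print(f"{name:15} {r}")
```

The `by_ip` pair is the interesting one for the `--insecure` thread: the same trust anchor accepts the server when the client is told the name the certificate was issued for and rejects it when the client connects by an address the certificate does not name, and turning hostname checking off makes that second case pass while still rejecting a certificate from an untrusted CA. That is a narrower concession than "disabling verification", but it does mean any holder of a certificate from the trusted CA could stand in for the broker.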