K
Q

OpenSSL SSL_read: Connection was aborted, errno 10053 (implementing mTLS using istio)

9/23/2021

I am trying to implement mTLS between two services. I am using hashicorp vault to manage certs (CA, clients and servers). After deploying the server using istio gateway with secret generated from respective certs. I am trying to access that server using curl. But I am getting the error:

#pemFiles is chain of root and intermediate CA 
curl -vvv -HHost:<some-host> --resolve "<some-host>:443:<istio-gateway-ip>" --cacert pemFiles  --cert client.crt --key client.key  "https://<istio-gateway-ip>:443/" -Lk
* Added <some-host>:443:<istio-gateway-ip> to DNS cache
* Hostname <some-host> was found in DNS cache     
*   Trying <istio-gateway>:443...
* Connected to <some-host> (<istio-gateway-ip>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations: 
*  CAfile: pemFiles
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):        
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):       
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=5402476c-df7d-44bc-9c1b-b0a6afb931d7
*  start date: Sep 23 21:28:29 2021 GMT
*  expire date: Oct 25 21:28:58 2021 GMT
*  issuer: CN=<our-domain>
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x293ec1a2fb0)
> GET / HTTP/2
> Host:<some-host>
> user-agent: curl/7.75.0
> accept: */*
>
* OpenSSL SSL_read: Connection was aborted, errno 10053
* Failed receiving HTTP2 data
* OpenSSL SSL_write: Connection was aborted, errno 10053
* Failed sending HTTP2 data
* Connection #0 to host <some-host> left intact
curl: (56) OpenSSL SSL_read: Connection was aborted, errno 10053

When I use the same steps with certs generated manually using OpenSSL, I am not getting any such issue. When I pass the "--http2" with curl command:

 TLSv1.3 (IN), TLS alert, unknown CA (560):
* OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host <some-host> left intact
curl: (56) OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
-- Ashwani
https
istio
istio-gateway
kubernetes
openssl

Similar Questions

using azure signalR Service with Kubernetes ( Azure AKS)
kubectl expose pods using selector as a NodePort service via command-line
Bad Gateway when trying to access to http://sge-api.local via minikube / traefik
PromQL query for getting the namespace CPU usage clusterwide
How can I connect to a USB Device from a Kubernetes Service?

1 Answer

10/18/2021

A workaround found by OP, in the comments.

The issue was with OP's cert-manager. As a workaround use root CA cert instead of intermediate CA.

-- p10l
Source: StackOverflow