Alpine 3.17 images cause SSL Error "unsafe legacy renegotiation disabled" · Issue #4332 · dotnet/dotnet-docker · GitHub
Alpine 3.17 images cause SSL Error "unsafe legacy renegotiation disabled" #4332
Closed as not planned
@dstj

Description

After upgrading the dotnet/runtime and dotnet/sdk Docker images I'm using to the latest 6.0-alpine (i.e. upgrading from 6.0-alpine3.16 to 6.0-alpine3.17), I get the following SSL "unsafe legacy renegotiation disabled" error when trying to reach an endpoint that only accepts TLSv1.2 (I know this because disabling TLSv1.2 in Postman results in an error and disabling everything but TLSv1.2 succeeds).

"Exception": "System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

My C# code only defines ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault; for SSL/TLS protocols, nothing else, and it works great with the Alpine 3.16 image.

I read in the changelog that Alpine 3.17 now uses OpenSSL 3.0, so I'm guessing that has something to do with it...

Dockerfile

My Dockerfile looks like this:

FROM mcr.microsoft.com/dotnet/runtime:6.0-alpine AS base-runtime
RUN apk update \
&& apk add gcompat curl icu-libs \
&& apk add libgdiplus --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
&& apk add msttcorefonts-installer fontconfig --no-cache \
&& update-ms-fonts \
&& fc-cache -f
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
RUN adduser -D svcuser

FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build-dotnet-0
WORKDIR /app
COPY myapp.csproj ./
RUN dotnet restore --runtime linux-musl-x64 --packages .nuget myapp.csproj

FROM build-dotnet-0 AS build-dotnet
ARG VERSION
COPY --from=build-dotnet-0 /app/.nuget /app/.nuget
WORKDIR /app
COPY . ./
RUN dotnet publish ./myapp.csproj --packages .nuget --configuration Release --runtime linux-musl-x64 --self-contained=true -p:UseAppHost=true -p:IsDockerBuild=true -p:PublishReadyToRun=true -p:PublishReadyToRunShowWarnings=true -p:Version=${VERSION} --output /app/publish

FROM base-runtime AS final
WORKDIR /app
COPY --from=build-dotnet --chown=svcuser /app/publish .
USER svcuser

Output of docker version

Client:
 Cloud integration: v1.0.29
 Version:           20.10.21
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        baeda1f
 Built:             Tue Oct 25 18:08:16 2022
 OS/Arch:           windows/amd64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.15.0 (93002)
 Engine:
  Version:          20.10.21
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       3056208
  Built:            Tue Oct 25 18:00:19 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.10
  GitCommit:        770bd0108c32f3fb5c73ae1264f7e503fe7b2661
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.9.1)
  compose: Docker Compose (Docker Inc., v2.13.0)
  dev: Docker Dev Environments (Docker Inc., v0.0.5)
  extension: Manages Docker extensions (Docker Inc., v0.2.16)
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
  scan: Docker Scan (Docker Inc., v0.22.0)

Server:
 Containers: 3
  Running: 3
  Paused: 0
  Stopped: 0
 Images: 73
 Server Version: 20.10.21
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 770bd0108c32f3fb5c73ae1264f7e503fe7b2661
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.128-microsoft-standard
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 7.772GiB
 Name: docker-desktop
 ID: YY76:Y4EB:JMM6:RL5G:WAGB:GBQN:GNCB:LWF4:BDQC:NEJE:EHLE:AUS4
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5000
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
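
A client-side diagnostic for the error in this issue, added here as an example (it is not code from the issue author or from dotnet-docker). It assumes the usual OpenSSL 3 explanation of error 0A000152: the server did not advertise the RFC 5746 secure-renegotiation extension, which OpenSSL 3 no longer tolerates by default in the initial handshake, and it assumes the documented `UnsafeLegacyServerConnect` openssl.cnf option is the switch that restores the OpenSSL 1.1 client behaviour.

```shell
#!/bin/sh
# Added example: check whether a TLS 1.2 endpoint advertises RFC 5746
# secure renegotiation (what OpenSSL 3 demands) and print the openssl.cnf
# stanza that re-enables the old client behaviour as a stop-gap.

# Classify `openssl s_client` output read from stdin: "secure" if the
# server sent the renegotiation_info extension, "legacy" if it did not,
# "unknown" if the status line never appeared (e.g. handshake failed).
renegotiation_status() {
    status=unknown
    while IFS= read -r line; do
        case "$line" in
            *"Secure Renegotiation IS supported"*)     status=secure ;;
            *"Secure Renegotiation IS NOT supported"*) status=legacy ;;
        esac
    done
    printf '%s\n' "$status"
}

# Probe HOST[:PORT] with TLS 1.2 forced, as in the issue: TLS 1.3 has no
# renegotiation at all, so s_client would report "NOT supported" for it
# even though that is not the failure being diagnosed here.
probe_host() {
    host=${1%%:*}
    port=${1#*:}
    if [ "$port" = "$1" ]; then port=443; fi
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        </dev/null 2>/dev/null | renegotiation_status
}

# openssl.cnf fragment equivalent to SSL_OP_LEGACY_SERVER_CONNECT. Point
# OPENSSL_CONF at it inside the Alpine 3.17 image only as a stop-gap: it
# re-accepts servers that lack the RFC 5746 fix. Fixing the server is
# the durable remedy.
legacy_workaround_cnf() {
    cat <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyServerConnect
EOF
}

if [ "$#" -gt 0 ]; then
    result=$(probe_host "$1")
    echo "$1: renegotiation=$result"
    if [ "$result" = legacy ]; then legacy_workaround_cnf; fi
fi
```

Run it as `sh check-reneg.sh api.example.com` (constructed host name) against the endpoint that fails from the 3.17 image; a "legacy" result confirms the cause is on the server side rather than in the .NET client.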
