Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
n
nick fury
06/21/2022, 1:44 PMwhen im trying load my fleet webserver at k8s I am getting the error message "Error: tls: no cipher suite supported by both client and server". does anyone know the solution for this problem?
thanks.
👀 2
l
Luke Heath
06/21/2022, 4:50 PMHi Nick, happy to help you troubleshoot. Can you let me know what your infrastructure looks like? Are you deploys k8s on AWS EC2? Are you using a load balancer like ALB?
n
nick fury
06/21/2022, 8:42 PM@Luke Heath load balancer
z
zwass
06/21/2022, 9:24 PMWhere is that being logged?
n
nick fury
06/22/2022, 6:56 AMat the pod of the fleet web server
the load balancer is f5
l
Luke Heath
06/22/2022, 4:16 PMIt sounds like the F5 configuration is not setup with a modern set of ciphers or doesn't have TLS 1.2 turned on. Try referencing https://support.f5.com/csp/article/K01770517 and make sure you are using a TLS 1.2 cipher.
If that's not the issue, other thoughts would be TLS to redis or MySQL from fleet could have a cipher issue depending upon the specific log entries. In that case, you'd want to check the logs there.
n
nick fury
06/23/2022, 6:57 AM@Luke Heath
if it helps when i used the ALB at fleet 3.5.1 (not k8s) it worked well and when i tried to update to k8s to fleet 4.9.1 that error happens to the ALB
z
zwass
06/23/2022, 3:37 PMSeems like it might be because the Go version was bumped between those releases and that removed some really old ciphers from the Go server support.
Maybe it's easiest to turn off TLS termination on Fleet and just let your LB terminate without reencryption?
n
nick fury
06/26/2022, 8:01 AM@zwass am I turning off tls termination with the flag:
server:
tls: falsez
zwass
06/27/2022, 6:52 PMThat looks right
n
nick fury
07/10/2022, 10:32 AMhttps://osquery.slack.com/archives/C01DXJL16D8/p1655998638636819?thread_ts=1655819083.815489&cid=C01DXJL16D8
@zwass @Luke Heath can you tell me from what fleet version that happened?
👀 1
k
Kathy Satterlee
07/16/2022, 6:16 PMIt looks like that bump happened in 3.13.0
:ty: 1