WFLY-11007 (WildFly)

Using OpenShift generated certificates and client auth causes TLS errors


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 13.0.0.Final
    • Component/s: Security, Web (Undertow)
    • Labels: None

    Description

      Summary

      It seems that when using OpenShift generated certificates and client auth (with want-client-auth="true"), the TLS handshake fails with a RECV TLSv1.2 ALERT: fatal, record_overflow message.

      Explanation

      I'm using oc cluster up and deploying Keycloak (WF 13 based) on an OpenShift local cluster using the template (1). The service in the template uses OpenShift generated certificates ("service.alpha.openshift.io/serving-cert-secret-name": "keycloak-x509-https-secret"). Both files are mounted in the Keycloak pod and translated into a keystore and truststore (see the configuration after the transformation (2)). Once the pod is up and running, I'm issuing a curl command as shown in (3). curl fails with * error:1408F092:SSL routines:ssl3_get_record:data length too long. The server logs with TLS handshake debugging turned on might be found here (4). As shown in the link, the server has written 16384 bytes.

      I also did a test with manually created certificates (5). The result might be found here (6). As shown in the link, we've written 16050 bytes instead of 16384 and the handshake was successful.

      Possible solution

      Perhaps we should cut the list of CAs transmitted by the server when asking for client auth when it exceeds a certain number of bytes. It would be helpful to write a warn message too.
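The size arithmetic behind the report above, as an added example that is not part of the original issue and not WildFly, Undertow or JSSE code. In TLS 1.2 the server's CertificateRequest lists the DER-encoded distinguished name of every trusted CA in its certificate_authorities vector (RFC 5246 section 7.4.4, up to 2^16-1 bytes), while a single TLSPlaintext record may carry at most 2^14 = 16384 bytes (section 6.2.1); a handshake message larger than that has to be fragmented across records by the sending stack. The script below builds the CertificateRequest a server would emit for a given list of CA names and reports whether it fits in one record. The truststore contents are constructed for the example (the `openshift-service-serving-signer@...` naming and the count of 300 are illustrative, not taken from the reporter's cluster), and `trim_ca_list` is a hypothetical helper that models the mitigation proposed under "Possible solution", not a fix that exists in any project.

```python
"""
Size check for the TLS 1.2 CertificateRequest a server sends when it asks for
client certificates. Constructed example; not WildFly/Undertow/JSSE code.
"""
import struct

TLS_MAX_PLAINTEXT = 1 << 14          # 16384 bytes per TLSPlaintext fragment (RFC 5246 6.2.1)
HANDSHAKE_CERTIFICATE_REQUEST = 13   # HandshakeType.certificate_request

# X.520 attribute type OIDs (DER content octets)
OID_CN = b"\x55\x04\x03"             # 2.5.4.3  commonName
OID_O = b"\x55\x04\x0a"              # 2.5.4.10 organizationName
OID_C = b"\x55\x04\x06"              # 2.5.4.6  countryName


def der_length(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def rdn(oid: bytes, value: str, string_tag: int = 0x0C) -> bytes:
    """RelativeDistinguishedName: SET { SEQUENCE { OID, string } }; 0x0C = UTF8String."""
    attr = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(string_tag, value.encode()))
    return der_tlv(0x31, attr)


def encode_name(cn: str, o: str = "", c: str = "") -> bytes:
    """DER X.501 Name (SEQUENCE OF RDN), ordered C, O, CN as most CA tooling does."""
    rdns = b""
    if c:
        rdns += rdn(OID_C, c, 0x13)  # countryName is a PrintableString
    if o:
        rdns += rdn(OID_O, o)
    rdns += rdn(OID_CN, cn)
    return der_tlv(0x30, rdns)


def certificate_request(ca_names, cert_types=b"\x01\x02\x40",
                        sig_algs=((4, 1), (5, 1), (6, 1), (4, 3), (5, 3))) -> bytes:
    """Complete Handshake message carrying a TLS 1.2 CertificateRequest.

    cert_types: rsa_sign, dss_sign, ecdsa_sign; sig_algs: (hash, signature) pairs.
    """
    body = bytes([len(cert_types)]) + cert_types                      # <1..2^8-1>
    algs = b"".join(bytes(pair) for pair in sig_algs)
    body += struct.pack("!H", len(algs)) + algs                         # <2^16-1>
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)  # DistinguishedName<1..2^16-1>
    if len(cas) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds 2^16-1 bytes")
    body += struct.pack("!H", len(cas)) + cas                           # <0..2^16-1>
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def fits_in_one_record(message: bytes) -> bool:
    """True when the whole handshake message fits a single TLSPlaintext fragment."""
    return len(message) <= TLS_MAX_PLAINTEXT


def trim_ca_list(ca_names, budget: int = TLS_MAX_PLAINTEXT):
    """Hypothetical mitigation: drop trailing CA names until the message fits.

    Returns (kept_names, dropped_count). Models the reporter's suggestion only;
    a real fix belongs in the TLS stack, which must fragment or trim itself.
    """
    kept = list(ca_names)
    dropped = 0
    while kept and len(certificate_request(kept)) > budget:
        kept.pop()
        dropped += 1
    return kept, dropped


# Constructed truststores: one short, manually created CA name versus many
# long generated signer names (names and count are illustrative).
SHORT_CA = [encode_name("Test CA", "Example", "US")]
LONG_CAS = [encode_name("openshift-service-serving-signer@%d" % (1530000000 + i), "OpenShift", "US")
            for i in range(300)]


def report(ca_names) -> dict:
    msg = certificate_request(ca_names)
    return {"ca_count": len(ca_names), "message_bytes": len(msg), "fits": fits_in_one_record(msg)}


if __name__ == "__main__":
    for label, cas in (("manual", SHORT_CA), ("generated", LONG_CAS)):
        r = report(cas)
        status = "ok" if r["fits"] else "WARN: CertificateRequest exceeds one TLS record"
        print("%s: %d CAs, %d bytes, %s" % (label, r["ca_count"], r["message_bytes"], status))
    kept, dropped = trim_ca_list(LONG_CAS)
    print("trimmed: kept %d CAs, dropped %d" % (len(kept), dropped))
```

Point the constructed lists at the DNs from a real truststore (each `keytool -list -v` entry's Owner, DER-encoded) to see how close a given deployment is to the 16384-byte boundary; the `WARN` branch is the log message the reporter asks for.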

      Links:


          People

            Assignee: Unassigned
            Reporter: Sebastian Ɓaskawiec (slaskawi@redhat.com, Inactive)
            Votes: 0
            Watchers: 12
