I'm writing a simple web crawler inside a Docker Alpine image. However, I cannot send HTTPS requests to servers that support only TLS 1.0. How can I configure Alpine Linux to allow obsolete TLS versions?

I tried adding MinProtocol to /etc/ssl/openssl.cnf with no luck.

Example Dockerfile:

FROM node:12.0-alpine

RUN printf "[system_default_sect]\nMinProtocol = TLSv1.0\nCipherString = DEFAULT@SECLEVEL=1" >> /etc/ssl/openssl.cnf

CMD ["/usr/bin/wget", "https://www.restauracesalanda.cz/"]

When I build and run this container, I get

Connecting to www.restauracesalanda.cz (93.185.102.124:443)
ssl_client: www.restauracesalanda.cz: handshake failed: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
wget: error getting response: Connection reset by peer
amik

2 Answers

I can reproduce your issue using the built-in busybox wget. However, using the "regular" wget works:

root@a:~# docker run --rm -it node:12.0-alpine /bin/ash
/ # wget -q https://www.restauracesalanda.cz/; echo $?
ssl_client: www.restauracesalanda.cz: handshake failed: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
wget: error getting response: Connection reset by peer
1
/ # apk add wget
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/1) Installing wget (1.20.3-r0)
Executing busybox-1.29.3-r10.trigger
OK: 7 MiB in 17 packages
/ # wget -q https://www.restauracesalanda.cz/; echo $?
0
/ #

I'm not sure, but maybe you should post an issue at https://bugs.alpinelinux.org

bratkartoffel
  • Thanks, installing "regular" wget helped. I'm also not sure if this is an issue; TLS 1.0 being disabled by default is legit, I think. I just haven't found a way to enable it, and I'm not good enough at Linux administration to say whether wget should respect what I've added to the openssl config. Anyway, this regular wget works even without configuring openssl. – amik May 07 '19 at 11:01
    @amik maybe you could enable TLS 1.0 with `sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/g' /etc/ssl/openssl.cnf` – Qtax Aug 05 '19 at 16:25
  • Built-in busybox wget doesn't support `openssl.cnf`, so setting MinProtocol there has no effect. The settings are fixed and set at compile time. – bratkartoffel Aug 06 '19 at 06:43
Putting this magic one-liner into my Dockerfile solved my issues and I was able to use TLS 1.0:

RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/' /etc/ssl/openssl.cnf \
    && sed -i 's/CipherString = DEFAULT@SECLEVEL=2/CipherString = DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf

Credit goes to this dude: http://blog.travisgosselin.com/tls-1-0-1-1-docker-container-support/
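As an added example (not from either answer or the linked blog), here is a small POSIX sh audit that reads the effective MinProtocol and SECLEVEL out of an openssl.cnf and fails when the TLS floor has been lowered by edits like the sed one-liner above or the appended section in the question. The function names and the "last occurrence wins" reporting rule are this script's own assumptions, not a statement of how OpenSSL resolves duplicate keys.

```shell
#!/bin/sh
# Audit an openssl.cnf for a lowered TLS floor (MinProtocol) or security level
# (CipherString = DEFAULT@SECLEVEL=n). The last occurrence of each key is what
# this script reports (its own rule, so an appended override like the printf in
# the question is visible); it does not model how OpenSSL resolves duplicates.

# Print "MinProtocol=<value> SECLEVEL=<n>" for the config FILE ("unset" if absent).
effective_tls_policy() {
    f="$1"
    minproto=$(sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)
    seclevel=$(sed -n 's/^[[:space:]]*CipherString[[:space:]]*=.*SECLEVEL=\([0-9]\).*/\1/p' "$f" | tail -n 1)
    printf 'MinProtocol=%s SECLEVEL=%s\n' "${minproto:-unset}" "${seclevel:-unset}"
}

# Return 0 when the floor is TLSv1.2 or newer and SECLEVEL is at least 2;
# otherwise print each finding and return 1 (usable as a CI gate on images).
check_tls_policy() {
    policy=$(effective_tls_policy "$1")
    minproto=${policy#MinProtocol=}
    minproto=${minproto%% *}
    seclevel=${policy##*SECLEVEL=}
    rc=0
    case "$minproto" in
        TLSv1.2|TLSv1.3) ;;
        unset) echo "note: MinProtocol not set in $1, library default applies" ;;
        *) echo "fail: MinProtocol=$minproto permits handshakes below TLS 1.2"; rc=1 ;;
    esac
    case "$seclevel" in
        unset) echo "note: SECLEVEL not set in $1, library default applies" ;;
        [2-5]) ;;
        *) echo "fail: SECLEVEL=$seclevel re-enables weak ciphers and key sizes"; rc=1 ;;
    esac
    return "$rc"
}

# Demo on a constructed file mirroring Alpine's defaults after the answer's sed
# edits (sample content, not copied from a real image).
demo=$(mktemp)
printf '[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT@SECLEVEL=1\n' > "$demo"
effective_tls_policy "$demo"
check_tls_policy "$demo" || echo "this image would accept TLS 1.0; review before shipping"
rm -f "$demo"
```

Run it against the `/etc/ssl/openssl.cnf` copied out of a built image (for example with `docker cp`) to see whether the downgrade is still present before the image is promoted.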