Error: attempt to index local 'ssl' (a nil value) for Kong >= 3.6.0 when KONG_PG_SSL=on

Open salyh opened this issue 1 year ago • 5 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Kong version ($ kong version)

Kong 3.6.1

Current Behavior

I have a Postgres 15 running as SaaS and I want to connect Kong to it. I need to set KONG_PG_SSL=on (if I don't, I get "failed to retrieve PostgreSQL server_version_num: FATAL: pg_hba.conf rejects connection for host "xxx.xxx.xxx.xx")

With Kong >= 3.6.0 I receive an error "attempt to index local 'ssl' (a nil value)". Kong 3.5 works as expected.

docker run  --rm  \
  -e "KONG_PG_DATABASE=kongdb" \
  -e "KONG_PG_HOST=postgres15.saas.domain.com" \
  -e "KONG_PG_PORT=5432" \
  -e "KONG_PG_PASSWORD=secret" \
  -e "KONG_PASSWORD=123456" \
  -e "KONG_PG_SSL=on" \
  kong:3.6.1 kong migrations bootstrap

results in

2024/05/26 02:01:15 [warn] 1297#0: *2 [lua] nginx.lua:300: get_ngx_ssl_from_socket_ctx(): note resty.openssl.auxiliary.nginx is using plain FFI and it's only intended to be used in development, consider using lua-resty-openssl.aux-module in production., context: ngx.timer
**Error: attempt to index local 'ssl' (a nil value)**

whereas

docker run  --rm  \
  -e "KONG_PG_DATABASE=kongdb" \
  -e "KONG_PG_HOST=postgres15.saas.domain.com" \
  -e "KONG_PG_PORT=5432" \
  -e "KONG_PG_PASSWORD=secret" \
  -e "KONG_PASSWORD=123456" \
  -e "KONG_PG_SSL=on" \
  kong:3.5 kong migrations bootstrap

works well.

Expected Behavior

No error message and db gets bootstrapped for Kong >= 3.6.0

Steps To Reproduce

docker run  --rm  \
  -e "KONG_PG_DATABASE=kongdb" \
  -e "KONG_PG_HOST=postgres15.saas.domain.com" \
  -e "KONG_PG_PORT=5432" \
  -e "KONG_PG_PASSWORD=secret" \
  -e "KONG_PASSWORD=123456" \
  -e "KONG_PG_SSL=on" \
  kong:3.6.1 kong migrations bootstrap

Anything else?

No response

salyh avatar May 26 '24 02:05 salyh

https://docs.konghq.com/gateway/changelog/#3600

In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. This means the security level is set to 112 bits of security. As a result, the following are prohibited:

  • RSA, DSA, and DH keys shorter than 2048 bits
  • ECC keys shorter than 224 bits
  • Any cipher suite using RC4
  • SSL version 3

Additionally, compression is disabled.

Bumped OpenSSL from 3.1.4 to 3.2.1 #12264

@salyh Thanks for your report. Could you please check the TLS settings of your Postgres database? This issue might be caused by the behavior changes of OpenSSL.

ADD-SP avatar May 27 '24 06:05 ADD-SP
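
One way to run the check suggested in the comment above, as an added example that is not part of the thread or of Kong's code: a probe that sends the PostgreSQL SSLRequest and then attempts a TLS handshake pinned to OpenSSL security level 2, the default described in the quoted changelog. The function names `probe_pg_tls` and `probe_host` are hypothetical, and it assumes the local Python is linked against OpenSSL 1.1.0 or later.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: Int32 length (8) + Int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def probe_pg_tls(sock, seclevel=2):
    """Request TLS on an already-connected socket, then handshake at `seclevel`.

    Returns a dict describing whether the server offers TLS and whether the
    handshake succeeds at the given OpenSSL security level.
    """
    sock.sendall(SSL_REQUEST)
    reply = sock.recv(1)
    if reply != b"S":
        # b"N" means the server refuses TLS; anything else is not a PostgreSQL reply.
        return {"tls": False, "reply": reply}

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic context only: chain validation is disabled so an untrusted CA
    # does not mask handshake failures. Do not reuse it for real connections.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    try:
        with ctx.wrap_socket(sock) as tls:
            name, _, bits = tls.cipher()
            return {"tls": True, "ok": True, "version": tls.version(),
                    "cipher": name, "bits": bits}
    except ssl.SSLError as exc:
        return {"tls": True, "ok": False, "error": exc.reason or str(exc)}


def probe_host(host, port=5432, seclevel=2, timeout=5.0):
    """Connect to host:port and run probe_pg_tls on the new connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_pg_tls(sock, seclevel)
```

Running `probe_host` against the database host once with `seclevel=1` and once with `seclevel=2` shows whether the stricter level is what breaks the handshake.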

Seems to be the same issue as https://github.com/Kong/kong/issues/12702

weberpatr avatar May 27 '24 07:05 weberpatr

Thanks to @weberpatr. @fffonion Any update on this issue?

ADD-SP avatar May 27 '24 07:05 ADD-SP

Seems 3.7.x is imminent to fix the postgres TLS issues, see here for a possible workaround too: https://github.com/Kong/kong/issues/12702#issuecomment-2136370793

jeremyjpj0916 avatar May 29 '24 01:05 jeremyjpj0916

It's fixed in 3.7, please refer to https://github.com/Kong/kong/issues/12592.

Water-Melon avatar May 30 '24 06:05 Water-Melon

Can confirm the issue is solved after updating to 3.7, thanks a lot!

weberpatr avatar Jun 05 '24 05:06 weberpatr