"View in App Metrics" option not available on Apps Manager due to "unsafe legacy renegotiation" error with search-server application
Article ID: 298193
Updated On:
Products
VMware Tanzu Application Service for VMs
Issue/Introduction
The "View in App Metrics" option is not shown on Apps Manager for application overview though "App Metrics" tile is installed on the foundation.
Apps Manager relies on search-server application to proxy related requests for getting metrics. When reviewing search-server app logs in this case, errors like the following could be observed.
In this scenario search-server app needs to access other system components like CAPI/UAA through load balancer (Netscaler) and TLS termination happens at load balancer. Since the load balancer also enables TLS 1.0/1.1, search-server rejects the insecure negotiation.
Apps Manager relies on search-server application to proxy related requests for getting metrics. When reviewing search-server app logs in this case, errors like the following could be observed.
2023-06-29T07:53:35.41+0530 [RTR/2] OUT search-server.sys.pcf.example.com - [2023-06-29T02:23:35.392514821Z] "GET /proxy/home/app-metrics-available HTTP/1.0" 500 0 148 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "a.a.a.a:bb" "c.c.c.c:dd" x_forwarded_for:"x.x.x.x" x_forwarded_proto:"https" vcap_request_id:"73034460-9ebc-4d94-5761-9614f6db5cd1" response_time:0.021772 gorouter_time:0.000172 app_id:"f90b2adf-2645-4594-b3d2-3102c5bf43e0" app_index:"1" instance_id:"aac511a4-44ce-45be-4cac-b917" x_cf_routererror:"-" x_b3_traceid:"3b1af19184d6ad951af93cf611146ede" x_b3_spanid:"1af93cf611146ede" x_b3_parentspanid:"-" b3:"3b1af19184d6ad951af93cf611146ede-1af93cf611146ede" 2023-06-29T07:53:35.41+0530 [APP/PROC/WEB/1] ERR Error: write EPROTO C0873B20CB7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922: 2023-06-29T07:53:35.41+0530 [APP/PROC/WEB/1] ERR at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16) 2023-06-29T07:53:35.63+0530 [APP/PROC/WEB/1] ERR Error: write EPROTO C0873B20CB7F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922: 2023-06-29T07:53:35.63+0530 [APP/PROC/WEB/1] ERR at WriteWrap.onWriteComplete [as oncomplete] (node:internal/stream_base_commons:94:16)The "unsafe legacy renegotiation disabled" error means that you are running as a client attempting to connect to a server that has not been patched against CVE-2009-3555. Connection attempts to servers that do not support secure renegotiation (the mitigation against that CVE) are now aborted by default in OpenSSL 3.0.
In this scenario search-server app needs to access other system components like CAPI/UAA through load balancer (Netscaler) and TLS termination happens at load balancer. Since the load balancer also enables TLS 1.0/1.1, search-server rejects the insecure negotiation.
Environment
Product Version: 2.10
Resolution
When load balance is changed to support TLS1.2 only, the issue is resolved.
Reference
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
Reference
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
Feedback
Yes
No
Powered by
