Hi,
I have been investigating for a week now on why i am observing this behaviour, but unfortunately I could not sort it out on my own
Basically, i am trying use the following curl command from inside one of my container running in a Rancher Cattle environment.
curl -v -u <user>:<password> https://api.github.com/user
the SSL negotiation is stuck always at the same point:
* Hostname was NOT found in DNS cache
* Trying 192.30.253.117...
* Connected to api.github.com (192.30.253.117) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* start date: 2017-01-18 00:00:00 GMT
* expire date: 2020-04-17 12:00:00 GMT
* subjectAltName: api.github.com matched
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
* Server auth using Basic with user '<user>'
> GET /user HTTP/1.1
> Authorization: <key>
> User-Agent: curl/7.38.0
> Host: api.github.com
> Accept: */*
>
However, if i launch the same command from the containers that are not managed by the IPSEC network, then it works perfectly. I tried it with the following containers with success:
- rancher-agent
- ipsec-cni-driver
- ipsec-ipsec
while if i try from the following containers, it fails:
- healthcheck
- scheduler
or any user container deployed on the managed network
I’d like to understand a bit more why this is happening, is it related to the ipsec default routing configuration, is it related to the MTU configuration ? etc…
Finally, I think it is important to mention that curl works perfectly on all the containers if the target server does not require an authentication.