TLS fails due to multiple handshake messages
frederichenry opened this issue · 2 comments
If we try to do a wget to an internal server, we always get a connection issue.
/prometheus $ wget https://www.internalsite.be
Connecting to www.internalsite.be (x.x.x.x:443)
wget: note: TLS certificate validation not implemented
wget: got bad TLS record (len:337) while expecting certificate
16 03 03 01 51 0c 00 01 49 03 00 17 41 04 cd 3a bf 8e 36 06 e0 b4 4f b6 0a 59 75 aa 1d 21 7b 11 04 b0 f9 70 80 6a 6d a0 c4 6f d2 d9 61 90 ba f5 e7 ef bc e6 64 92 48 2a 04 e1 56 b5 bb f4 3e 34 ab 4c 48 3c b4 e7 49 ab 8b 0c 76 33 61 76 02 01 01 00 8d 29 14 5b 0a 00 3a f3 77 ed 51 ff bc 3a 81 a8 42
wget: error getting response: Connection reset by peer
If we try to do a wget to another https website everything works correctly.
While debugging via wireshark we see the following
92 18.058981001 x.x.x.x x.x.x.x TLSv1.2 592 Server Hello, Certificate
94 18.071352760 x.x.x.x x.x.x.x TLSv1.2 396 Server Key Exchange, Server Hello Done
96 18.071934144 x.x.x.x x.x.x.x TCP 54 54202 → 443 [FIN, ACK] Seq=99 Ack=3321 Win=63440 Len=0
Both TLS messages are Multiple Handshake Messages.
It seems like it is only processing the Server Hello and only in the next message it checks for the Certificate. As this message only contains Server Key Exchange and Server Hello Done, the certificate can't be found.
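The hex dump above decodes to exactly that situation: `16 03 03 01 51` is a handshake record of length 337, and the first handshake byte `0c` is ServerKeyExchange, so a reader that expects the Certificate to start a new record cannot find it. The following Python is an added illustration (not the project's or BusyBox's code) of the two reading strategies: a naive reader that assumes one handshake message per TLS record, and a reader that concatenates the handshake payload of consecutive records and parses every message from that buffer, which is what TLS requires since records and handshake messages are independent layers. The sample flight, including the cipher suite, session id and ECDHE bytes, is constructed and is not a real server's output.

```python
import struct

CONTENT_HANDSHAKE = 0x16
HS_TYPES = {
    2: "ServerHello",
    11: "Certificate",
    12: "ServerKeyExchange",
    14: "ServerHelloDone",
}


def tls_record(payload, content_type=CONTENT_HANDSHAKE, version=b"\x03\x03"):
    """Wrap payload in a TLS record: type(1) version(2) length(2) payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def handshake_message(msg_type, body):
    """Build one handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def split_records(data):
    """Split a byte stream into (content_type, payload) tuples, one per record."""
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((ctype, payload))
        off += 5 + length
    return records


def naive_server_flight(data):
    """Model of a reader that assumes one handshake message per record and
    expects ServerHello, then Certificate, in consecutive records. Returns the
    names it accepted; raises on the first record whose leading message is not
    the one expected (the failure mode described in the issue)."""
    expected = ["ServerHello", "Certificate"]
    seen = []
    for ctype, payload in split_records(data):
        if ctype != CONTENT_HANDSHAKE or not expected:
            break
        name = HS_TYPES.get(payload[0], f"type{payload[0]}")
        want = expected.pop(0)
        if name != want:
            raise ValueError(
                f"got bad TLS record (len:{len(payload)}) while expecting "
                f"{want.lower()}, found {name}")
        seen.append(name)
    return seen


def parse_handshake_flight(data):
    """Correct reader: concatenate the handshake payload of consecutive
    handshake records and parse every message from that buffer, so one record
    may carry several messages and one message may span several records."""
    buf = bytearray()
    for ctype, payload in split_records(data):
        if ctype != CONTENT_HANDSHAKE:
            raise ValueError(f"unexpected content type {ctype:#x}")
        buf += payload
    messages = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated handshake header")
        msg_type = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = bytes(buf[off + 4:off + 4 + length])
        if len(body) != length:
            raise ValueError("handshake message truncated (need more records)")
        messages.append((HS_TYPES.get(msg_type, f"type{msg_type}"), body))
        off += 4 + length
    return messages


# Constructed sample flight modelled on the capture in the issue: ServerHello and
# Certificate coalesced in record 1, ServerKeyExchange and ServerHelloDone in
# record 2. Field contents are placeholders, not a valid certificate or signature.
SERVER_HELLO = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
CERTIFICATE = b"\x00\x00\x07" + b"\x00\x00\x04" + b"\xde\xad\xbe\xef"
SERVER_KEY_EXCHANGE = b"\x03\x00\x17\x41\x04" + b"\x22" * 65
RECORD_1 = tls_record(handshake_message(2, SERVER_HELLO) + handshake_message(11, CERTIFICATE))
RECORD_2 = tls_record(handshake_message(12, SERVER_KEY_EXCHANGE) + handshake_message(14, b""))
SAMPLE_FLIGHT = RECORD_1 + RECORD_2

if __name__ == "__main__":
    print([name for name, _ in parse_handshake_flight(SAMPLE_FLIGHT)])
    try:
        naive_server_flight(SAMPLE_FLIGHT)
    except ValueError as err:
        print("naive reader:", err)
```

Run stand-alone, the buffering reader lists all four messages while the naive reader stops at record 2 with an error of the same shape as the wget output above. Because the buffering reader never assumes anything about where a record ends, it also copes with the opposite case, a single handshake message split across two records, which a one-message-per-record reader mishandles just as badly.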
It could be an oddity with Busybox's version of wget. I'd try it with the one from debian:bullseye-slim.
If you use Alpine's, it's going to be the same Busybox variant.
$ docker run --rm alpine wget --help
BusyBox v1.34.1 (2022-04-04 10:19:27 UTC) multi-call binary.