I have an API on Cloud Run developed using .NET 6. The API is working great, most routes are working as expected.
On my API I have some routes that need to check on an external service by making REST requests (mostly POST calls).
The problem is: when I take my API to Cloud Run, those routes don't work as expected. I receive an SSL ERROR during the request.
On my computer, coworkers' computers (different ISPs) and on a GCP VM the API works as expected.
The problem only occurs on Cloud Run.
    {
      "success": false,
      "metaData": null,
      "dataHora": "2022-04-25T17:09:16.683683 00:00",
      "errorMetaData": {
        "stackTrace": null,
        "errorMessage": "Call failed. The SSL connection could not be established, see inner exception: POST https://************************/b1s/v1/Login",
        "innerError": {
          "stackTrace": null,
          "errorMessage": "The SSL connection could not be established, see inner exception.",
          "innerError": {
            "stackTrace": null,
            "errorMessage": "Authentication failed, see inner exception.",
            "innerError": {
              "stackTrace": null,
              "errorMessage": "SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.",
              "innerError": {
                "stackTrace": null,
                "errorMessage": "error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol",
                "innerError": null
              }
            }
          }
        }
      }
    }
EDIT:
Dockerfile:
    #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
    FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
    WORKDIR /app
    EXPOSE 80
    EXPOSE 443

    FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
    WORKDIR /src
    COPY ["API/API.csproj", "API/"]
    RUN dotnet restore "API/API.csproj"
    COPY . .
    WORKDIR "/src/API"
    RUN dotnet build "API.csproj" -c Release -o /app/build

    FROM build AS publish
    RUN dotnet publish "API.csproj" -c Release -o /app/publish

    FROM base AS final
    WORKDIR /app
    COPY --from=publish /app/publish .
    ENTRYPOINT ["dotnet", "API.dll"]
I also think it is a TLS compatibility problem, because the API I'm trying to reach has an old TLS version.
I tried on my local machine using Docker and received the same error - so it's not a Cloud Run issue, but some kind of configuration in Docker maybe?
CodePudding user response:
I fixed the problem by changing the minimum version of TLS to 1.0 with the following code, before the ENTRYPOINT.
    RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/' /etc/ssl/openssl.cnf \
        && sed -i 's/CipherString = DEFAULT@SECLEVEL=2/CipherString = DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf
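
Added example, not part of the original answer: `sed` exits 0 even when its pattern matches nothing, so this sketch reads the two settings back from the config file and fails when the substitutions above did not take effect. The function names and the sample config are constructed for illustration, and the parser ignores section headers.

```shell
#!/bin/sh
# Added example: read back the two OpenSSL settings the sed commands rewrite.

# Print the value assigned to key $1 in config file $2 (comment lines are
# skipped; section headers are ignored, which is a simplification).
cnf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Print "MinProtocol=<v> SECLEVEL=<n> <strict|relaxed|unknown>" for file $1.
tls_floor() {
    min=$(cnf_value MinProtocol "$1")
    level=$(cnf_value CipherString "$1" | sed -n 's/.*@SECLEVEL=\([0-9]\).*/\1/p')
    if [ -z "$min" ] || [ -z "$level" ]; then
        state=unknown    # a setting is absent, so at least one sed pattern cannot match
    elif [ "$level" -ge 2 ] && { [ "$min" = TLSv1.2 ] || [ "$min" = TLSv1.3 ]; }; then
        state=strict
    else
        state=relaxed
    fi
    printf 'MinProtocol=%s SECLEVEL=%s %s\n' "${min:-unset}" "${level:-unset}" "$state"
}

# Apply the answer's two substitutions to file $1, then return non-zero unless
# both took effect (sed itself exits 0 even when nothing was replaced).
relax_checked() {
    sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/' "$1"
    sed -i 's/CipherString = DEFAULT@SECLEVEL=2/CipherString = DEFAULT@SECLEVEL=1/' "$1"
    [ "$(tls_floor "$1")" = "MinProtocol=TLSv1 SECLEVEL=1 relaxed" ]
}

# Constructed sample with the two lines the sed patterns expect.
write_sample() {
    printf '%s\n' '[system_default_sect]' 'MinProtocol = TLSv1.2' \
        'CipherString = DEFAULT@SECLEVEL=2' > "$1"
}

# Stand-alone demo on a temporary copy of the constructed sample.
demo=$(mktemp)
write_sample "$demo"
tls_floor "$demo"
relax_checked "$demo" && tls_floor "$demo"
rm -f "$demo"
```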