SSL error during cloud run external request on REST API

I have a API on cloud run developed using .NET 6. The API is working great, most routes are working as expected.

On my API I have some routes that needs to check on a external service making REST requests (mostly POST calls).

The problem is: when I take my API to cloud run, those routes don't work as expected. I receive an SSL ERROR during the request.

On my computer, coworkers computers (different ISP) and on a GCP VM the API work as expected.

The problem only occurs on cloud run.

{
  "success": false,
  "metaData": null,
  "dataHora": "2022-04-25T17:09:16.683683 00:00",
  "errorMetaData": {
    "stackTrace": null,
    "errorMessage": "Call failed. The SSL connection could not be established, see inner exception: POST https://************************/b1s/v1/Login",
    "innerError": {
      "stackTrace": null,
      "errorMessage": "The SSL connection could not be established, see inner exception.",
      "innerError": {
        "stackTrace": null,
        "errorMessage": "Authentication failed, see inner exception.",
        "innerError": {
          "stackTrace": null,
          "errorMessage": "SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.",
          "innerError": {
            "stackTrace": null,
            "errorMessage": "error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol",
            "innerError": null
          }
        }
      }
    }
  }
}

EDIT:

Dockerfile:

#See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
EXPOSE 80
EXPOSE 443

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build
WORKDIR /src
COPY ["API/API.csproj", "API/"]
RUN dotnet restore "API/API.csproj"
COPY . .
WORKDIR "/src/API"
RUN dotnet build "API.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "API.csproj" -c Release -o /app/publish

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "API.dll"]

I think too is a problem in TLS compatibility because the API I'm trying to reach has a old TLS version.

Tried on my local machine using docker and received the same error - so it's not a cloud run issue, but some kinda of configuration in docker maybe?

CodePudding user response：

I fixed the problem by changing the minimum version of TLS to 1.0 with the following code, before the ENTRYPOINT.

RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/' /etc/ssl/openssl.cnf \
&& sed -i 's/CipherString = DEFAULT@SECLEVEL=2/CipherString = DEFAULT@SECLEVEL=1/' /etc/ssl/openssl.cnf