When you send a request from a Linux container via HttpClient, then depending on the target URI the request may fail and throw an exception during the SSL handshake with the OpenSSL error SSL_ERROR_SSL.
When I encountered this problem, my first thought was that HttpClient had failed to validate the SSL certificate. However, after reading through all the inner exceptions, my eyes landed on this line:
routines:tls_process_ske_dhe:dh key too small
Bingo. It looks like the openssl.cnf inside my container on K8s has a stricter setting than the website's SSL certificate. Gladly, this is an easy fix.
Solution
Inside our Dockerfile we have to add two RUN commands that modify the container's openssl.cnf settings.
## ....
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
## ....
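What these two lines do is change the value of SECLEVEL from 2 to 1 in both openssl.cnf files. At level 2 OpenSSL rejects DH keys shorter than 2048 bits; level 1 lowers that minimum to 1024 bits, and the lower level applies to every OpenSSL client in the container that uses this default configuration, not only to the one failing request. After adding these two lines, rebuild the image and everything will work as expected.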
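The sed commands above exit 0 even when the pattern is not in the file, so on a base image with a different openssl.cnf the build succeeds and the handshake error remains. The script below is an added example, not part of the original post: the function names lower_seclevel and make_sample_cnf are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): checked form of the two sed edits.
# lower_seclevel FILE returns 0 only if FILE ends up with DEFAULT@SECLEVEL=1.
lower_seclevel() {
    cnf=$1
    if [ ! -f "$cnf" ]; then
        echo "lower_seclevel: $cnf not found" >&2
        return 2
    fi
    # Already lowered, for example when both paths point at the same file.
    if grep -q 'DEFAULT@SECLEVEL=1' "$cnf" && ! grep -q 'DEFAULT@SECLEVEL=2' "$cnf"; then
        return 0
    fi
    # sed exits 0 even when nothing matched, so test for the pattern first.
    if ! grep -q 'DEFAULT@SECLEVEL=2' "$cnf"; then
        echo "lower_seclevel: DEFAULT@SECLEVEL=2 not present in $cnf" >&2
        return 3
    fi
    tmp=$(mktemp) || return 4
    # Write through the existing path so a symlinked config stays a symlink.
    sed 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' "$cnf" > "$tmp" && cat "$tmp" > "$cnf"
    sed_rc=$?
    rm -f "$tmp"
    [ "$sed_rc" -eq 0 ] || return 4
    grep -q 'DEFAULT@SECLEVEL=1' "$cnf"
}

# Constructed sample input: a minimal config containing the line the post edits.
make_sample_cnf() {
    cat > "$1" <<'EOF'
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}
```

Sourced from a script that a RUN step calls once per openssl.cnf path, a non-zero return stops the image build instead of leaving the config unchanged.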