Error: attempt to index local 'ssl' (a nil value) for Kong >= 3.6.0 when KONG_PG_SSL=on #13083

Closed
1 task done
salyh opened this issue May 26, 2024 · 6 comments
Labels
pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc...

Comments


salyh commented May 26, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

Kong 3.6.1

Current Behavior

I have a Postgres 15 running as SaaS and I want to connect Kong to it.
I need to set KONG_PG_SSL=on (if I don't, I get "failed to retrieve PostgreSQL server_version_num: FATAL: pg_hba.conf rejects connection for host "xxx.xxx.xxx.xx")

With Kong >= 3.6.0 I receive the error "attempt to index local 'ssl' (a nil value)". Kong 3.5 works as expected.

docker run  --rm  \
  -e "KONG_PG_DATABASE=kongdb" \
  -e "KONG_PG_HOST=postgres15.saas.domain.com" \
  -e "KONG_PG_PORT=5432" \
  -e "KONG_PG_PASSWORD=secret" \
  -e "KONG_PASSWORD=123456" \
  -e "KONG_PG_SSL=on" \
  kong:3.6.1 kong migrations bootstrap

results in

2024/05/26 02:01:15 [warn] 1297#0: *2 [lua] nginx.lua:300: get_ngx_ssl_from_socket_ctx(): note resty.openssl.auxiliary.nginx is using plain FFI and it's only intended to be used in development, consider using lua-resty-openssl.aux-module in production., context: ngx.timer
**Error: attempt to index local 'ssl' (a nil value)**

whereas

docker run  --rm  \
  -e "KONG_PG_DATABASE=kongdb" \
  -e "KONG_PG_HOST=postgres15.saas.domain.com" \
  -e "KONG_PG_PORT=5432" \
  -e "KONG_PG_PASSWORD=secret" \
  -e "KONG_PASSWORD=123456" \
  -e "KONG_PG_SSL=on" \
  kong:3.5 kong migrations bootstrap

works well.

Expected Behavior

No error message and db gets bootstrapped for Kong >= 3.6.0

Steps To Reproduce

docker run --rm \
  -e "KONG_PG_DATABASE=kongdb" \
  -e "KONG_PG_HOST=postgres15.saas.domain.com" \
  -e "KONG_PG_PORT=5432" \
  -e "KONG_PG_PASSWORD=secret" \
  -e "KONG_PASSWORD=123456" \
  -e "KONG_PG_SSL=on" \
  kong:3.6.1 kong migrations bootstrap

Anything else?

No response

@ADD-SP
Contributor

ADD-SP commented May 27, 2024

https://docs.konghq.com/gateway/changelog/#3600

In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. This means the security level is set to 112 bits of security. As a result, the following are prohibited:

  • RSA, DSA, and DH keys shorter than 2048 bits
  • ECC keys shorter than 224 bits
  • Any cipher suite using RC4
  • SSL version 3

Additionally, compression is disabled.

Bumped OpenSSL from 3.1.4 to 3.2.1 #12264

@salyh Thanks for your report. Could you please check the TLS settings of your Postgres database? This issue might be caused by the behavior changes of OpenSSL.
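The TLS-settings check requested above can be done offline against a saved handshake summary. This is an added example, not code from the issue or from Kong: it parses summary lines in the format `openssl s_client` prints and flags the level 2 limits quoted from the changelog; the samples are constructed and `level2_findings` is a hypothetical name.

```python
import re

# Level 2 minimum key sizes, as quoted from the Kong 3.6.0 changelog above.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "ECDSA": 224, "ECDH": 224}
# Constructed samples (not from the reporter's server) in the summary format
# printed by `openssl s_client -starttls postgres -connect HOST:5432`.
SAMPLE_WEAK = """\
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Compression: NONE
"""
SAMPLE_OK = """\
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Compression: NONE
"""

def _find(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def level2_findings(text):
    """List the reasons a captured handshake summary breaks security level 2."""
    out = []
    sig = _find(r"^Peer signature type: (\w+)", text)
    key = _find(r"^Server public key is (\d+) bit", text)
    tmp = _find(r"^Server Temp Key: (\w+),.*?(\d+) bits", text)
    new = _find(r"^New, (\S+), Cipher is (\S+)", text)
    comp = _find(r"^Compression: (\S+)", text)
    # Assumption: the server key family follows the signature type (RSA-PSS -> RSA).
    pairs = [("server key", sig[0].upper(), int(key[0]))] if sig and key else []
    if tmp:
        pairs.append(("temp key", tmp[0].upper(), int(tmp[1])))
    for what, family, bits in pairs:
        if bits < MIN_BITS.get(family, 0):
            out.append(f"{what}: {family} {bits} bits < {MIN_BITS[family]}")
    if new and new[0] == "SSLv3":
        out.append("protocol: SSL version 3")
    if new and "RC4" in new[1]:
        out.append(f"cipher: {new[1]} uses RC4")
    if comp and comp[0] != "NONE":
        out.append(f"compression enabled: {comp[0]}")
    return out

if __name__ == "__main__":
    print(level2_findings(SAMPLE_WEAK))
```

To check a real server, save the `openssl s_client` output to a file and pass its text to `level2_findings`; an empty list means none of the quoted level 2 limits were hit.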

ADD-SP added the pending author feedback label May 27, 2024

@weberpatr

seems to be the same issue as #12702

@ADD-SP
Contributor

ADD-SP commented May 27, 2024

Thanks to @weberpatr. @fffonion Any update on this issue?

ADD-SP removed the pending author feedback label May 27, 2024

@jeremyjpj0916
Contributor

Seems 3.7.x is imminent to fix the postgres TLS issues, see here for a possible workaround too:
#12702 (comment)

@Water-Melon
Contributor

It's fixed in 3.7, please refer to #12592.

ADD-SP added the pending author feedback label May 30, 2024

@weberpatr

can confirm the issue is solved after updating to 3.7
thanks a lot!
