
help request: ApisixTls configuration for SSL enabled Upstream #11114

Closed
singhajitk opened this issue Apr 2, 2024 · 2 comments

Comments

singhajitk commented Apr 2, 2024

Description

Getting a tlsv1 alert internal error when using ApisixTls, following the link https://apisix.apache.org/docs/ingress-controller/concepts/apisix_tls/

Error:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Environment

Hi @shreemaan-abhishek, I am getting an SSL error while making a curl call to an SSL-enabled upstream. I have configured ApisixTls for the upstream SNI.

For the ApisixTls configuration below, we have followed the documentation https://github.com/apache/apisix-ingress-controller/blob/master/docs/en/latest/tutorials/manage-certificates-with-cert-manager.md but are still getting an SSL error:

apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: my-tls
spec:
  hosts:
  - <host url>
  secret:
    name: app-secret
    namespace: default
  client:
    caSecret:
      name: app-ca-secret
      namespace: default
    depth: 10


The curl command curl -ik https://<app host url>/api/health --cert app.crt --key app.key works fine.
So, my question is: "Can we enable SSL for APISIX but bypass the mutual SSL validation?" I tried adding the field skip_mtls_uri_regex in the ApisixTls resource but it is throwing an error: data: ValidationError(ApisixTls.spec.client): unknown field "skip_mtls_uri_regex" in org.apache.apisix.v2.ApisixTls.spec.client

APISIX deployment info:

APISIX version : - 3.8.0
Operating system : Linux apisix-647b4867df-79542 5.4.0-136-generic #153~18.04.1-Ubuntu SMP Wed Nov 30 15:47:57 UTC 2022 x86_64 GNU/Linux
OpenResty / Nginx version (run openresty -V or nginx -V):
nginx version: openresty/1.21.4.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 3.2.0 23 Nov 2023
TLS SNI support enabled

APISIX Dashboard version, if relevant: 3.0.0

@hanqingwu commented

Can you try this? https://apisix.apache.org/docs/apisix/tutorials/client-to-apisix-mtls/#mtls-bypass-based-on-regular-expression-matching-against-uri

@singhajitk (Author) commented

Thank you @hanqingwu, I used the Admin API to create the ApisixTls resource and it worked with the field "skip_mtls_uri_regex".
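The thread resolves the question by creating the SSL object through the APISIX Admin API, where the `client.skip_mtls_uri_regex` field is accepted, instead of through the ApisixTls CRD. The following script is an added example, not code from the issue participants or from the APISIX project. It builds the JSON body for that Admin API SSL object (fields `snis`, `cert`, `key`, `client.ca`, `client.depth`, `client.skip_mtls_uri_regex`) and, before anything is applied, audits which request URIs a given bypass pattern would exempt from client-certificate validation. The PEM values and the sample URIs are constructed placeholders; the audit assumes the pattern is evaluated against the request URI as an unanchored regex search, so an unanchored pattern such as `/api/health` also exempts `/admin/api/health` and `/api/healthcheck`, while the anchored `^/api/health$` exempts only the health endpoint.

```python
"""Build an APISIX Admin API SSL object with an mTLS bypass regex and audit it.

Added example (not from the issue or the APISIX project).
Assumption: skip_mtls_uri_regex patterns are applied to the request URI as an
unanchored regex search, so unanchored patterns match anywhere in the path.
"""
import json
import re

# Constructed placeholders; real deployments load these from the Kubernetes
# secrets the ApisixTls manifest references (app-secret, app-ca-secret).
PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----"
PLACEHOLDER_KEY = "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----"
PLACEHOLDER_CA = "-----BEGIN CERTIFICATE-----\n(placeholder CA)\n-----END CERTIFICATE-----"


def build_ssl_object(snis, cert_pem, key_pem, ca_pem, skip_regexes, depth=1):
    """Return the JSON body for PUT /apisix/admin/ssls/{id}.

    Every bypass pattern is compiled first so a malformed regex is rejected
    here rather than at the gateway.
    """
    for pattern in skip_regexes:
        re.compile(pattern)  # raises re.error on an invalid pattern
    return {
        "snis": list(snis),
        "cert": cert_pem,
        "key": key_pem,
        "client": {
            "ca": ca_pem,
            "depth": depth,
            "skip_mtls_uri_regex": list(skip_regexes),
        },
    }


def mtls_bypassed(uri, skip_regexes):
    """True if client-certificate validation would be skipped for this URI."""
    return any(re.search(pattern, uri) for pattern in skip_regexes)


def audit_bypass(skip_regexes, sample_uris):
    """Map each sample URI to whether the bypass list would exempt it from mTLS."""
    return {uri: mtls_bypassed(uri, skip_regexes) for uri in sample_uris}


# Constructed sample URIs: the intended health endpoint plus look-alike paths
# that an over-broad pattern would also exempt.
SAMPLE_URIS = ["/api/health", "/admin/api/health", "/api/healthcheck"]

if __name__ == "__main__":
    print("unanchored:", audit_bypass(["/api/health"], SAMPLE_URIS))
    print("anchored:  ", audit_bypass(["^/api/health$"], SAMPLE_URIS))
    body = build_ssl_object(["app.example.com"], PLACEHOLDER_CERT, PLACEHOLDER_KEY,
                            PLACEHOLDER_CA, ["^/api/health$"], depth=10)
    print(json.dumps(body, indent=2))
```

The dictionary returned by `build_ssl_object` is the request body for `PUT /apisix/admin/ssls/<id>` with the `X-API-KEY` header set to the Admin API key; running the audit first shows why the bypass list should be anchored to the exact unauthenticated paths rather than a substring, since every URI it matches is served without a client certificate.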

@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅ Done in Apache APISIX backlog Apr 3, 2024