
By default, GO breaks the TLS with 16k RSA keys compatibility #13817

Closed
Astaoth opened this issue Aug 22, 2023 · 1 comment
Labels
bug unexpected problem or unintended behavior

Comments


Astaoth commented Aug 22, 2023

Relevant telegraf.conf

This is a Telegraf compilation issue.

Logs from Telegraf

août 22 16:16:37 localhost telegraf[19554]: 2023-08-22T14:16:37Z I! Loading config: https://supervision.domain.tld:8086/api/v2/telegrafs/c663f5b1000
août 22 16:16:38 localhost telegraf[19554]: 2023-08-22T14:16:38Z E! error loading config file https://supervision.domain.tld:8086/api/v2/telegrafs/c663f5b1000: retry 0 of 3 failed connecting to HTTP config server: Get "https://supervision.domain.tld:8086/api/v2/telegrafs/c663f5b1000": tls: server sent certificate containing RSA key larger than 8192 bits

System info

Telegraf 1.27.4-1 armhf / Raspbian 11.7

Docker

No response

Steps to reproduce

  1. Set up an InfluxDB 2 server
  2. Set up a Telegraf client
  3. Configure the InfluxDB server to use TLS, with a TLS cert which has a 16k RSA key
  4. Configure the Telegraf client to use a configuration file hosted on the InfluxDB server, with the right token
  5. Try to launch Telegraf

Expected behavior

When starting the Telegraf service, it should be able to get its configuration file and start reporting metrics, as is the case with version 1.27.1.

Actual behavior

Due to some default changes made in GO this month, the Telegraf service will not be able to get its config file if the RSA key is higher than 8192 bits.

Additional info

This change in GO is described here: golang/go#61460
There is a possibility to re-establish this behaviour with a GODEBUG flag as described here: https://tip.golang.org/doc/godebug
However, it seems that this flag should be set at build time, and is ignored at execution time. Would it be possible to build Telegraf with the flag GODEBUG=tlsmaxrsasize=16384?

@Astaoth Astaoth added the bug unexpected problem or unintended behavior label Aug 22, 2023

powersj commented Aug 22, 2023

Hi,

It is rather unfortunate when behavior like this changes, but the change does appear to be due to denial of service attacks in either direction.

After talking to the security team, telegraf will continue to build with the upstream defaults. We did consider adding a config option that would allow you to set the max key value. Adding this to the agent is something we could do. The next step then would be to check for the size error at every HTTP request. This in practice adds a maintenance burden on any HTTP request to always check for this error, which we do not want to take on at this time.

We are not going to make any changes at this time. You are however always welcome to build telegraf yourself with that option.

@powersj powersj closed this as not planned Won't fix, can't repro, duplicate, stale Aug 22, 2023
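As an added example (not Telegraf's or Go's own code), a pre-flight check an operator can run over the server's PEM chain before rolling out a Telegraf built with the upstream defaults: it repeats the comparison the Go TLS client makes, which rejects any RSA key in the presented chain (not only the leaf) above the GODEBUG tlsmaxrsasize value, 8192 bits by default. The oversized input is a constructed certificate carrying a fake 16384-bit RSA modulus signed with a throwaway Ed25519 key, so it runs instantly; DefaultMaxRSABits, OversizedRSAKeys and syntheticRSACertPEM are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DefaultMaxRSABits is the cap a Go TLS client enforces on the server's chain unless
// GODEBUG=tlsmaxrsasize raises it: the "8192 bits" in the Telegraf log line above.
const DefaultMaxRSABits = 8192
// OversizedRSAKeys returns the bit length of every RSA key in a PEM chain above maxBits,
// the same test the client applies to the whole presented chain before verification.
func OversizedRSAKeys(chainPEM []byte, maxBits int) ([]int, error) {
	var oversized []int
	for b, rest := pem.Decode(chainPEM); b != nil; b, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s block: %w", b.Type, err)
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() > maxBits {
			oversized = append(oversized, pub.N.BitLen())
		}
	}
	return oversized, nil
}
// syntheticRSACertPEM builds a test certificate carrying a constructed `bits`-bit RSA modulus
// (not a real key, it has no private half), signed by a throwaway Ed25519 key for speed.
func syntheticRSACertPEM(bits int) []byte {
	signer := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: test only
	n := new(big.Int).SetBit(big.NewInt(1), bits-1, 1)              // odd, BitLen() == bits
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &rsa.PublicKey{N: n, E: 65537}, signer)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	for _, bits := range []int{2048, 16384} {
		bad, err := OversizedRSAKeys(syntheticRSACertPEM(bits), DefaultMaxRSABits)
		fmt.Printf("%d-bit RSA key over the default cap: %v (err=%v)\n", bits, len(bad) > 0, err)
	}
}
```

Rerunning the check with maxBits set to 16384 shows which chains a client with GODEBUG=tlsmaxrsasize=16384 would accept.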