Can not connect to API server enforcing TLS 1.3

[ManuelWe]

Describe the bug

In my kube-apiserver I enforce TLS 1.3 with the --tls-min-version=VersionTLS13 flag.
Connecting via curl works fine but the kubernetes client throws a protocol_version exception during SSL handshake.

At first I did not have any custom kubernetes client config. I also tried specifying TLS 1.3 explicitly which produces the same outcome (logs below):

Config config = new ConfigBuilder().withTlsVersions(new TlsVersion[]{TlsVersion.TLS_1_3, TlsVersion.TLS_1_2}).build();
KubernetesClient client = new KubernetesClientBuilder().withConfig(config).build();

When only setting TlsVersion.TLS_1_3 in the client I get a different error:

2023-05-12T14:48:15,746+00 DEBUG io.fabric8.kubernetes.client.http.StandardHttpClient [OkHttp https://172.17.0.1/...] HTTP operation on url: https://172.17.0.1:443/api/v1/namespaces/opsb/pods should be retried after 400 millis because of IOException java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_256_CCM_8_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_3], supportsTlsExtensions=true), ConnectionSpec()], supported protocols=[TLSv1.2]

I tried out all kinds of different things to get this working but nothing helped. I also made sure that it is not an issue with our application (Java 17) but another client can connect to servers with TLS 1.3 without any issue.

Fabric8 Kubernetes Client version

other (please specify in additional context)

Steps to reproduce

1. Setup the kubernetes API server with tls-min-version 1.3
2. Try to connect to it with the kubernetes client

Expected behavior

The client should be able to connect to a server with TLS 1.3 without any changes/issues since TLS 1.3 is part of okhttp3 MODERN_TLS.

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

other (please specify in additional context)

Environment

Linux

Fabric8 Kubernetes Client Logs

javax.net.ssl|DEBUG|41|OkHttp https://172.17.0.1/...|2023-05-12 14:36:43.940 UTC|ClientHello.java:641|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "5BF035D084CE70563EE596FC35E77372500A6F19223BECFF7617CB1E530B0CC1",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "session_ticket (35)": {
      <empty>
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|41|OkHttp https://172.17.0.1/...|2023-05-12 14:36:43.942 UTC|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "protocol_version"
}
)
javax.net.ssl|ERROR|41|OkHttp https://172.17.0.1/...|2023-05-12 14:36:43.943 UTC|TransportContext.java:370|Fatal (PROTOCOL_VERSION): Received fatal alert: protocol_version (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:365)
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:204)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:320)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:284)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:169)
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257)
        at okhttp3.RealCall$AsyncCall.execute(RealCall.java:201)
        at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:833)}

)

Additional context

Kubernetes Client version 6.6.0 (also tried with 5.12.3)
Kubernetes API Server version: 1.26.1

[shawkins]

SSLUtils.sslContext is specifying 1.2, which unfortunately limits the protocol support to that level. This will need a code fix.

[manusa]

kubernetes-client/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/SSLUtils.java

Lines 85 to 93 in b095b78

	public static SSLContext sslContext(KeyManager[] keyManagers, TrustManager[] trustManagers) {
	try {
	SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
	sslContext.init(keyManagers, trustManagers, new SecureRandom());
	return sslContext;
	} catch (KeyManagementException | NoSuchAlgorithmException e) {
	throw KubernetesClientException.launderThrowable(e);
	}
	}