
Upgrade TLS version used to connect to registry & blob backend #314

Open

tianouya-db opened this issue Feb 16, 2024 · 2 comments
Labels
enhancement New feature or request

tianouya-db commented Feb 16, 2024

What is the version of your Overlaybd

0.6.17

What would you like to be added?

Upgrade the TLS version to 1.2+.

We found that overlaybd is using TLS v1 to talk to registry & blob backend. We've seen transient failures with S3 that failed on TLS handshake timeout. Can we configure overlaybd to use TLS v1.2+?

Why is this needed for Overlaybd?

Support TLS version 1.2+ in overlaybd.

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
Coldwings (Contributor) commented:

Overlaybd uses the curl wrapper in LibPhotonOS for registryfs and the SSL wrapper for registryfs_v2; both implementations already support TLSv1.2.

In registryfs (which is the default registry connection implementation in overlaybd 0.6.17 and all versions < 1.0.2), the default TLS version is decided by the libcurl that is linked.

In registryfs_v2 (default in overlaybd >= 1.0.2), https access uses TLS v1.2.

The reason S3 reported a TLS handshake timeout may not be the protocol version; could you provide more details of that condition?

tianouya-db (Author) commented:

@Coldwings thanks for the response.

Brief context: we see "net/http: TLS handshake timeout" on requests to S3. We captured the traffic and saw that the failed handshakes used TLSv1. We then inspected the traffic from our node and found that the overlaybd-tcmu process seems to be sending the traffic: "TLSv1 583 Client Hello".

"In registryfs, the default TLS version is decided by the libcurl that is linked."

Do we know the default version by any chance? Meanwhile, I can try upgrading to 1.0.2+, and see if it helps.
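To interpret a capture line like the "TLSv1 583 Client Hello" above, here is an added example (my own code, not from overlaybd, PhotonOS or libcurl) that decodes a ClientHello and reports which versions the client really offers. The ClientHello bytes it parses are constructed inline, not a real capture; the caveat it demonstrates is that the record-layer version of a ClientHello is commonly 0x0301 ("TLSv1") even for TLS 1.2/1.3 clients, so the client_version field and the supported_versions extension are what to look at.

```python
"""Decode a TLS ClientHello to see which protocol versions the client really offers."""
import struct

SUPPORTED_VERSIONS_EXT = 0x002B                    # RFC 8446 extension type
TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_client_hello(record):
    """Return record version, client_version, supported_versions and the highest offered."""
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + hello[pos]                          # session_id (1-byte length prefix)
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites (2-byte length)
    pos += 1 + hello[pos]                          # compression_methods (1-byte length)
    supported = []
    if pos < len(hello):                           # extensions block is optional
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == SUPPORTED_VERSIONS_EXT:  # 1-byte list length, then 2-byte versions
                supported = [struct.unpack("!H", data[i:i + 2])[0]
                             for i in range(1, 1 + data[0], 2)]
    highest = max(supported) if supported else client_version
    return {"record_version": TLS_NAMES.get((major << 8) | minor, "unknown"),
            "client_version": TLS_NAMES.get(client_version, "unknown"),
            "supported_versions": [TLS_NAMES.get(v, hex(v)) for v in supported],
            "max_offered": TLS_NAMES.get(highest, "unknown")}


def build_client_hello(client_version, supported=None):
    """Constructed sample ClientHello (not a real capture); the random is zeroed for brevity."""
    ext = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        body = bytes([len(vers)]) + vers
        ext = struct.pack("!HHH", 4 + len(body), SUPPORTED_VERSIONS_EXT, len(body)) + body
    hello = (struct.pack("!H", client_version) + bytes(32) + b"\x00"  # empty session_id
             + b"\x00\x02\x00\x2f"                                    # one cipher suite
             + b"\x01\x00" + ext)                                     # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record version 0x0301
```

A modern client built this way shows record_version "TLSv1.0" but max_offered "TLSv1.3", while a hello with client_version 0x0301 and no extensions really is limited to TLS 1.0; only the latter would explain a handshake failure against a 1.2+-only endpoint.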
