
No available signature authentication scheme while deploying to Kubernetes #11

Closed
hanstrompert opened this issue Oct 22, 2021 · 1 comment


@hanstrompert
Member

While deploying the container version of nsi-dds to Kubernetes, the TLS handshake fails because no mutual signature authentication scheme can be found. The result is the same for a TLSv1.2 and a TLSv1.3 handshake. A simple Java program run in the same container with the same key- and truststore, trying to connect to the same URL, does succeed. This more or less rules out problems with the Java environment inside the container or problems with the key- and truststore used.

Example client certificate request from the server:

Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512, rsa_pkcs1_sha1]
    },
    "certificate_authorities (47)": {
      "certificate authorities": [
        CN=dds.nsi.nrp-nautilus.io
        CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
        CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
        CN=GEANT Personal CA 4, O=GEANT Vereniging, C=NL
        CN=R3, O=Let's Encrypt, C=US
        CN=ISRG Root X1, O=Internet Security Research Group, C=US
        CN=safnari.nsi.nrp-nautilus.io
        CN=onsaclient.automation.surf.net, OU=network services, O=SURF, C=NL
        CN=GEANT OV RSA CA 4, O=GEANT Vereniging, C=NL]
    }
  ]
}
)

And the part where nsi-dds cannot find a signature scheme resulting in an empty list of usable client certificates:

javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha256
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.555 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha384
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pss_rsae_sha512
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|CertificateMessage.java:1084|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|WARNING|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.556 UTC|CertificateMessage.java:1094|No available authentication scheme
javax.net.ssl|DEBUG|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.557 UTC|CertificateMessage.java:1106|No available client authentication scheme
javax.net.ssl|DEBUG|10|NSI-DISCOVERY-akka.actor.default-dispatcher-2|2021-10-21 14:49:46.557 UTC|CertificateMessage.java:1140|Produced client Certificate message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
]
}
)

Full debug log for this connection attempt: log.txt
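Added editorial note, not part of the issue or of nsi-dds: the "No X.509 cert selected for EC/RSA" lines above come from JSSE narrowing the keystore to entries whose key type matches one of the offered signature schemes and whose chain contains a certificate issued by one of the listed certificate_authorities. The Python model below reproduces that selection over a constructed, abridged copy of the CertificateRequest dump and a constructed keystore (aliases, key algorithms and issuer DNs are invented), so the same check can be replayed against one's own keystore contents offline.

```python
import re
# Constructed, abridged copy of the CertificateRequest dump quoted above.
CERT_REQUEST = '''
"signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256,
ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512,
rsa_pkcs1_sha512, rsa_pkcs1_sha1]
"certificate authorities": [
  CN=dds.nsi.nrp-nautilus.io
  CN=GEANT OV RSA CA 4, O=GEANT Vereniging, C=NL
  CN=R3, O=Let's Encrypt, C=US]
'''
# Key type JSSE derives from a scheme name (the "EC"/"RSA" in the log lines).
SCHEME_KEY_TYPE = {"ecdsa": "EC", "rsa_pss_rsae": "RSA", "rsa_pkcs1": "RSA",
                   "rsa_pss_pss": "RSASSA-PSS", "ed25519": "EdDSA", "ed448": "EdDSA"}

# Constructed keystore: alias, end-entity key algorithm, issuer DN per chain cert.
KEYSTORE = [
    {"alias": "old-dsa", "key_alg": "DSA",
     "chain_issuers": ["CN=R3, O=Let's Encrypt, C=US"]},
    {"alias": "nsi-dds", "key_alg": "RSA",
     "chain_issuers": ["CN=GEANT OV RSA CA 4, O=GEANT Vereniging, C=NL"]},
]

def norm_dn(dn):
    """Crude DN normalisation; X500Principal compares a canonical form."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_certificate_request(text):
    """Return (accepted key types in offer order, set of normalised CA DNs)."""
    schemes = re.search(r'"signature schemes":\s*\[(.*?)\]', text, re.S).group(1)
    key_types = []
    for s in (x.strip() for x in schemes.split(",")):
        kt = next((v for k, v in SCHEME_KEY_TYPE.items() if s.startswith(k)), None)
        if kt and kt not in key_types:
            key_types.append(kt)
    cas = re.search(r'"certificate authorities":\s*\[(.*?)\]', text, re.S).group(1)
    return key_types, {norm_dn(ln) for ln in cas.splitlines() if ln.strip()}

def choose_client_alias(entries, key_types, issuers):
    """Model of X509KeyManager.chooseClientAlias: first entry with a requested key
    type and a chain cert issued by a listed CA (empty CA list accepts any chain)."""
    reasons = []
    for e in entries:
        if e["key_alg"] not in key_types:
            reasons.append(f'{e["alias"]}: key type {e["key_alg"]} not requested')
        elif issuers and not any(norm_dn(i) in issuers for i in e["chain_issuers"]):
            reasons.append(f'{e["alias"]}: no cert in chain issued by a listed CA')
        else:
            return e["alias"], reasons
    return None, reasons
```

An empty result with reasons for every alias corresponds to the "No available client authentication scheme" warning and the empty certificate_list in the log; the real key manager is also subject to how the SSLContext was built, which this model does not cover.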

@jmacauley
Member

This issue was fixed with update eecef0e4110b606da5fff94166a1a7b003e44cae. Fix verified by Hans.
