
[Bug]: Go 1.23 is incompatible with AWS Network Firewalls #3421

Open
1 task
christiangjengedal opened this issue Feb 27, 2025 · 5 comments
Labels
general-usage General help/usage questions

Comments

@christiangjengedal

christiangjengedal commented Feb 27, 2025

Terraform CLI Version

1.7.3

Terraform Provider Version

1.0.4

Company Name

No response

Terraform Configuration

terraform {
  required_providers {
    snowflake = {
      source = "Snowflake-Labs/snowflake"
      version = "1.0.4"
    }
  }
}

Category

category:other

Object type(s)

No response

Expected Behavior

The provider should be able to communicate with Snowflake APIs through firewalls using HTTPS.

Actual Behavior

The upgrade to Go 1.23 makes the provider incompatible with Suricata-based firewalls, like AWS Network Firewalls. So if terraform talks to Snowflake through a Suricata firewall (or another without Kyber768 support), the communication is dropped.

The issue is described in detail in hashicorp/terraform-provider-aws#39311. My report is just a copy-and-replace:

Go 1.23.0 introduced a minor change to the crypto/tls standard library package:

The experimental post-quantum key exchange mechanism X25519Kyber768Draft00 is now enabled by default when Config.CurvePreferences is nil. The default can be reverted by adding tlskyber=0 to the GODEBUG environment variable.

This additional key exchange mechanism causes the length of the TLS ClientHello message to increase. The increased message length leads to AWS Network Firewall dropping the message.

AWS Network Firewall drops the message (causing the TLS handshake to timeout) because its stateful rule capability currently uses Suricata version 6.0.9, and this version of Suricata is known to drop TLS packets beyond a certain length.

Update: AWS Network Firewall now supports Suricata version 7.0 (Network Firewall upgraded from Suricata version 6.0.9 to 7.0 in November of 2024), but the issue is still unsolved on Suricata version 7.0.4.

Steps to Reproduce

Run terraform with the snowflake provider version 1.0.4 behind a firewall without kybertls support.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@christiangjengedal christiangjengedal added the bug Used to mark issues with provider's incorrect behavior label Feb 27, 2025
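As an added example (not code from this issue or from the Snowflake provider), the program below captures the ClientHello that Go's crypto/tls emits over an in-memory pipe and compares the size produced by the Go defaults with one where Config.CurvePreferences is pinned to classical groups, which is the in-code counterpart of the GODEBUG=tlskyber=0 workaround discussed above. The server name is a constructed placeholder; nothing is ever connected to.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

const sni = "example.invalid" // constructed placeholder; nothing is ever connected to it

// clientHelloSize drives a crypto/tls client handshake over an in-memory pipe,
// captures the first record it writes (the ClientHello) and returns that
// record's body length in bytes. No network traffic is generated.
func clientHelloSize(cfg *tls.Config) (int, error) {
	clientConn, serverConn := net.Pipe()
	defer serverConn.Close() // closing the pipe makes the client's pending read fail
	go func() {
		defer clientConn.Close()
		_ = tls.Client(clientConn, cfg).Handshake() // expected to fail once the pipe closes
	}()
	hdr := make([]byte, 5) // record header: content type (1), legacy version (2), length (2)
	if _, err := io.ReadFull(serverConn, hdr); err != nil {
		return 0, err
	}
	if hdr[0] != 0x16 { // 0x16 = handshake; anything else means we did not get a ClientHello
		return 0, fmt.Errorf("unexpected TLS record type 0x%02x", hdr[0])
	}
	n := int(binary.BigEndian.Uint16(hdr[3:5]))
	if _, err := io.ReadFull(serverConn, make([]byte, n)); err != nil {
		return 0, err
	}
	return n, nil
}

// goDefault leaves CurvePreferences nil: Go 1.23+ then adds the hybrid post-quantum key share unless GODEBUG=tlskyber=0 is set.
func goDefault() *tls.Config { return &tls.Config{ServerName: sni} }

// classicalOnly is the in-code counterpart of tlskyber=0: an explicit group list opts out of the default and keeps the ClientHello short.
func classicalOnly() *tls.Config {
	return &tls.Config{ServerName: sni, CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256}}
}

func main() {
	d, _ := clientHelloSize(goDefault())
	c, _ := clientHelloSize(classicalOnly())
	fmt.Printf("ClientHello: Go default %d bytes, classical groups only %d bytes\n", d, c)
}
```

On a Go 1.23 toolchain the default ClientHello grows by roughly a kilobyte because of the Kyber key share, which is the length jump that the Suricata-based inspection drops.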
@sfc-gh-jcieslak
Collaborator

sfc-gh-jcieslak commented Feb 28, 2025

Hey @christiangjengedal 👋
I'm sorry to hear that, but unfortunately, we cannot downgrade the Go version of our provider. Please use the 1.0.3 version, which still uses older versions, and upgrade once the newer versions of AWS Network Firewall can support newer Go versions.

Update: Did you try to set the GODEBUG environment variable with tlskyber=0 yourself? Afaik this should work. For more information on GODEBUG, read: https://go.dev/doc/godebug.

@sfc-gh-jcieslak sfc-gh-jcieslak self-assigned this Feb 28, 2025
@sfc-gh-jcieslak sfc-gh-jcieslak added general-usage General help/usage questions and removed bug Used to mark issues with provider's incorrect behavior labels Feb 28, 2025
@sfc-gh-jcieslak
Collaborator

If you missed that, I updated the previous message above.

@christiangjengedal
Author

Yes, the GODEBUG environment variable works, I just wanted to document and share the limitation with you. It took quite a bit of time to understand what was failing.

@sfc-gh-jcieslak
Collaborator

Got it. Thanks for sharing. We'll document this in a few places and link this issue as an example. Other than that, it seems we can close the issue, right?

@christiangjengedal
Author

IMHO, terraform-provider-aws is a good reference provider. I like how they solved this TLS draft issue.

sfc-gh-jcieslak added a commit that referenced this issue Mar 4, 2025
Document issue #3421 and how the godebug environment variable can be
used to turn off some of the Go features that may not always be
compatible with third-party software (like firewalls).