Docker behing transparent proxy and intermediate cert

franrebo · May 14, 2019, 4:00pm

OS: Centos 7.6.1810
Docker Version: Server Version: 18.09.5

Issue:
My company use a transparent proxy with a intermediate cert to navigate. I was able to install the cert following doc: https://docs.docker.com/ee/dtr/user/access-dtr/ and this steps:

# Download the DTR CA certificate
sudo curl -k https://<dtr-domain-name>/ca -o /etc/pki/ca-trust/source/anchors/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
sudo update-ca-trust
# Restart the Docker daemon
sudo /bin/systemctl restart docker.service

Curl and Wget are working well, but docker run is not:

bash $ docker run -it cheers
Unable to find image 'cheers:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure.
See 'docker run --help'.

I’ve tried adding the registry as insecure in daemon.json but it was unsuccessfully.

Has anyone run into the same problem?

franrebo · May 15, 2019, 7:02pm

more info:

with curl, in the client hello handshake offers 30 cipher suites:

But with docker run, cipher suites are only 8:

nitishmowall · May 16, 2019, 3:46am

hey i don’t know much but
please read below link this might help

franrebo · May 16, 2019, 11:24am

Thanks! I think i figured out what’s going on:

Docker client offers only TLS_ECDHE_* ciphers but .docker.io (behind my corporate proxy) offers only TLS_RSA ciphers.

Without proxy, docker.io offers both types of ciphers.

Now, next challenge: make docker offer TLS_RSA or make my proxy support TLS_ECDHE.

I have no idea how to do either

nitishmowall · May 16, 2019, 2:46pm

hey
that i have no idea though
you can try reading this issue conversation