Configured registry with authentication and authorization.
Pushed the images via skopeo 1.10.0
Configured kwctl-sources4.yaml with insecure to disable ssl check
Added authentication for the registry to the docker json file kwctl-docker-config-rancher-cluster.json.
Now using kwctl to pull a policy:
kwctl -vvv pull --sources-path kwctl-sources4.yaml --docker-config-json-path kwctl-docker-config-rancher-cluster.json registry://registry01.suse:5000/rke-prod/ghcr.io/kubewarden/policies/user-group-psp:v0.2.0
2022-11-22T16:34:02.558002Z DEBUG reqwest::connect: starting new connection: https://registry01.suse:5000/
2022-11-22T16:34:02.559350Z DEBUG rustls::client::hs: No cached session for DnsName(DnsName(DnsName("registry01.suse")))
2022-11-22T16:34:02.559461Z DEBUG rustls::client::hs: Not resuming any session
2022-11-22T16:34:02.562977Z DEBUG rustls::client::hs: Using ciphersuite TLS13_AES_128_GCM_SHA256
2022-11-22T16:34:02.563012Z DEBUG rustls::client::tls13: Not resuming
2022-11-22T16:34:02.563169Z DEBUG rustls::client::tls13: TLS1.3 encrypted extensions: [Protocols([6832])]
2022-11-22T16:34:02.563187Z DEBUG rustls::client::hs: ALPN protocol is Some(b"h2")
2022-11-22T16:34:02.563226Z WARN rustls::conn: Sending fatal alert BadCertificate
2022-11-22T16:34:02.563568Z DEBUG reqwest::connect: starting new connection: https://registry01.suse:5000/
2022-11-22T16:34:02.564395Z DEBUG rustls::client::hs: No cached session for DnsName(DnsName(DnsName("registry01.suse")))
2022-11-22T16:34:02.564444Z DEBUG rustls::client::hs: Not resuming any session
2022-11-22T16:34:02.567045Z DEBUG rustls::client::hs: Using ciphersuite TLS13_AES_128_GCM_SHA256
2022-11-22T16:34:02.567066Z DEBUG rustls::client::tls13: Not resuming
2022-11-22T16:34:02.567153Z DEBUG rustls::client::tls13: TLS1.3 encrypted extensions: [Protocols([6832])]
2022-11-22T16:34:02.567163Z DEBUG rustls::client::hs: ALPN protocol is Some(b"h2")
2022-11-22T16:34:02.567211Z DEBUG rustls::client::tls13: Ticket saved
2022-11-22T16:34:02.570891Z DEBUG reqwest::connect: starting new connection: https://registry01.suse:3001/
2022-11-22T16:34:02.571733Z DEBUG rustls::client::hs: Resuming session
2022-11-22T16:34:03.580751Z DEBUG rustls::conn: Sending warning alert CloseNotify
2022-11-22T16:34:03.580799Z DEBUG reqwest::connect: starting new connection: http://registry01.suse:5000/
2022-11-22T16:34:03.581794Z DEBUG reqwest::connect: starting new connection: http://registry01.suse:5000/
Error: could not pull policy registry://registry01.suse:5000/rke-prod/ghcr.io/kubewarden/policies/user-group-psp:v0.2.0
-> can not see why this is failing
Expected Behavior
Pull via skopeo works without any problem
Steps To Reproduce
See above
Environment
- OS: SLES 15 SP4
- Architecture: x86_64
Anything else?
It seems to be related to the authentication hook only supporting TLS 1.2 but the kwctl client is trying to use TLS 1.3
Martin-Weiss changed the title from "kwctl fails to pull policy in case authentication and authorization are used on the registry" to "kwctl fails to pull policy in case authentication and authorization are used on the registry and registry auth source does not support tls 1.3" on Nov 23, 2022
On the authentication hook we can see this error:
2022-11-23 13:55:00 +0000: SSL error, peer: 192.168.0.49, peer cert: , #<Puma::MiniSSL::SSLError: OpenSSL error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher - 336109761>
And when testing with openssl this works:
openssl s_client -connect registry01.suse:3001 -tls1_2
This does not work:
openssl s_client -connect registry01.suse:3001 -tls1_3
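The `openssl s_client` check above, generalized as an added example (not part of the original issue and not kwctl code): it pins a client to one TLS version at a time and reports the negotiated cipher or the failure for each, which is the information needed to read a "no shared cipher" error. The function names `pinned_context` and `probe` are hypothetical; the host and ports are the ones in the log above.

```python
import socket
import ssl

# Versions to test, mirroring `openssl s_client -tls1_2` and `-tls1_3`.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def pinned_context(version, verify=False):
    """Build a client context that offers exactly one TLS version."""
    ctx = ssl.create_default_context()
    if not verify:
        # Diagnostic only: keeps protocol/cipher failures apart from
        # certificate trust failures (the issue already uses "insecure").
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, timeout=3.0):
    """Return {version name: negotiated cipher or failure text}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                ctx = pinned_context(version)
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok: " + tls.cipher()[0]
        except ssl.SSLError as exc:
            # SSLError must be caught first: it is a subclass of OSError.
            results[name] = "handshake failed: " + (exc.reason or str(exc))
        except OSError as exc:
            results[name] = "socket error: " + exc.__class__.__name__
    return results


if __name__ == "__main__":
    # Registry (5000) and authentication service (3001) from the log above.
    for port in (5000, 3001):
        print(port, probe("registry01.suse", port))
```

An "ok" result only shows that this OpenSSL-based client shares a cipher with the server; rustls offers a different cipher list, so the result bounds the problem rather than reproducing kwctl's handshake.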