
Ending an OpenSSL session takes too long
Hi all,

When using OpenSSL TLS, I’m getting an issue similar to
https://github.com/rsyslog/rsyslog/issues/3133.

After some debugging, it turns out that osslEndSess in nsd_ossl.c takes too
long, which exceeds the systemd timeout limit.
The function uses SSL_shutdown together with SSL_read to do a bidirectional
shutdown as described in:
https://www.openssl.org/docs/man1.1.1/man3/SSL_shutdown.html

We don’t want to increase the systemd timeout setting, and we think a
unidirectional shutdown should be good enough for our system. So I patched
nsd_ossl.c to use a unidirectional shutdown, which resolves the timeout issue.

@@ -1010,7 +1010,9 @@ osslEndSess(nsd_ossl_t *pThis)
if(pThis->bHaveSess) {
DBGPRINTF("osslEndSess: closing SSL Session ...\n");
ret = SSL_shutdown(pThis->ssl);
- if (ret <= 0) {
+ if (ret == 0) {
+ DBGPRINTF("osslEndSess: session closed with
unidirectional shutdown\n");
+ } else if (ret < 0) {
err = SSL_get_error(pThis->ssl, ret);
DBGPRINTF("osslEndSess: shutdown failed with
err = %d\n", err);
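Review bot: the new `ret == 0` branch only logs and then falls out of the if/else, but the SSL_read wait that the post says makes the shutdown bidirectional is not inside the hunk's seven lines of context; if that read loop sits after this chain, a 0 return still reaches it and the hang is not fixed by this change alone. Please include the lines that follow the `err = %d` DBGPRINTF (or the whole osslEndSess) so a reviewer can see where the 0 path ends and that the session is still freed on that path. Two smaller points: the `DBGPRINTF("osslEndSess: session closed with` literal is wrapped onto two lines by the mail client, so the patch will not apply as pasted (attach the diff or open a pull request); and in the unchanged `ret < 0` branch SSL_get_error() can return SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE on a non-blocking socket, which is a retry condition rather than a failure, so the "shutdown failed" message is misleading there.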

Is there any potential issue that might get created by this change?

Thanks,
Wenyi
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
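The bidirectional shutdown the post describes (SSL_shutdown, then SSL_read until the peer's close_notify arrives) is what can block until systemd gives up, while the patched unidirectional variant never waits at all. The added example below is written for this thread and is not code from rsyslog's nsd_ossl.c or from OpenSSL; it shows the third option a practitioner usually wants: wait for the peer's close_notify, but only up to a deadline, and report which of the three outcomes occurred. The `tls_ops` vtable, the `TLS_*` names and the `fake_*` test doubles are assumptions of the example; the numeric error codes mirror OpenSSL's SSL_ERROR_* values so that three one-line wrappers around SSL_shutdown, SSL_read and SSL_get_error can be dropped in.

```c
/* Added example: bounded bidirectional TLS shutdown (not rsyslog or OpenSSL code).
 * OpenSSL is reached through a small vtable so the logic can run here against
 * fakes; in production point the vtable at wrappers that cast void * to SSL *
 * and call SSL_shutdown / SSL_read / SSL_get_error. */
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Error codes the helper needs; values match openssl/ssl.h (assumption: a real
 * wrapper returns SSL_get_error() results unchanged). */
#define TLS_ERR_WANT_READ   2   /* SSL_ERROR_WANT_READ */
#define TLS_ERR_ZERO_RETURN 6   /* SSL_ERROR_ZERO_RETURN: peer's close_notify arrived */

typedef struct {
    int (*shutdown)(void *ssl);                 /* SSL_shutdown: 1 done, 0 ours sent, <0 error */
    int (*read)(void *ssl, void *buf, int len); /* SSL_read */
    int (*get_error)(void *ssl, int ret);       /* SSL_get_error */
} tls_ops;

typedef enum {
    TLS_SHUT_CLEAN,   /* both sides exchanged close_notify */
    TLS_SHUT_TIMEOUT, /* our close_notify went out, peer stayed silent: unidirectional */
    TLS_SHUT_ERROR    /* protocol or transport failure; code left in *err_out */
} tls_shut_result;

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Shut the session down, waiting at most timeout_ms for the peer's close_notify. */
tls_shut_result tls_shutdown_bounded(const tls_ops *ops, void *ssl, int fd,
                                     int timeout_ms, int *err_out)
{
    char buf[256];
    long deadline = now_ms() + timeout_ms;
    int ret = ops->shutdown(ssl);

    *err_out = 0;
    if (ret > 0)
        return TLS_SHUT_CLEAN;             /* peer's close_notify was already seen */
    if (ret < 0) {
        *err_out = ops->get_error(ssl, ret);
        return TLS_SHUT_ERROR;
    }
    /* ret == 0: our close_notify is sent. Drain the peer until it answers with its
     * own close_notify (read fails with ZERO_RETURN) or the deadline passes. Real
     * code should also check SSL_pending() before poll(), because OpenSSL may hold
     * a decrypted record the socket no longer shows as readable. */
    for (;;) {
        long left = deadline - now_ms();
        struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
        if (left <= 0 || poll(&p, 1, (int)left) <= 0)
            return TLS_SHUT_TIMEOUT;
        ret = ops->read(ssl, buf, (int)sizeof buf);
        if (ret > 0)
            continue;                      /* late application data: discard, keep waiting */
        *err_out = ops->get_error(ssl, ret);
        if (*err_out == TLS_ERR_ZERO_RETURN)
            return TLS_SHUT_CLEAN;
        if (*err_out == TLS_ERR_WANT_READ)
            continue;                      /* non-blocking socket, record not complete yet */
        return TLS_SHUT_ERROR;
    }
}

/* ---- Constructed fakes standing in for a live session (example only) ---- */
typedef struct { int shutdown_ret, read_ret, err; } fake_ssl;
static int fake_shutdown(void *s) { return ((fake_ssl *)s)->shutdown_ret; }
static int fake_read(void *s, void *buf, int len) { (void)buf; (void)len; return ((fake_ssl *)s)->read_ret; }
static int fake_get_error(void *s, int ret) { (void)ret; return ((fake_ssl *)s)->err; }
static const tls_ops fake_ops = { fake_shutdown, fake_read, fake_get_error };

/* Run the helper against a fake with a 50 ms deadline; a pipe plays the socket,
 * and peer_wrote=1 puts a byte in it so poll() reports the peer's reply. */
tls_shut_result run_fake(int shutdown_ret, int read_ret, int err, int peer_wrote, int *err_out)
{
    int fds[2];
    fake_ssl s = { shutdown_ret, read_ret, err };
    tls_shut_result r;

    if (pipe(fds) != 0)
        return TLS_SHUT_ERROR;
    if (peer_wrote && write(fds[1], "x", 1) != 1) {
        close(fds[0]); close(fds[1]);
        return TLS_SHUT_ERROR;
    }
    r = tls_shutdown_bounded(&fake_ops, &s, fds[0], 50, err_out);
    close(fds[0]);
    close(fds[1]);
    return r;
}

int main(void)
{
    static const char *name[] = { "clean", "timeout (unidirectional)", "error" };
    int e = 0;
    printf("peer answers close_notify: %s\n", name[run_fake(0, 0, TLS_ERR_ZERO_RETURN, 1, &e)]);
    printf("peer stays silent:         %s\n", name[run_fake(0, 0, 0, 0, &e)]);
    printf("shutdown fails:            %s, err=%d\n", name[run_fake(-1, 0, 1, 0, &e)], e);
    return 0;
}
```

A session that ends in TLS_SHUT_TIMEOUT has done exactly what the patched osslEndSess does (close_notify sent, peer not heard from), so the peer may still record an unclean close; the difference is that the caller now knows which outcome it got, can log it, and never waits longer than the deadline it chose.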
Re: Ending an OpenSSL session takes too long
Hi,

Any comments or suggestions?

Thanks,
Wenyi

On Mon, Feb 22, 2021 at 11:52 PM Wenyi Cheng <wyc9004@gmail.com> wrote:
--
Wenyi Cheng

Phone: (310) 871-5826
Re: Ending an OpenSSL session takes too long
Hi Wenyi,

The only issue I think would be an unclean TLS Session shutdown on the other
side.
But I think this is acceptable.


Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Managing Director/President: Rainer Gerhards, Registry Court Mannheim, HRB 560610
VAT ID No.: DE 81 22 04 622
Web: www.adiscon.com - Mail: info@adiscon.com

Information regarding your data privacy policy can be found here:
https://www.adiscon.com/data-privacy-policy/

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient or have received this e-mail in error please
notify the sender immediately and delete this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is
strictly forbidden.




> -----Original Message-----
> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Wenyi
> Cheng via rsyslog
> Sent: Tuesday, 23 February 2021 08:53
> To: rsyslog@lists.adiscon.com
> Cc: Wenyi Cheng <wyc9004@gmail.com>
> Subject: [rsyslog] Ending an OpenSSL session takes too long