Hi all,
When using OpenSSL TLS, I’m getting an issue similar to
https://github.com/rsyslog/rsyslog/issues/3133.
After some debugging, it turns out that osslEndSess in nsd_ossl.c takes too
long, which exceeds the systemd timeout limit.
The function uses SSL_shutdown together with SSL_read to do a bidirectional
shutdown as described in:
https://www.openssl.org/docs/man1.1.1/man3/SSL_shutdown.html
We don’t want to increase the systemd timeout setting and think a
unidirectional shutdown should be good enough for our system. So I patched
nsd_ossl.c to use unidirectional shutdown, which resolves the timeout issue.
@@ -1010,7 +1010,9 @@ osslEndSess(nsd_ossl_t *pThis)
if(pThis->bHaveSess) {
DBGPRINTF("osslEndSess: closing SSL Session ...\n");
ret = SSL_shutdown(pThis->ssl);
- if (ret <= 0) {
+ if (ret == 0) {
+ DBGPRINTF("osslEndSess: session closed with
unidirectional shutdown\n");
+ } else if (ret < 0) {
err = SSL_get_error(pThis->ssl, ret);
DBGPRINTF("osslEndSess: shutdown failed with
err = %d\n", err);
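Review bot: in the new `ret == 0` branch the function only logs and treats the session as closed, so the peer's close_notify is never read. TLS permits this when the socket is closed right afterwards and not reused, and the SSL_shutdown man page linked above says SSL_get_error should not be called for a 0 return, so dropping that call here is right. The cost is that any records the peer still had in flight are discarded and this side can no longer tell a clean peer close from a truncated stream. I would state that trade-off in a code comment in this branch, and consider keeping the bidirectional wait with a short bound rather than removing it for every caller of osslEndSess. In the `ret < 0` branch, please confirm that an SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE result from `SSL_get_error` on a non-blocking socket is still retried, since in that case the close_notify may not have gone out at all. The two DBGPRINTF string literals are also wrapped across lines in this mail, so the patch will not apply or compile as posted.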
Is there any potential issue that might get created by this change?
Thanks,
Wenyi
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.