-
Notifications
You must be signed in to change notification settings - Fork 579
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🪵Log TLS shutdown error🛑, only if any #10259
Comments
💡 We already override async_handshake(), so we can do with async_shutdown(). |
That sounds like you also want to read inside
Yes, but the additional context was that I started to implement a clean shutdown of our JSON-RPC connections. Clean shutdown meaning that one node initiates the shutdown, closing only it's write direction and then still processing incoming messages from the peer until it has noticed that the connection is being closed1 and closes it's write direction in response2. So this would conflict doing any read in that TLS shutdown method as the reads still have to be handled by the normal JSON-RPC message processing until that reads EOF. Footnotes
|
Well, I'd call SSL_shutdown() exactly once. ASIO calls it twice, that triggers "application data after close notify".
OK, this indeed adds a lot of context to what you told me before. I thought we can:
*) Apparently we don't care for any incoming messages on shutdown: #10213 Given your solution, I guess we'd have to:
|
Describe the bug
Currently, we call
boost::asio::ssl::stream::async_shutdown()
and ignore the error. We shall log it!But only if there's an actual error, i.e not a false positive which unnecessarily scares the user. Currently we even have such:
To Reproduce
With this patch, running
(echo '1000000:'; cat /dev/zero) |openssl s_client -connect 127.0.0.1:5665
against Icinga 2 results in:[2024-11-26 18:04:16 +0100] critical/JsonRpcConnection: API client disconnected for identity '': application data after close notify (SSL routines)
This is due to how Boost ASIO shuts down SSL – it (often) calls SSL_shutdown() twice. Once for notifying the peer and the second time to mark the connection as shut down. The peer may even not have time to ack the termination. And when it does, we're passively aggressive via the above log message.
Expected behavior
Screenshots
Your Environment
Include as many relevant details about the environment you experienced the problem in
icinga2 --version
): mastericinga2 feature list
): apiicinga2 daemon -C
):zones.conf
file (oricinga2 object list --type Endpoint
andicinga2 object list --type Zone
) from all affected nodes.Additional context
Digged out by @julianbrost IIRC.
The text was updated successfully, but these errors were encountered: