[
https://issues.apache.org/jira/browse/TS-2548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13966382#comment-13966382
]
kang li commented on TS-2548:
-----------------------------
Hi [[email protected]],
Could we just call SSLError for SSL_ERROR_SSL errors in SSLNetVConnection::sslServerHandShakeEvent and ssl_read_from_net, like SSLNetVConnection::sslClientHandShakeEvent and SSLNetVConnection::load_buffer_and_write do?
I saw your change from SSLError to SSLDebug in serverHandshake, out of concern that there may be a lot of error logs. But when I changed it to SSLError for the case where SSL_ERROR_SSL occurs, I haven't seen a sharp increase in error logs. Most handshake errors are related to SSL23_GET_CLIENT_HELLO, which only occurs during the handshake.
{code}
[Apr 11 09:24:57.447] Server {0x2af704037700} ERROR: SSL::54:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO: http request:s23_srvr.c:418:peer address is xx.xx.xx.xx
[Apr 11 09:24:57.447] Server {0x2af704037700} ERROR: SSL handshake error
{code}
{code}
-bash-4.1$ grep -R -E "Apr\s11" diags.log | grep "SSL handshake error" | wc -l
848
-bash-4.1$ grep -R -E "Apr\s11" diags.log | grep "ssl_read_from_net" | wc -l
2360
-bash-4.1$ grep -R -E "Apr\s11" diags.log | grep "SSL23_GET_CLIENT_HELLO" | wc -l
599
{code}
And when we apply the patch from https://issues.apache.org/jira/browse/TS-2096 to ATS-4.0.2, we see a lot of error logs related to SSL_ERROR_SYSCALL.
{code}
[Mar 25 22:48:05.325] Server {0x2aae19ce9700} ERROR: [SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, underlying IO error: Connection reset by peer
{code}
It happens when an unexpected connection close occurs: ATS tries to retransmit the packet several times, which generates the error log several times and seems too verbose. This constitutes about half of the error logs. A useful error log should have the SSL error info and when it occurred, like below.
{code}
[Apr 11 09:12:37.988] Server {0x2af702e25700} ERROR: SSL::36:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL alert number 48:peer address is xx.xx.xx.xx
[Apr 11 09:12:37.988] Server {0x2af702e25700} ERROR: [SSL_NetVConnection::ssl_read_from_net]
{code}
If you think this fix is reasonable, I'll submit a patch for this.
> Add client IP to SSLError() calls in SSLNetVConnection
> -------------------------------------------------------
>
> Key: TS-2548
> URL: https://issues.apache.org/jira/browse/TS-2548
> Project: Traffic Server
> Issue Type: Improvement
> Components: Logging, SSL
> Reporter: David Carlin
> Fix For: 5.0.0
>
> Attachments: ssl_log_enhancement.diff
>
>
> I asked on IRC if we could put the Client IP in the SSL errors that appear in
> diags.log and /var/log/messages - jpeach replied that it was a matter of
> adding client IP to SSLError() calls in SSLNetVConnection. This would be
> very helpful for troubleshooting.
> Additionally, why are the errors sent to /var/log/messages - writing them to
> only diags.log is preferable.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
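As an added example (not code from the Traffic Server project or from anyone in this thread), the following Python script does in a structured way what the grep | wc -l commands in the comment do by hand: it parses diags.log lines of the shape quoted above, pulls out the peer address and the packed OpenSSL error code where present, and counts errors per peer, per OpenSSL reason string, and for lines that carry no peer address at all (the gap TS-2548 is about). It also splits the 32-bit error code into its library/function/reason fields and checks that, for alert-derived errors, the reason equals 1000 plus the TLS alert number, which is how OpenSSL 1.x maps alerts to reason codes (e.g. 0x14094418 has reason 0x418 = 1048 = 1000 + 48). The log lines are constructed from the ones quoted in the comment, with placeholder peer addresses from the documentation range, and the function and field names are this example's own.

```python
"""Aggregate ATS diags.log SSL errors by peer, reason and missing-peer lines."""
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the JIRA comment.
# Peer addresses are documentation-range placeholders, not real clients.
SAMPLE_LOG = """\
[Apr 11 09:24:57.447] Server {0x2af704037700} ERROR: SSL::54:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:s23_srvr.c:418:peer address is 192.0.2.10
[Apr 11 09:24:57.447] Server {0x2af704037700} ERROR: SSL handshake error
[Apr 11 09:12:37.988] Server {0x2af702e25700} ERROR: SSL::36:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL alert number 48:peer address is 192.0.2.11
[Apr 11 09:12:37.988] Server {0x2af702e25700} ERROR: [SSL_NetVConnection::ssl_read_from_net]
[Apr 11 09:30:01.000] Server {0x2af704037700} ERROR: SSL::54:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:s23_srvr.c:418:peer address is 192.0.2.10
[Apr 11 09:30:01.000] Server {0x2af704037700} ERROR: SSL handshake error
[Mar 25 22:48:05.325] Server {0x2aae19ce9700} ERROR: [SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, underlying IO error: Connection reset by peer
"""

# "[timestamp] Server {thread} ERROR: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Server \{(?P<thread>0x[0-9a-f]+)\} ERROR: (?P<msg>.*)$")
# OpenSSL ERR_error_string() layout: error:CODE:lib:func:reason:file:line[:extra]
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+)")
PEER_RE = re.compile(r"peer address is (?P<peer>\S+)")
ALERT_RE = re.compile(r"SSL alert number (?P<alert>\d+)")

ERR_LIB_SSL = 0x14           # OpenSSL library number of libssl
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports TLS alert N as reason 1000 + N


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason).

    Layout is 8 bits of library, 12 bits of function, 12 bits of reason.
    """
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def alert_reason_consistent(code, alert):
    """True if a libssl error code's reason field matches the logged alert number."""
    lib, _func, reason = decode_openssl_error(code)
    return lib == ERR_LIB_SSL and reason - SSL_AD_REASON_OFFSET == alert


def parse_line(line):
    """Return a record for one diags.log ERROR line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "thread": m["thread"], "msg": m["msg"],
           "peer": None, "code": None, "reason": None, "alert": None}
    o = OSSL_RE.search(rec["msg"])
    if o:
        rec["code"] = int(o["code"], 16)
        rec["reason"] = o["reason"]
    p = PEER_RE.search(rec["msg"])
    if p:
        rec["peer"] = p["peer"]
    a = ALERT_RE.search(rec["msg"])
    if a:
        rec["alert"] = int(a["alert"])
    return rec


def summarize(log_text):
    """Count errors per peer, per OpenSSL reason, and per message lacking a peer."""
    by_peer, by_reason, no_peer = Counter(), Counter(), Counter()
    alert_mismatch = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["peer"]:
            by_peer[rec["peer"]] += 1
        else:
            # Lines such as "SSL handshake error" name no client at all; these
            # are the ones that cannot be attributed without the TS-2548 change.
            no_peer[rec["msg"]] += 1
        if rec["reason"]:
            by_reason[rec["reason"]] += 1
        if rec["alert"] is not None and rec["code"] is not None:
            if not alert_reason_consistent(rec["code"], rec["alert"]):
                alert_mismatch += 1
    return {"by_peer": dict(by_peer), "by_reason": dict(by_reason),
            "no_peer": dict(no_peer), "alert_mismatch": alert_mismatch}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run it as a script to see the per-peer and per-reason tallies for the sample; point `summarize` at the contents of a real diags.log to get the same breakdown. The `no_peer` bucket is the practical argument for this ticket: every entry in it is an SSL error that cannot be tied to a client without the address being added to the SSLError() call.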