Hi Wenyi,

The only issue I think would be an unclean TLS Session shutdown on the other side. But I think this is acceptable.

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany

> -----Original Message-----
> From: rsyslog <[email protected]> On Behalf Of Wenyi Cheng via rsyslog
> Sent: Tuesday, 23 February 2021 08:53
> To: [email protected]
> Cc: Wenyi Cheng <[email protected]>
> Subject: [rsyslog] Ending an OpenSSL session takes too long
>
> Hi all,
>
> When using OpenSSL TLS, I’m getting an issue similar to
> https://github.com/rsyslog/rsyslog/issues/3133.
>
> After some debugging, it turns out that osslEndSess in nsd_ossl.c takes too
> long, which exceeds the systemd timeout limit.
> The function uses SSL_shutdown together with SSL_read to do a bidirectional
> shutdown as described in:
> https://www.openssl.org/docs/man1.1.1/man3/SSL_shutdown.html
>
> We don’t want to increase systemd timeout setting and think a unidirectional
> shutdown should be good enough for our system. So I patched nsd_ossl.c to
> use unidirectional shutdown which resolves the timeout issue.
>
> @@ -1010,7 +1010,9 @@ osslEndSess(nsd_ossl_t *pThis) > if(pThis->bHaveSess) { > DBGPRINTF("osslEndSess: closing SSL Session ...\n"); > ret = SSL_shutdown(pThis->ssl); > - if (ret <= 0) { > + if (ret == 0) { > + DBGPRINTF("osslEndSess: session closed with > unidirectional shutdown\n"); > + } else if (ret < 0) { > err = SSL_get_error(pThis->ssl, ret); > DBGPRINTF("osslEndSess: shutdown failed with err = > %d\n", > err);
>
> Is there any potential issue that might get created by this change?
>
> Thanks,
> Wenyi
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond
> our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
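
Review bot: In the new `ret == 0` branch of osslEndSess, the only visible change is the debug message; nothing in this hunk shows that the SSL_read wait for the peer's close_notify is actually skipped on that path, so please confirm the code after the shown context no longer enters it (or bound that wait with a timeout instead of dropping it unconditionally). Restricting the error path to `ret < 0` is consistent with the SSL_shutdown manual linked in the message: a return of 0 means our close_notify was sent and the peer's has not been seen yet, and SSL_get_error is not meant to be called for it. What is given up is the peer's close_notify, so after this change the local side cannot distinguish an orderly close by the peer from a truncated stream. That trade-off deserves a code comment at the `ret == 0` branch, and a configuration setting for choosing unidirectional versus bidirectional shutdown would let deployments without the systemd timeout constraint keep the old behaviour.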

