Repeated sslhandshake in [tcp-log] plugin
Is there an existing issue for this?
- [X] I have searched the existing issues
Kong version ($ kong version)
master
Current Behavior
I am developing a plugin similar to lua-resty-kafka.
While studying the code of lua-resty-kafka, I found that it has a strategy to avoid repeating the sslhandshake.
https://github.com/doujiang24/lua-resty-kafka/blob/3fbed91d81d4fb32d4dda4316f5f2cba04622633/lib/resty/kafka/broker.lua#L144
I also referred to the code of the Kong tcp-log plugin and the OpenResty API manual, and then found this issue. It seems to be used incorrectly in the tcp-log plugin.
session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?)
Expected Behavior
https://github.com/Kong/kong/blob/a7bf026a5cf91e376f8cb820e6d8923365f2d581/kong/plugins/tcp-log/handler.lua#L35
In my opinion, the code should be changed to this:
    local cjson = require "cjson"

    local function log(premature, conf, message)
      if premature then
        return
      end

      local host = conf.host
      local port = conf.port
      local timeout = conf.timeout
      local keepalive = conf.keepalive

      local sock = ngx.socket.tcp()
      sock:settimeout(timeout)

      local ok, err = sock:connect(host, port)
      if not ok then
        kong.log.err("failed to connect to ", host, ":", tostring(port), ": ", err)
        sock:close()
        return
      end

      -- getreusedtimes() is 0 only for a brand-new connection; a socket taken
      -- from the keepalive pool has already completed its TLS handshake
      local times, err = sock:getreusedtimes()
      if not times then
        kong.log.err("failed to get reused times: ", err)
        sock:close()
        return
      end

      if conf.tls and times == 0 then
        ok, err = sock:sslhandshake(true, conf.tls_sni, false)
        if not ok then
          kong.log.err("failed to perform TLS handshake to ", host, ":", port, ": ", err)
          sock:close()
          return
        end
      end

      ok, err = sock:send(cjson.encode(message) .. "\n")
      if not ok then
        kong.log.err("failed to send data to ", host, ":", tostring(port), ": ", err)
      end

      ok, err = sock:setkeepalive(keepalive)
      if not ok then
        kong.log.err("failed to keepalive to ", host, ":", tostring(port), ": ", err)
        sock:close()
        return
      end
    end
Or like this:

    local cjson = require "cjson"

    -- cache of SSL sessions per target; the key must identify the exact target
    -- (host, port and SNI) and must not be nil when tls_sni is unset
    local ssl_sessions = {}

    local function log(premature, conf, message)
      if premature then
        return
      end

      local host = conf.host
      local port = conf.port
      local timeout = conf.timeout
      local keepalive = conf.keepalive

      local sock = ngx.socket.tcp()
      sock:settimeout(timeout)

      local ok, err = sock:connect(host, port)
      if not ok then
        kong.log.err("failed to connect to ", host, ":", tostring(port), ": ", err)
        sock:close()
        return
      end

      if conf.tls then
        local key = host .. ":" .. tostring(port) .. ":" .. (conf.tls_sni or "")
        -- pass the cached session (or nil) as reused_session and keep the
        -- session returned by this handshake for the next call
        local session, err = sock:sslhandshake(ssl_sessions[key], conf.tls_sni, false)
        if not session then
          kong.log.err("failed to perform TLS handshake to ", host, ":", port, ": ", err)
          sock:close()
          return
        else
          ssl_sessions[key] = session
        end
      end

      ok, err = sock:send(cjson.encode(message) .. "\n")
      if not ok then
        kong.log.err("failed to send data to ", host, ":", tostring(port), ": ", err)
      end

      ok, err = sock:setkeepalive(keepalive)
      if not ok then
        kong.log.err("failed to keepalive to ", host, ":", tostring(port), ": ", err)
        sock:close()
        return
      end
    end
Steps To Reproduce
Do you think it makes sense?
Anything else?
No response
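A handshake-once send helper, added here as an example and not taken from Kong or from the issue above, that also keeps TLS and plaintext keepalive sockets for the same host:port in separate cosocket pools. It assumes the OpenResty cosocket API, the tcp-log conf fields host, port, timeout, keepalive, tls and tls_sni, and a hypothetical ssl_verify parameter that maps to the third sslhandshake argument.

```lua
-- Added example (not Kong's or the reporter's code): send one log line over
-- a pooled cosocket, running the TLS handshake only on a fresh connection.
-- Assumes OpenResty cosockets and the tcp-log conf fields host, port,
-- timeout, keepalive, tls, tls_sni. ssl_verify is a parameter of this helper
-- (the third sslhandshake argument), not a tcp-log conf key.
local cjson = require "cjson"
local function send_log_line(conf, message, ssl_verify)
  local host, port = conf.host, tostring(conf.port)
  local sock = ngx.socket.tcp()
  sock:settimeout(conf.timeout)
  -- The default pool name is "host:port", so TLS and plaintext plugin
  -- instances aimed at the same endpoint would share pooled sockets; naming
  -- the pool after the TLS setting keeps a reused socket in the expected state.
  local pool = host .. ":" .. port .. ":"
               .. (conf.tls and ("tls:" .. (conf.tls_sni or "")) or "plain")
  local ok, err = sock:connect(host, conf.port, { pool = pool })
  if not ok then
    sock:close()
    return nil, "failed to connect to " .. host .. ":" .. port .. ": " .. tostring(err)
  end

  -- getreusedtimes() is 0 only for a brand-new connection; a socket taken
  -- from the keepalive pool already completed its handshake, so skip it.
  local reused, rerr = sock:getreusedtimes()
  if not reused then
    sock:close()
    return nil, "failed to get reused times: " .. tostring(rerr)
  end
  if conf.tls and reused == 0 then
    -- Same call shape as the issue's first snippet; only success is checked.
    ok, err = sock:sslhandshake(true, conf.tls_sni, ssl_verify)
    if not ok then
      sock:close()
      return nil, "TLS handshake to " .. host .. ":" .. port .. " failed: " .. tostring(err)
    end
  end

  local bytes, serr = sock:send(cjson.encode(message) .. "\n")
  if not bytes then
    sock:close()  -- never hand a socket with unknown stream state back to the pool
    return nil, "failed to send to " .. host .. ":" .. port .. ": " .. tostring(serr)
  end
  ok, err = sock:setkeepalive(conf.keepalive)
  if not ok then
    sock:close()
    return nil, "failed to set keepalive: " .. tostring(err)
  end
  return bytes, reused
end
```

The caller (for instance the timer callback that tcp-log schedules) logs the returned error with kong.log.err; the second return value, the reuse count, shows whether a given call went through the handshake path.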
In Kong, an open-source API gateway, the "Repeated SSL handshake" message can occur when using the tcp-log plugin. The tcp-log plugin allows you to log the raw TCP stream of a request or response. Here's an example of how you can configure the tcp-log plugin in Kong:

- Create a TCP log template file (e.g., tcp-log.template):

    $ cat tcp-log.template
    $request
    ----------------------------------------
    $response

- Configure the tcp-log plugin for a service or route in Kong:

    $ curl -X POST http://localhost:8001/services/{service_id}/plugins \
      --data "name=tcp-log" \
      --data "config.host=your_log_host" \
      --data "config.port=your_log_port" \
      --data "[email protected]"

Make sure to replace {service_id}, your_log_host, and your_log_port with the appropriate values for your setup.

- Start sending requests to the service or route associated with the tcp-log plugin. The requests and responses will be logged to the specified host and port.

If you encounter a "Repeated SSL handshake" message in the Kong logs, it may indicate a problem with the SSL/TLS configuration between Kong and the logging endpoint. Here are a few potential causes and troubleshooting steps:

- Ensure that the logging endpoint supports SSL/TLS connections and is configured correctly to handle incoming SSL/TLS traffic.
- Verify that the SSL/TLS certificate used by the logging endpoint is valid and trusted by Kong. Make sure to import the appropriate CA certificates if necessary.
- Check the Kong configuration for any SSL-related settings, such as proxy_ssl_certificate, proxy_ssl_certificate_key, proxy_ssl_trusted_certificate, etc., and ensure they are correctly configured for SSL/TLS communication.
- Review the Kong error logs for any additional error messages or stack traces that can help diagnose the issue further.

By addressing these potential causes and troubleshooting steps, you can resolve the "Repeated SSL handshake" issue in the Kong tcp-log plugin configuration.
@Prakhar0123 This may be due to incorrect 'sock:sslhandshake' usage
Thanks for reporting this. Could you write a PR to fix this as it seems you have understood the issue well? https://github.com/Kong/kong/blob/master/CONTRIBUTING.md
Sure. I have submitted the PR.