
in_http with TLS from Powershell produces "session id context uninitialized" errors

Open 1tft opened this issue 2 years ago • 4 comments

Describe the bug

Sending data from PowerShell (Windows 2016) over TLS 1.2 produces sporadic TLS errors on the fluentd server side.

To Reproduce

Using a PowerShell script (see below) to send data to the fluentd HTTPS input. Using the fluentd HTTPS input definition below (no client certificate necessary).

Execute the PowerShell script after 8 min (sometimes also after 4 min and so on) and you will regularly get PowerShell and fluentd errors.

Expected behavior

No errors at powershell side and at fluentd side.

Your Environment

- Fluentd version: 1.13.3
- TD Agent version: 4.2.0
- Operating system: Windows 2016 (Powershell) and RHEL8 (fluentd side)
- Kernel version: 4.18.0-305.25.1.el8_4.x86_64

Your Configuration

Powershell Script:

$loginput = @{ datafield = "datavalue" }
# JSON-encode the record and send it as raw UTF-8 bytes
$body = [System.Text.Encoding]::UTF8.GetBytes(($loginput | ConvertTo-Json -Compress))
# Restrict the client to TLS 1.2/1.3. SecurityProtocolType is a [Flags] enum, so combine values with -bor;
# the Tls13 member only exists on .NET Framework 4.8 or later.
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13

Invoke-WebRequest -Uri "https://my_fluentd_hostname:8887/" `
 -Method Post `
 -ContentType "application/json; charset=utf-8" `
 -Body $body `
 -ErrorAction SilentlyContinue   # same as "-ErrorAction 0": do not stop the script on a failed request



Fluentd Input Config:

<source>
  @type http
  port 8887
  bind 0.0.0.0
  <transport tls>
   ca_cert_path /opt/pki/cert.pem
   cert_path /opt/cert/mycert.pem
   private_key_path /opt/cert/mycert_privkey.pem
   min_version TLS1_2
   max_version TLS1_3
  </transport>
  body_size_limit 256k
  keepalive_timeout 600s
  #we parse later
  <parse>
    @type none
    message_key log
  </parse>
</source>

Your Error Log

Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At C:\tmp\request.ps1:15 char:5
+     Invoke-WebRequest -Uri "https://my_fluentd_hostname:8887 ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

On fluentd side you get this error message:
2022-02-14 14:43:10 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL host="10.120.120.120" port=50404 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: session id context uninitialized"

Additional context

Also tried with -Headers @{'Cache-Control' = 'no-cache="set-cookie"'}, no success.

Reason for that issue: maybe fluentd does not implement SSL session resumption the way this server implementation does, https://github.com/nim-lang/Nim/pull/15233 ?

1tft avatar Feb 14 '22 15:02 1tft
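A note on the OpenSSL side of the log line above, followed by an added reproduction (this is example code written for this page, not fluentd's own server code). OpenSSL raises SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED in ssl_get_prev_session, i.e. only when a client offers a previously established session back (via session ID or session ticket) and the server's verify mode includes SSL_VERIFY_PEER while the server never called SSL_CTX_set_session_id_context. A fresh handshake does not hit that check, which is why the failure only shows up once the client starts reusing a cached session, some minutes after the first request. The fix on the server is to set a session ID context (Ruby: SSLContext#session_id_context=), which is also what the linked Nim PR does; disabling the server-side session cache avoids the error as well, at the cost of full handshakes on every connection. Two caveats for whoever debugs this: the error can only occur if VERIFY_PEER was in effect on the server context even though no client certificate is requested (in Ruby, SSLContext#set_params applies DEFAULT_PARAMS, which contain verify_mode VERIFY_PEER, so a server can end up there without intending client auth), and the same check applies to TLS 1.3 ticket resumption, so raising min_version does not make it go away. The example below pins both sides to TLS 1.2 so the client's Session object is resumable right after the handshake; the self-signed certificate, loopback port and the context string "fluentd-demo" are constructed for the demo.

```ruby
require "openssl"
require "socket"

# Added example (not fluentd code): reproduces "session id context
# uninitialized" with a bare Ruby OpenSSL server, then shows the fix.

# Self-signed server certificate generated in memory (constructed for the demo).
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Server context. VERIFY_PEER requests (but does not require) a client cert and is
# the condition under which OpenSSL raises the error on resumption; setting
# session_id_context is the fix. TLS 1.2 is pinned so that the client-side
# Session is usable immediately after the handshake (tickets or session IDs).
def server_context(cert, key, session_id_context: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.session_id_context = session_id_context if session_id_context
  ctx
end

def client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed cert, demo only
  ctx
end

# Accepts `count` TLS connections on a loopback port in a background thread and
# records per connection either [:ok, session_reused?] or [:error, message].
def start_server(ctx, count)
  listener = TCPServer.new("127.0.0.1", 0)
  results = []
  thread = Thread.new do
    count.times do
      sock = listener.accept
      begin
        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
        ssl.sync_close = true
        ssl.accept
        results << [:ok, ssl.session_reused?]
        ssl.close
      rescue OpenSSL::SSL::SSLError => e
        results << [:error, e.message] # e.g. "... state=error: session id context uninitialized"
        sock.close
      end
    end
    listener.close
  end
  [listener.addr[1], thread, results]
end

# One client handshake. If `session` is given it is offered for resumption, as a
# client that cached the previous session would do. Returns the Session object
# the client can reuse later, or nil when the handshake failed.
def client_handshake(port, ctx, session = nil)
  sock = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.sync_close = true
  ssl.session = session if session
  ssl.connect
  sess = ssl.session
  ssl.close
  sess
rescue OpenSSL::SSL::SSLError
  sock&.close # server sent a fatal alert (internal_error) while resuming
  nil
end

# Full handshake followed by a resumption attempt; returns the server's view.
def run_scenario(server_ctx)
  port, thread, results = start_server(server_ctx, 2)
  cctx = client_context
  first = client_handshake(port, cctx)  # full handshake, client caches the session
  client_handshake(port, cctx, first)   # second connection offers it back
  thread.join
  results
end

# Same server certificate, once without and once with a session ID context.
def demo_outcomes
  cert, key = make_self_signed_cert
  {
    broken: run_scenario(server_context(cert, key)),
    fixed: run_scenario(server_context(cert, key, session_id_context: "fluentd-demo")),
  }
end

if __FILE__ == $0
  outcomes = demo_outcomes
  puts "without session_id_context: #{outcomes[:broken].inspect}"
  puts "with session_id_context:    #{outcomes[:fixed].inspect}"
end
```

Run it as a script: the first server accepts one full handshake and then fails the resumed one with the exact OpenSSL reason from the fluentd log, while the second server reports the resumed connection with session_reused? true. Any server-side check equivalent to this (does the context set a session ID context, or turn server-side caching off, whenever VERIFY_PEER is enabled?) is what to look for in the fluentd transport code.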

This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days

github-actions[bot] avatar May 17 '22 10:05 github-actions[bot]

Did you find the cause? I also see the same issue.

lrsundar avatar Aug 12 '22 16:08 lrsundar

Unfortunately not, so I have to build a workaround with nginx/haproxy as a TLS proxy in front of fluentd. Funny fact: Fluent Bit does not support HTTPS input at all (https://github.com/fluent/fluent-bit/issues/2772).

1tft avatar Aug 12 '22 16:08 1tft

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 7 days

github-actions[bot] avatar Apr 12 '23 10:04 github-actions[bot]