fluentd
in_http with TLS from Powershell produces "session id context uninitialized" errors
Describe the bug
Sending data via Powershell (Windows 2016) via TLS 1.2 produces sporadic TLS errors on fluentd server side.
To Reproduce
Using a powershell script (see below) to send data to fluentd HTTPS input. Using fluent HTTPS input definition (no client certificate necessary) below.
Execute the PowerShell script after 8 min (sometimes also after 4 min and so on) and you will regularly get PowerShell and fluentd errors.
Expected behavior
No errors at powershell side and at fluentd side.
Your Environment
- Fluentd version: 1.13.3
- TD Agent version: 4.2.0
- Operating system: Windows 2016 (Powershell) and RHEL8 (fluentd side)
- Kernel version: 4.18.0-305.25.1.el8_4.x86_64
Your Configuration
Powershell Script:
```powershell
$loginput = @{ datafield = "datavalue" }
$body = [System.Text.Encoding]::UTF8.GetBytes($($loginput | ConvertTo-Json -Compress))
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12, [Net.SecurityProtocolType]::Tls13
Invoke-WebRequest -Uri "https://my_fluentd_hostname:8887/" `
    -Method Post `
    -ContentType "application/json; charset=utf-8" `
    -Body $body `
    -ErrorAction 0
```
Fluentd Input Config:
```
<source>
  @type http
  port 8887
  bind 0.0.0.0
  <transport tls>
    ca_cert_path /opt/pki/cert.pem
    cert_path /opt/cert/mycert.pem
    private_key_path /opt/cert/mycert_privkey.pem
    min_version TLS1_2
    max_version TLS1_3
  </transport>
  body_size_limit 256k
  keepalive_timeout 600s
  # we parse later
  <parse>
    @type none
    message_key log
  </parse>
</source>
```
Your Error Log
```
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
At C:\tmp\request.ps1:15 char:5
+ Invoke-WebRequest -Uri "https://my_fluentd_hostname:8887 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
```
On fluentd side you get this error message:
```
2022-02-14 14:43:10 +0100 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL host="10.120.120.120" port=50404 error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: session id context uninitialized"
```
Additional context
Also tried with -Headers @{'Cache-Control' = 'no-cache="set-cookie"'}, no success.
Reason for that issue: Maybe fluentd does not implement SSL session resuming like this https://github.com/nim-lang/Nim/pull/15233 server implementation?
This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days
Did you find the cause? I also see the same issue.
Unfortunately not, so I have to build a workaround with a nginx/haproxy as TLS proxy in front of fluentd. Funny fact: Fluentbit does not support https input at all (https://github.com/fluent/fluent-bit/issues/2772).
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 7 days
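The workaround mentioned in the reply above, an nginx TLS proxy in front of fluentd, could look like the following. This is an added example, not configuration from the thread or from the fluentd project. The loopback port 8888 and running in_http without its `<transport tls>` section are assumptions; the certificate paths, port 8887, body limit and keepalive value are reused from the reported configuration.

```nginx
# Added example (not from the thread): nginx terminates TLS and forwards
# plain HTTP to fluentd on the same host.
# Assumption: the fluentd <source> is changed to `bind 127.0.0.1` and
# `port 8888`, and its <transport tls> section is removed, so the plaintext
# listener is reachable only through this proxy.
events {}

http {
    server {
        # Same public port the PowerShell client already posts to.
        listen 8887 ssl;

        # Certificate and key paths reused from the reported fluentd config.
        ssl_certificate     /opt/cert/mycert.pem;
        ssl_certificate_key /opt/cert/mycert_privkey.pem;

        # Mirrors min_version TLS1_2 / max_version TLS1_3.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Session resumption is handled here by nginx, so resumed
        # handshakes never reach fluentd's own TLS stack.
        ssl_session_cache   shared:fluentd_tls:10m;
        ssl_session_timeout 10m;

        # Mirrors body_size_limit 256k and keepalive_timeout 600s.
        client_max_body_size 256k;
        keepalive_timeout    600s;

        location / {
            # No URI part on proxy_pass: the request path is forwarded
            # unchanged to in_http.
            proxy_pass         http://127.0.0.1:8888;
            proxy_http_version 1.1;
            proxy_set_header   Host $host;
        }
    }
}
```

`nginx -t -c <path to this file>` checks the syntax before a reload.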