apache / mina-sshd

Apache MINA sshd is a comprehensive Java library for client- and server-side SSH.
https://mina.apache.org/sshd-project/
Apache License 2.0

IOsession.closeNow is resulting GNU TLS error at rsyslog server #598

Closed uppoju closed 1 week ago

uppoju commented 1 week ago

Version

2.2.3

Bug description

After upgrading the Mina Core library to version 2.2.3, we started getting the errors below in the rsyslog server when the session is closed on the client side.

unexpected GnuTLS error -110 in nsd_gtls.c:602: The TLS connection was non-properly terminated. [v8.2404.0 try https://www.rsyslog.com/e/2078 ]
Sep 8 22:19:02 apim-qa-ssl-syslog-02 rsyslogd[23506]: netstream session 0x7fbb8000ef00 from 10.52.34.66 will be closed due to error [v8.2404.0 try https://www.rsyslog.com/e/2078 ]

Actual behavior

Session close at the client side (mina core session) is causing a TLS error at the rsyslog server.

Expected behavior

Session close should not result in any errors at rsyslog server side.

Relevant log output

Errors with GTLS driver in rsyslog server

: unexpected GnuTLS error -110 in nsd_gtls.c:602: The TLS connection was non-properly terminated.  [v8.2404.0 try https://www.rsyslog.com/e/2078 ]
Sep  8 22:19:02 apim-qa-ssl-syslog-02 rsyslogd[23506]: netstream session 0x7fbb8000ef00 from 10.52.34.66 will be closed due to error [v8.2404.0 try https://www.rsyslog.com/e/2078 ]

Errors with OSSL driver in rsyslog server

6533.415185062:imtcp.c        : nsd_ossl.c: osslRecordRecv: start
6533.415193292:imtcp.c        : net_ossl.c: openssl debugmsg: BIO[0x7fd030005840]: read(15,5) - socket fd=15
6533.415206502:imtcp.c        : net_ossl.c: openssl debugmsg: BIO[0x7fd030005840]: read return 0
6533.415233672:imtcp.c        : net_ossl.c: lastOpenSSLErrorMsg: SSL_ERROR_SYSCALL Error in 'osslRecordRecv': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=0, errno=0(Success), sslapi='SSL_read 1'
6533.415242122:imtcp.c        : errmsg.c: Called LogMsg, msg: SSL_ERROR_SYSCALL Error in 'osslRecordRecv': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=0, errno=0(Success), sslapi='SSL_read 1'

6533.415247902:imtcp.c        : operatingstate.c: osf: MSG SSL_ERROR_SYSCALL Error in 'osslRecordRecv': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=0, errno=0(Success), sslapi='SSL_read 1'
: signaling new internal message via SIGTTOU: 'SSL_ERROR_SYSCALL Error in 'osslRecordRecv': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=0, errno=0(Success), sslapi='SSL_read 1'  [v8.2404.0]'
6533.415297912:imtcp.c        : nsd_ossl.c: osslRecordRecv: SSL_ERROR_SYSCALL Errno 0
6533.415321862:imtcp.c        : nsd_ossl.c: osslRecordRecv return. nsd 0x7fd0300034f0, iRet -1, lenRcvd 0, lenRcvBuf -1, ptrRcvBuf 64
6533.415326952:imtcp.c        : nsd_ossl.c: osslRcv return. nsd 0x7fd0300034f0, iRet -1, lenRcvBuf -1, ptrRcvBuf 64
6533.415332152:imtcp.c        : errmsg.c: Called LogMsg, msg: netstream session 0x7fd030005c30 from 10.52.34.66 will be closed due to error
6533.415336682:imtcp.c        : operatingstate.c: osf: MSG netstream session 0x7fd030005c30 from 10.52.34.66 will be closed due to error: signaling new internal message via SIGTTOU: 'netstream session 0x7fd030005c30 from 10.52.34.66 will be closed due to error [v8.2404.0]'
6533.415360732:imtcp.c        : nsd_ossl.c: nsd_ossl_destruct: [0x7fd0300034f0] Mode 1
6533.415373282:imtcp.c        : nsd_ossl.c: osslEndSess: closing SSL Session ...
6533.415393213:imtcp.c        : net_ossl.c: openssl debugmsg: BIO[0x7fd030005840]: write(15,31) - socket fd=15
6533.415414493:imtcp.c        : net_ossl.c: openssl debugmsg: BIO[0x7fd030005840]: write return 31
6533.415424773:imtcp.c        : nsd_ossl.c: osslEndSess: shutdown failed with err = 5
6533.415431922:imtcp.c        : net_ossl.c: openssl debugmsg: BIO[0x7fd030005840]: read(15,5) - socket fd=15
6533.415522973:imtcp.c        : net_ossl.c: openssl debugmsg: BIO[0x7fd030005840]: read return 0
6533.415608143:imtcp.c        : nsd_ossl.c: osslEndSess: Forcing ssl shutdown SSL_read (0) to do a bidirectional shutdown

Other information

Apache Mina SSHD
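
A log-triage example for the rsyslog side, added here and not part of the issue or of either project's code: it pairs each unclean-EOF marker from the logs above (GnuTLS error -110, or the OpenSSL driver's SSL_ERROR_SYSCALL with ret=0, errno=0) with the "netstream session ... will be closed" line that follows and counts them per peer. The function name, the `gtls`/`ossl`/`other` labels, and the reading of both markers as "peer closed TCP without sending TLS close_notify" are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: lines taken from the rsyslog output quoted in the report above.
SAMPLE = """\
: unexpected GnuTLS error -110 in nsd_gtls.c:602: The TLS connection was non-properly terminated.  [v8.2404.0 try https://www.rsyslog.com/e/2078 ]
Sep  8 22:19:02 apim-qa-ssl-syslog-02 rsyslogd[23506]: netstream session 0x7fbb8000ef00 from 10.52.34.66 will be closed due to error [v8.2404.0 try https://www.rsyslog.com/e/2078 ]
6533.415233672:imtcp.c        : net_ossl.c: lastOpenSSLErrorMsg: SSL_ERROR_SYSCALL Error in 'osslRecordRecv': 'error:00000005:lib(0):func(0):DH lib(5)' with ret=0, errno=0(Success), sslapi='SSL_read 1'
6533.415332152:imtcp.c        : errmsg.c: Called LogMsg, msg: netstream session 0x7fd030005c30 from 10.52.34.66 will be closed due to error
6533.415336682:imtcp.c        : operatingstate.c: osf: MSG netstream session 0x7fd030005c30 from 10.52.34.66 will be closed due to error: signaling new internal message via SIGTTOU: 'netstream session 0x7fd030005c30 from 10.52.34.66 will be closed due to error [v8.2404.0]'
"""

GNUTLS_ERR = re.compile(r"GnuTLS error (-?\d+)")
# OpenSSL driver: SSL_read returned 0 with errno 0, i.e. EOF on the socket.
OSSL_EOF = re.compile(r"SSL_ERROR_SYSCALL\b.*\bret=0, errno=0\b")
CLOSED = re.compile(r"netstream session (0x[0-9a-f]+) from (\S+) will be closed due to error")
GNUTLS_E_PREMATURE_TERMINATION = -110  # the code shown in the report

def unclean_tls_closes(lines):
    """Count error-closed sessions per (peer, driver).

    driver is "gtls" or "ossl" when the close follows an unclean-EOF marker
    (assumed: no close_notify from the peer), otherwise "other".
    """
    counts = Counter()
    pending = None       # driver that just reported an unclean EOF
    last_session = None  # debug logs repeat the close message; count it once
    for line in lines:
        m = GNUTLS_ERR.search(line)
        if m:
            code = int(m.group(1))
            pending = "gtls" if code == GNUTLS_E_PREMATURE_TERMINATION else None
            last_session = None
            continue
        if OSSL_EOF.search(line):
            pending, last_session = "ossl", None
            continue
        m = CLOSED.search(line)
        if m and m.group(1) != last_session:
            session, peer = m.groups()
            counts[(peer, pending or "other")] += 1
            pending, last_session = None, session
    return counts

if __name__ == "__main__":
    for (peer, driver), n in unclean_tls_closes(SAMPLE.splitlines()).items():
        print(f"{peer}\t{driver}\t{n}")
```

A steady count from one known log sender after a client library upgrade points at that client's close path; the same marker from unexpected peers or mid-stream is worth a closer look, since a missing close_notify means the receiver cannot tell an intentional close from a truncated stream.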

tomaswolf commented 1 week ago
  1. Version 2.2.0 is very old (from 2019).
  2. We never issued a version 2.2.3.
  3. We do not have the resources to deal with reports about old versions.
  4. rsyslog is a utility to forward logging to a remote location. Any such logging is beyond Apache MINA sshd.
  5. The SSH protocol has nothing to do with TLS.

In case you are forwarding/tunneling rsyslog through an SSH tunnel using Apache MINA sshd I suggest you upgrade to the newest Apache MINA sshd (currently 2.13.2). There have been significant changes in TCP/IP forwarding since 2.2.0.

tomaswolf commented 1 week ago

Uhm... I just realized that you probably meant to file this issue against Apache MINA 2.2.3, not against Apache MINA sshd. The correct issue tracker would be in JIRA: https://issues.apache.org/jira/projects/DIRMINA .