skupperproject / skupper

Skupper is an implementation of a Virtual Application Network, enabling rich hybrid cloud communication.
http://skupper.io
Apache License 2.0

openssl s_client -reconnect causes following connections to fail with timeout #954

Open hash-d opened 1 year ago

hash-d commented 1 year ago

Description

openssl has a debug client called s_client, which in turn has a flag named -reconnect. That flag, according to the man page, "Reconnects to the same server 5 times using the same session ID, this can be used as a test that session caching is working".

Session caching is not supposed to be working on Skupper. However, after running a test with that flag, any ensuing connections time out.

This is possibly a router issue (should this be moved there?), but the steps to reproduce use skupper.

How to reproduce

$ skupper init
$ k create -f /tmp/ssl-server.yaml
$ skupper expose --enable-tls --port 8443 deployment/ssl-server
$ k exec -ti deployment/ssl-server -- openssl s_client -connect ssl-server:8443 # works; try it a few times
$ k exec -ti deployment/ssl-server -- openssl s_client -connect ssl-server:8443 -reconnect # doesn't work anymore
$ k exec -ti deployment/ssl-server -- openssl s_client -connect ssl-server:8443 # new connection, and it does not work anymore

Here, 'works' means that the server responds to any inputs with the reversed input (i.e., typing asdf and hitting enter immediately gets a response of fdsa). 'Doesn't work', in turn, means that no response is ever sent, even if the openssl s_client output shows a successful TLS connection.

ssl-server.yaml contents:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ssl-server
  name: ssl-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ssl-server
  template:
    metadata:
      labels:
        app: ssl-server
    spec:
      containers:
      - command:
        - sh
        - -c
        - microdnf install openssl ; openssl s_server -port 8443 -rev -cert /cert/tls.crt
          -key /cert/tls.key -brief
        image: quay.io/skupper/skupper-tests
        imagePullPolicy: IfNotPresent
        name: skupper-tests
        ports:
        - containerPort: 8443
          protocol: TCP
        volumeMounts:
        - mountPath: /cert
          name: volume-cert
      volumes:
      - name: volume-cert
        secret:
          defaultMode: 420
          secretName: skupper-tls-ssl-server

Alternative setup, imperative, using OpenShift's oc to add the volumes.

$ k create deployment ssl-server --image quay.io/skupper/skupper-tests --port 8443 -- sh -c "microdnf install openssl ; openssl s_server -port 8443 -rev -cert /cert/tls.crt -key /cert/tls.key -brief"
$ skupper expose --enable-tls --port 8443 deployment/ssl-server
$ oc set volumes --add --secret-name skupper-tls-ssl-server --path /cert deployment/ssl-server

hash-d commented 1 year ago

Created https://github.com/skupperproject/skupper-router/issues/864; this one will track that one
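
The reproduction steps from the first comment, written as an added Python regression check (not code from the issue or from the Skupper project): it probes the -rev server, offers the saved TLS session five times the way s_client -reconnect does, then probes again on a fresh connection. The function names, the cafile argument and the 3-second timeout are assumptions made for this example.

```python
import socket
import ssl

def rev_probe(conn, payload=b"asdf", timeout=3.0):
    """Send one line; True only if the reversed line returns before the timeout."""
    try:
        conn.settimeout(timeout)
        conn.sendall(payload + b"\n")
        buf = b""
        while b"\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:              # peer closed without answering
                return False
            buf += chunk
    except OSError:                    # covers timeouts, resets and TLS I/O errors
        return False
    return buf.split(b"\n", 1)[0].rstrip(b"\r") == payload[::-1]

def attempt(host, port, ctx, session=None, timeout=3.0):
    """One TLS connection. Returns (responded, session_reused, session)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
                responded = rev_probe(tls, timeout=timeout)
                # Read the session after the probe: TLS 1.3 tickets arrive post-handshake.
                return responded, tls.session_reused, tls.session
    except ssl.SSLCertVerificationError:
        raise                          # a trust problem is not the bug being tested
    except OSError:
        return False, False, None

def reconnect_check(host, port, cafile, rounds=5):
    """Baseline probe, `rounds` attempts offering the saved session, then a fresh probe."""
    ctx = ssl.create_default_context(cafile=cafile)   # certificate verification stays on
    before, _, session = attempt(host, port, ctx)
    resumed = [attempt(host, port, ctx, session)[:2] for _ in range(rounds)]
    after, _, _ = attempt(host, port, ctx)
    return {"before": before, "resumed": resumed, "after": after}

if __name__ == "__main__":
    import sys
    # Assumed invocation: <service host> <port> <path to the CA that signed the service cert>
    result = reconnect_check(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(result)
    sys.exit(0 if result["before"] and result["after"] else 1)
```

A healthy service reports before and after as True; the behaviour described in this issue would show before as True and after as False, with the TLS handshakes still succeeding.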