[Bug 1979070] Re: [2.17.0-0ubuntu1] Many SSL warnings in the ovsdb log

Launchpad Bug Tracker 1979070 at bugs.launchpad.net
Mon Jul 4 14:11:49 UTC 2022


Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openvswitch (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openvswitch in Ubuntu.
https://bugs.launchpad.net/bugs/1979070

Title:
  [2.17.0-0ubuntu1] Many SSL warnings in the ovsdb log

Status in openvswitch package in Ubuntu:
  Confirmed

Bug description:
  There are many repeating warning messages like this in the ovsdb log:

  2022-06-17T14:11:39.298Z|00054|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
  2022-06-17T14:11:39.298Z|00055|jsonrpc|WARN|ssl:127.0.0.1:46472: receive error: Protocol error
  2022-06-17T14:11:39.298Z|00056|reconnect|WARN|ssl:127.0.0.1:46472: connection dropped (Protocol error)
  2022-06-17T14:17:00.454Z|00057|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
  2022-06-17T14:17:00.454Z|00058|jsonrpc|WARN|ssl:127.0.0.1:46476: receive error: Protocol error
  2022-06-17T14:17:00.454Z|00059|reconnect|WARN|ssl:127.0.0.1:46476: connection dropped (Protocol error)

  While they seem harmless, we may need to do something about this as it
  gives false leads to people trying to debug real issues (e.g. with
  networking) in their environments.

  Some references as to why this might be happening:

  https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
  "SSL_OP_IGNORE_UNEXPECTED_EOF
  Some TLS implementations do not send the mandatory close_notify alert on shutdown. If the application tries to wait for the close_notify alert but the peer closes the connection without sending it, an error is generated. When this option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received.

  You should only enable this option if the protocol running over TLS
  can detect a truncation attack itself, and that the application is
  checking for that truncation attack."

  https://github.com/openssl/openssl/issues/18574#issuecomment-1156118884

  $ apt policy openvswitch-common
  openvswitch-common:
    Installed: 2.17.0-0ubuntu1
    Candidate: 2.17.0-0ubuntu1
    Version table:
   *** 2.17.0-0ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
          100 /var/lib/dpkg/status

  
  root        5823       1  0 13:19 ?        00:00:01 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-sb.log --remote=punix:/var/run/ovn/ovnsb_db.sock --pidfile=/var/run/ovn/ovnsb_db.pid --unixctl=/var/run/ovn/ovnsb_db.ctl --remote=db:OVN_Southbound,SB_Global,connections --private-key=/etc/ovn/key_host --certificate=/etc/ovn/cert_host --ca-cert=/etc/ovn/ovn-central.crt --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers /var/lib/ovn/ovnsb_db.db

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/1979070/+subscriptions
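The report's concern is that these warnings send people debugging real problems down false leads. An added example (not from the bug, Open vSwitch or Ubuntu) that parses lines in the ovsdb-server log format quoted above and separates the OpenSSL 3 "unexpected eof while reading" drops, where the peer closed without a close_notify, from other SSL_accept failures that still deserve attention. The function and class names are hypothetical, and the 10.0.0.7 sample line is constructed to show the contrasting case.

```python
import re
from collections import Counter

# Constructed sample in the ovsdb-server log format (timestamp|seq|module|level|message).
# The first three lines are the ones quoted in the bug; the 10.0.0.7 lines are made up
# to show an SSL failure that is not the harmless unexpected-EOF case.
SAMPLE_LOG = """\
2022-06-17T14:11:39.298Z|00054|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2022-06-17T14:11:39.298Z|00055|jsonrpc|WARN|ssl:127.0.0.1:46472: receive error: Protocol error
2022-06-17T14:11:39.298Z|00056|reconnect|WARN|ssl:127.0.0.1:46472: connection dropped (Protocol error)
2022-06-17T14:12:02.100Z|00057|stream_ssl|WARN|SSL_accept: error:CONSTRUCTED:SSL routines::certificate verify failed
2022-06-17T14:12:02.100Z|00058|jsonrpc|WARN|ssl:10.0.0.7:51002: receive error: Protocol error
2022-06-17T14:12:02.100Z|00059|reconnect|WARN|ssl:10.0.0.7:51002: connection dropped (Protocol error)
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<seq>\d+)\|(?P<module>[^|]+)\|(?P<level>[^|]+)\|(?P<msg>.*)$")
PEER_RE = re.compile(r"ssl:(?P<peer>[^:]+:\d+)")
UNEXPECTED_EOF = "unexpected eof while reading"


def parse_line(line):
    """Split one OVS log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_ssl_drops(text):
    """Return a list of (peer, kind, ssl_error) for every dropped SSL connection.

    OVS logs the stream_ssl error first and only names the peer on the following
    jsonrpc/reconnect lines, so the last stream_ssl WARN is carried forward until a
    'connection dropped' line for a peer consumes it.
    """
    pending = None
    results = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["level"] != "WARN":
            continue
        if rec["module"] == "stream_ssl":
            pending = rec["msg"]
        elif rec["module"] == "reconnect" and "connection dropped" in rec["msg"]:
            peer = PEER_RE.search(rec["msg"])
            if peer and pending is not None:
                kind = "peer_closed_without_close_notify" if UNEXPECTED_EOF in pending else "other_ssl_error"
                results.append((peer.group("peer"), kind, pending))
                pending = None
    return results


def summarize(results):
    """Count drops per kind so the noisy EOF case can be reported separately."""
    return Counter(kind for _, kind, _ in results)
```

Run over a real ovsdb-server log, only the `other_ssl_error` entries are worth chasing; the EOF drops are the behaviour the OpenSSL documentation quoted above describes.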
