-
Notifications
You must be signed in to change notification settings - Fork 139
sslyze appearing to stall out on some domains #138
Comments
cc @h-m-f-t if you've seen anything like this in your own work |
These two look familiar; I'm pretty certain they threw occasional errors in the early days of pshtt (which probably would have relied on now-defunct capabilities of sslyze). I don't think anything was done client-side to remediate, other than a later re-scan. |
@konklone and @h-m-f-t, I submitted #148 because I was seeing something like this with I don't know if something similar could be happening inside of |
I think I have a decent fix for this in #151. While it doesn't totally identify the root cause, it refactors the tool to use the sslyze library directly, in Python, which cuts down our level of process spawning and indirection. Early signs show that it appears to be making a significant impact on reliability and mitigating zombie processes. |
Unfortunately, even using #151, there are still stuck processes. They manifest differently -- not as I attached to one of them, which had been stuck for over a day, with
|
@konklone, I learned recently that You can read more here. I found that I didn't need to do the I hope that helps some. It looks like you're stuck waiting on a mutex, like you said. Using the |
After trying this with synchronous and concurrent sslyze scanners, and adjusting worker counts, it looks like one of the problems (now and historically) has simply been running out of memory on the machine, and the kernel killing processes. When I use a synchronous scanner, which runs sslyze in-process, the main domain-scan process/workers are what get killed, which surfaces the error more directly and results in a full cessation of the overall scan. But there are logs in I'm not sure what the next step is here yet, though I may just run sslyze in |
I'm closing this with the merge of #151, and will re-open if I continue to see this behavior. |
I don't have enough information to report a bug yet. When I checked on our server, the sslyze scans had stalled out with 9 in-flight, with a bunch of
defunct
sslyze processes. These were the domains:But when I ran a scan using
sslyze
on all 9 of those in a row, using--serial
, none of them stalled out. So I'm not totally sure how to reproduce this.The text was updated successfully, but these errors were encountered: