Unbound error spam after openssl 3 update #812

Closed
brand1970 opened this issue Dec 23, 2022 · 4 comments

@brand1970

Describe the bug
Unbound error spam after openssl 3 update (could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading.)

To reproduce
Steps to reproduce the behavior:

  1. I use DNS over TLS

Expected behavior
So since openssl 3.0.7 came out, "unbound" has been spamming the journal with errors:
...could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading.
My Archlinux system is fully up to date.

System:

  • Unbound version: 1.17.0
  • OS: Archlinux
  • unbound -V output: Configure line: --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/bin --disable-rpath --enable-dnscrypt --enable-dnstap --enable-pie --enable-relro-now --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --enable-cachedb --with-libhiredis --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/trusted-key.key --with-libevent --with-libnghttp2 --with-pyunbound
    Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
    Linked modules: dns64 cachedb subnetcache respip validator iterator
    DNSCrypt feature available
    TCP Fastopen feature available

Additional information
journalctl -b -u unbound.service

Dec 23 10:56:00 arch-pc systemd[1]: Starting Validating, recursive, and caching DNS resolver...
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] notice: init module 0: subnetcache
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] notice: init module 1: validator
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] notice: init module 2: iterator
Dec 23 10:56:01 arch-pc unbound[1108]: [1108:0] info: start of service (unbound 1.17.0).
Dec 23 10:56:01 arch-pc systemd[1]: Started Validating, recursive, and caching DNS resolver.
Dec 23 10:56:03 arch-pc systemd[1]: Reloading Validating, recursive, and caching DNS resolver...
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: service stopped (unbound 1.17.0).
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: Restart of unbound 1.17.0.
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: init module 0: subnetcache
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: init module 1: validator
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] notice: init module 2: iterator
Dec 23 10:56:03 arch-pc unbound[1108]: [1108:0] info: start of service (unbound 1.17.0).
Dec 23 10:56:03 arch-pc systemd[1]: Reloaded Validating, recursive, and caching DNS resolver.
Dec 23 10:56:06 arch-pc unbound[1108]: [1108:0] info: generate keytag query _ta-4f66. NULL IN
Dec 23 10:57:28 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 10:59:59 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:05:22 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:09:57 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:18:50 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:18:50 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Dec 23 11:21:01 arch-pc unbound[1108]: [1108:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading

@APCBoston

I'm also seeing this on Ubuntu 22.01, even after upgrading from Unbound-1.13 (packaged with the distro) to Unbound-1.17.0

@glitsj16

Same as OP, still an issue on unbound 1.17.1 on Arch Linux.

$ unbound -V
Version 1.17.1

Configure line: --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/bin --disable-rpath --enable-dnscrypt --enable-dnstap --enable-pie --enable-relro-now --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --enable-cachedb --with-libhiredis --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/trusted-key.key --with-libevent --with-libnghttp2 --with-pyunbound
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 cachedb subnetcache respip validator iterator
DNSCrypt feature available
TCP Fastopen feature available

@quantum77

quantum77 commented Mar 12, 2023

Same here. Up-to-date CentOS Stream 9.1, Unbound 1.16.2, OpenSSL 3.0.7. Using DNS-over-TLS.

Oddly it doesn't happen on the unbound server, but does on the clients.

What can we do? This is still Unassigned. Are any devs left?

@JayBrown

Same here (on the server, DoT):

unbound[806]: [806:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading

Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
unbound: Version 1.13.1

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-libnghttp2 --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.2 15 Mar 2022
Linked modules: dns64 python subnetcache respip validator iterator

@gthess gthess self-assigned this Mar 17, 2023
@gthess gthess closed this as completed in d7e7761 Mar 17, 2023
jedisct1 added a commit to jedisct1/unbound that referenced this issue Mar 20, 2023
* nlnet/master:
  - iana portlist update.
  - Fix NLnetLabs#812, fix NLnetLabs#846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option to ignore the unexpected eof while reading in openssl >= 3.
  - Fix ssl.h include brackets, instead of quotes.
  - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly.
  - Fix for NLnetLabs#852: Completion of error handling.
  Changelog entry for issue NLnetLabs#825
  Improved comment
  Test cache update from serve-expired and client-subnet-always-forward
  ifdef CLIENT_SUBNET
  Fix issue NLnetLabs#825: interaction between ECS and serve-expired.
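The fix referenced in the commit above is the SSL_OP_IGNORE_UNEXPECTED_EOF option, which makes OpenSSL 3 treat a peer that closes the TCP connection without sending a TLS close_notify as a normal EOF instead of the "unexpected eof while reading" error. The option only silences the TLS layer's truncation signal, so a DoT consumer then has to rely on the RFC 7858 two-byte length prefix to tell a clean EOF from a message that was cut off. The following is an added example, not Unbound's code: it uses Python's ssl module, which exposes the same OpenSSL flag as ssl.OP_IGNORE_UNEXPECTED_EOF (assumed present only on Python 3.10+ built against OpenSSL 3), and the DNS messages are constructed samples.

```python
import ssl
import struct

# OpenSSL 3 flag; 0 when this Python/OpenSSL build lacks it (assumption, not from the page).
IGNORE_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)


def dot_client_context() -> ssl.SSLContext:
    """DoT client context in the spirit of the Unbound fix: certificate
    verification stays on, TLS 1.2+ is required, and a missing close_notify
    is tolerated instead of being logged as an SSL_read error."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= IGNORE_EOF
    return ctx


def ignores_unexpected_eof(ctx: ssl.SSLContext) -> bool:
    """True when the context will treat a bare TCP FIN as a normal EOF."""
    return bool(IGNORE_EOF) and (ctx.options & IGNORE_EOF) == IGNORE_EOF


def frame(msg: bytes) -> bytes:
    """RFC 7858 framing: 2-byte big-endian length prefix before each DNS message."""
    return struct.pack("!H", len(msg)) + msg


def split_dot_stream(data: bytes):
    """Split received DoT bytes into DNS messages.

    Returns (messages, clean_eof). clean_eof is False when the stream ended
    inside a length prefix or inside a message: that is the truncation the
    TLS layer no longer reports once unexpected EOF is ignored."""
    messages, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            return messages, False          # cut inside the length prefix
        (length,) = struct.unpack_from("!H", data, off)
        off += 2
        if len(data) - off < length:
            return messages, False          # cut in the middle of a message
        messages.append(data[off:off + length])
        off += length
    return messages, True                   # ended exactly on a message boundary


# Constructed sample: two minimal DNS responses (12-byte header only, no records).
RESP_A = b"\xab\xcd\x81\x80" + b"\x00" * 8
RESP_B = b"\x12\x34\x81\x80" + b"\x00" * 8
STREAM = frame(RESP_A) + frame(RESP_B)
```

A peer dropping the connection between two framed messages is a clean EOF; dropping it anywhere else is reported as truncation by split_dot_stream regardless of how the TLS layer was configured.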
thess added a commit to thess/OpenWrt-packages that referenced this issue Aug 21, 2023
Refs: NLnetLabs/unbound#812
      NLnetLabs/unbound#846

This is a backport of: NLnetLabs/unbound@d7e7761
and can be removed with the next release/update of the Unbound package

Signed-off-by: Ted Hess <thess@kitschensync.net>
BKPepe pushed a commit to openwrt/packages that referenced this issue Sep 16, 2023
Refs: NLnetLabs/unbound#812
      NLnetLabs/unbound#846

This is a backport of: NLnetLabs/unbound@d7e7761
and can be removed with the next release/update of the Unbound package

Signed-off-by: Ted Hess <thess@kitschensync.net>
(cherry picked from commit 2a71e17)
lu-zero pushed a commit to domo-iot/packages that referenced this issue Oct 23, 2023
Refs: NLnetLabs/unbound#812
      NLnetLabs/unbound#846

This is a backport of: NLnetLabs/unbound@d7e7761
and can be removed with the next release/update of the Unbound package

Signed-off-by: Ted Hess <thess@kitschensync.net>
BKPepe pushed a commit to openwrt/packages that referenced this issue Feb 17, 2024
Refs: NLnetLabs/unbound#812
      NLnetLabs/unbound#846

This is a backport of: NLnetLabs/unbound@d7e7761
and can be removed with the next release/update of the Unbound package

Signed-off-by: Ted Hess <thess@kitschensync.net>
(cherry picked from commit 2a71e17)