Broker ssl/disable_ssl mismatch doesn't complain #837
Comments
@Neverlord isn't this better already with current Broker?
Apparently not. If I enable INFO logs, I see " initiating connection to ..." and nothing else. I'll look into it.
Ok, turns out the way TLS does its handshake is the exact opposite of CAF's way. In TLS, the client sends its If I reverse the roles (connecting from SSL-enabled Broker to non-SSL Broker), then CAF complains about an invalid handshake (as it should) and the connecting Broker emits the error It's a CAF issue, so I've opened an issue in CAF's tracker.
The CAF side of this was merged. We're just waiting on a CAF update to close this.
As far as I can tell, Zeek
Instead of only writing them in broker.log, which may be easy to overlook.
In Zeek
# T: act as the connecting peer; F: act as the listening peer.
option connect = T;

event zeek_init()
	{
	if ( connect )
		Broker::peer("127.0.0.1", 9999/tcp);
	else
		Broker::listen("127.0.0.1", 9999/tcp);
	}

event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
	{
	print "peer added";

	if ( connect )
		terminate();
	}

event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
	{
	print "peer lost";
	}

# Any Broker error is printed and ends the process.
event Broker::error(code: Broker::ErrorCode, msg: string)
	{
	print "error", code, msg;
	terminate();
	}

Start server:
Then expected client behavior happens sometimes:
But other times, goes until ctrl-c:
Flipping the Also, the above examples are being done in a release build: In a debug build,
@Neverlord can you take a look? I would think this is probably Broker-side, not Zeek.
@jsiwek thanks for providing the script! Saved me a lot of time. This boils down to CAF immediately dropping a socket if initializing the SSL session fails. In release mode, it seems like the client sends data fast enough so that there's enough data available to determine whether or not the SSL handshake succeeds right away. However, that path did not actually close the socket. Hence the hanging. I have a patch ready: actor-framework/actor-framework#1120. With this change, I can no longer reproduce any hanging in debug or release mode and always get:
@Neverlord thanks, I'll take care of adding the Zeek-side test case to wrap this issue up once that CAF-side patch lands.
If Zeek is defined to not use SSL with Broker (Broker::disable_ssl) and it connects to a remote Broker instance expecting SSL, there doesn't seem to be any error message output. I would expect some Broker error to be output but none of the Broker events were generated or anything.
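The failure mode discussed in this thread, as an added Python example that is not Broker or CAF code: an acceptor peeks at the peer's first bytes and, on a TLS/plaintext mismatch or a silent peer, closes the socket and returns an error instead of leaving the connection open. `check_peer` and `looks_like_tls_record` are hypothetical names, the greeting in the demo is constructed, and the sketch assumes a protocol in which the connecting side speaks first.

```python
import socket

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def looks_like_tls_record(header: bytes) -> bool:
    """True if the 5-byte record header could open a TLS handshake."""
    if len(header) < 5:
        return False  # a short read is treated as "not TLS"
    length = int.from_bytes(header[3:5], "big")
    return (header[0] == TLS_HANDSHAKE and header[1] == 3
            and header[2] <= 4 and 0 < length <= 2 ** 14)


def check_peer(conn: socket.socket, expect_tls: bool, timeout: float = 2.0) -> str:
    """Peek at the peer's first bytes and return "ok" or an error string.

    Every failure path closes the socket, so a mismatched peer is
    disconnected and the caller has an error to log.
    """
    conn.settimeout(timeout)
    try:
        # MSG_PEEK leaves the bytes queued for the real handshake.
        header = conn.recv(5, socket.MSG_PEEK)
    except socket.timeout:
        error = "peer sent nothing before the timeout"
    else:
        if not header:
            error = "peer closed the connection"
        elif looks_like_tls_record(header) == expect_tls:
            return "ok"
        elif expect_tls:
            error = "expected a TLS handshake, got plaintext"
        else:
            error = "expected plaintext, got a TLS handshake"
    conn.close()
    return "error: " + error


if __name__ == "__main__":
    # Constructed input: a plaintext greeting sent to an endpoint expecting TLS.
    client, server = socket.socketpair()
    client.sendall(b"HELLO broker\n")
    print(check_peer(server, expect_tls=True))
```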