Describe the bug
Using the Forward Output Plugin with TLS. The hostname is an IP address. The server certificate contains its correct IP in its SubjectAlternativeName extension. tls_verify_hostname is switched on.
The TLS connection to the server is not established: address family must be specified
On the server side: close socket due to unexpected ssl error: SSL_read: unexpected eof while reading
Works if the hostname is a name (not an IP).
Works if the hostname is an IP and tls_verify_hostname is off.
To Reproduce
Have fluentd running on the server side with:
root certificate
server certificate with a SubjectAlternativeName extension containing the IP address of the server
server key
Start fluentd on the client side with:
root certificate
client certificate
client key
TLS config with tls_insecure_mode false and tls_verify_hostname true
Now, on every heartbeat send, you will see the error below.
The attached file contains all certificates etc. to reproduce the behaviour, together with the server and client configurations below. Your server must have the IP 192.168.55.11.
tls.zip
Expected behavior
The TLS connection should be established successfully, and the heartbeat and other data should be sent.
Your Error Log
On the client side:
2023-07-18 06:19:27 +0000 [trace]: #0 fluent/log.rb:317:trace: sending heartbeat host="192.168.55.11" port=24224 heartbeat_type=:transport
2023-07-18 06:19:27 +0000 [debug]: #0 fluent/log.rb:339:debug: connect new socket
2023-07-18 06:19:27 +0000 [trace]: #0 fluent/log.rb:317:trace: loading system default certificate store
2023-07-18 06:19:27 +0000 [trace]: #0 fluent/log.rb:317:trace: adding CA cert path="/fluentd/etc/fluent-root.crt"
2023-07-18 06:19:27 +0000 [trace]: #0 fluent/log.rb:317:trace: setting TLS context mode="peer" ciphers="ALL:!aNULL:!eNULL:!SSLv2"
2023-07-18 06:19:28 +0000 [trace]: #0 fluent/log.rb:317:trace: entering TLS handshake
2023-07-18 06:19:28 +0000 [trace]: #0 fluent/log.rb:317:trace: enqueueing all chunks in buffer instance=2180
2023-07-18 06:19:28 +0000 [trace]: #0 fluent/log.rb:317:trace: enqueueing all chunks in buffer instance=2220
2023-07-18 06:19:28 +0000 [trace]: #0 fluent/log.rb:317:trace: checking peer's certificate subject=#<OpenSSL::X509::Name CN=--backoffice-->
2023-07-18 06:19:28 +0000 [debug]: #0 fluent/log.rb:339:debug: unexpected error happen during heartbeat host="192.168.55.11" port=24224 heartbeat_type=:transport error_class=IPAddr::AddressFamilyError error="address family must be specified"
On the server side:
2023-07-18 06:19:28 +0000 [warn]: #0 fluent/log.rb:381:warn: close socket due to unexpected ssl error: SSL_read: unexpected eof while reading
2023-07-18 06:19:28 +0000 [warn]: #0 fluent/log.rb:381:warn: close socket due to unexpected ssl error: SSL_read: unexpected eof while reading
Additional context
The root cause of the problem is in Ruby: the method that parses the IP address raises the exception. It always raises the exception if the hostname is a string containing an IP.
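The check that tls_verify_hostname has to perform in this situation, as an added example (not fluentd's or Ruby's own code): a simplified model of subjectAltName matching in which an IP-literal host is compared byte-for-byte against iPAddress entries and a parse failure can never raise out of the handshake. The SAN set, the server name and the helper names `ip_octets`, `dns_match?` and `identity_matches?` are constructed for this example.

```ruby
require "ipaddr"

# Simplified model of subjectAltName-based peer identity checking
# (RFC 5280 GeneralName, RFC 6125 matching rules). Constructed example,
# not fluentd's or Ruby's openssl implementation.
# `sans` is a list of [kind, value] pairs: [:dns, "name"] or
# [:ip, octets], where octets are the raw 4 (IPv4) or 16 (IPv6) bytes
# carried by an iPAddress GeneralName.

# Network-order bytes of the configured host, or nil when the host is not
# an IP literal. Every IPAddr error is mapped to nil, so a host string such
# as "192.168.55.11" (or a non-string host) cannot abort the handshake with
# an exception; it simply falls through to dNSName matching.
def ip_octets(host)
  return nil unless host.is_a?(String)
  IPAddr.new(host).hton
rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
  nil
end

# dNSName matching: case-insensitive label comparison; "*" is accepted
# only as the whole leftmost label and never spans a dot.
def dns_match?(pattern, host)
  p_labels = pattern.downcase.split(".", -1)
  h_labels = host.downcase.split(".", -1)
  return false unless p_labels.size == h_labels.size && p_labels.size >= 2
  p_labels.zip(h_labels).each_with_index.all? do |(pl, hl), i|
    pl == hl || (i.zero? && pl == "*" && !hl.empty?)
  end
end

# True when the host is covered by at least one SAN entry. An IP literal
# is compared only against iPAddress entries, a DNS name only against
# dNSName entries; the two kinds are never cross-matched.
def identity_matches?(sans, host)
  host_ip = ip_octets(host)
  sans.any? do |kind, value|
    case kind
    when :ip  then !host_ip.nil? && value == host_ip
    when :dns then host_ip.nil? && host.is_a?(String) && dns_match?(value, host)
    else false
    end
  end
end

# Constructed SAN set for the server in the report: one dNSName plus the
# iPAddress 192.168.55.11 as its four raw octets.
SERVER_SANS = [
  [:dns, "backoffice.example.invalid"],
  [:ip, "\xC0\xA8\x37\x0B".b],
].freeze

puts identity_matches?(SERVER_SANS, "192.168.55.11") # true
```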
This problem has already been communicated to Ruby, see:
https://bugs.ruby-lang.org/issues/19770
To make your product more reliable, please support fixing that problem :-)