[2.17.0-0ubuntu1] Many SSL warnings in the ovsdb log

Bug #1979070 reported by Dmitrii Shcherbakov
This bug affects 2 people
Affects: openvswitch (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

There are many repeating warning messages like this in the ovsdb log:

2022-06-17T14:11:39.298Z|00054|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2022-06-17T14:11:39.298Z|00055|jsonrpc|WARN|ssl:127.0.0.1:46472: receive error: Protocol error
2022-06-17T14:11:39.298Z|00056|reconnect|WARN|ssl:127.0.0.1:46472: connection dropped (Protocol error)
2022-06-17T14:17:00.454Z|00057|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2022-06-17T14:17:00.454Z|00058|jsonrpc|WARN|ssl:127.0.0.1:46476: receive error: Protocol error
2022-06-17T14:17:00.454Z|00059|reconnect|WARN|ssl:127.0.0.1:46476: connection dropped (Protocol error)

While they seem harmless, we may need to do something about this as it gives false leads to people trying to debug real issues (e.g. with networking) in their environments.

Some references as to why this might be happening:

https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
"SSL_OP_IGNORE_UNEXPECTED_EOF
Some TLS implementations do not send the mandatory close_notify alert on shutdown. If the application tries to wait for the close_notify alert but the peer closes the connection without sending it, an error is generated. When this option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received.

You should only enable this option if the protocol running over TLS can detect a truncation attack itself, and that the application is checking for that truncation attack."

https://github.com/openssl/openssl/issues/18574#issuecomment-1156118884

$ apt policy openvswitch-common
openvswitch-common:
  Installed: 2.17.0-0ubuntu1
  Candidate: 2.17.0-0ubuntu1
  Version table:
 *** 2.17.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

root 5823 1 0 13:19 ? 00:00:01 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-sb.log --remote=punix:/var/run/ovn/ovnsb_db.sock --pidfile=/var/run/ovn/ovnsb_db.pid --unixctl=/var/run/ovn/ovnsb_db.ctl --remote=db:OVN_Southbound,SB_Global,connections --private-key=/etc/ovn/key_host --certificate=/etc/ovn/cert_host --ca-cert=/etc/ovn/ovn-central.crt --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers /var/lib/ovn/ovnsb_db.db
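A small triage helper, added here as an example (it is not part of the report or of Open vSwitch): it parses ovsdb-server log lines in the format quoted above and separates drops that immediately follow an SSL_accept "unexpected eof" warning (the peer closed during the TLS handshake, before any JSON-RPC traffic) from other drops, per peer, so the benign pattern can be set aside when investigating real connectivity problems. The sample log lines are constructed, and the same-timestamp pairing of the SSL_accept warning with the drop is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the ovsdb-server log format quoted in the report;
# ports, timestamps and the final non-loopback peer are made up.
SAMPLE_LOG = """\
2022-06-17T14:11:39.298Z|00054|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2022-06-17T14:11:39.298Z|00055|jsonrpc|WARN|ssl:127.0.0.1:46472: receive error: Protocol error
2022-06-17T14:11:39.298Z|00056|reconnect|WARN|ssl:127.0.0.1:46472: connection dropped (Protocol error)
2022-06-17T14:17:00.454Z|00057|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2022-06-17T14:17:00.454Z|00058|jsonrpc|WARN|ssl:127.0.0.1:46476: receive error: Protocol error
2022-06-17T14:17:00.454Z|00059|reconnect|WARN|ssl:127.0.0.1:46476: connection dropped (Protocol error)
2022-06-17T14:20:11.001Z|00060|jsonrpc|WARN|ssl:10.0.0.5:51000: receive error: Connection reset by peer
2022-06-17T14:20:11.001Z|00061|reconnect|WARN|ssl:10.0.0.5:51000: connection dropped (Connection reset by peer)
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<seq>\d+)\|(?P<mod>\w+)\|(?P<lvl>\w+)\|(?P<msg>.*)$")
PEER_RE = re.compile(r"^ssl:(?P<peer>[^:]+:\d+): (?P<rest>.*)$")  # IPv4 peers only
UNEXPECTED_EOF = "unexpected eof while reading"

def classify_drops(log_text):
    """Map peer -> [(timestamp, category)] for each 'connection dropped' event.
    A drop sharing its timestamp with the preceding SSL_accept unexpected-EOF warning
    is tagged 'handshake-eof' (peer closed mid-handshake); that match is a heuristic."""
    results = defaultdict(list)
    pending_eof = None  # timestamp of the most recent SSL_accept EOF warning
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, mod, msg = m.group("ts"), m.group("mod"), m.group("msg")
        if mod == "stream_ssl" and msg.startswith("SSL_accept") and UNEXPECTED_EOF in msg:
            pending_eof = ts
            continue
        if mod == "reconnect":
            pm = PEER_RE.match(msg)
            if pm and pm.group("rest").startswith("connection dropped"):
                cat = "handshake-eof" if pending_eof == ts else "other"
                results[pm.group("peer")].append((ts, cat))
                pending_eof = None
    return dict(results)

def summarize(log_text):
    """Count drops by (loopback|remote, category) to separate local handshake noise."""
    counts = defaultdict(int)
    for peer, events in classify_drops(log_text).items():
        scope = "loopback" if peer.startswith("127.") else "remote"
        for _, cat in events:
            counts[(scope, cat)] += 1
    return dict(counts)
```

Run it over a real ovsdb-server log with `summarize(open(path).read())`; a large "loopback / handshake-eof" count with nothing under "remote / other" points at the local health-check pattern from this report rather than a networking fault.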

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvswitch (Ubuntu):
status: New → Confirmed