Comments (1)
The man page for SSL_get_error() lists a number of functions to which it applies, which includes SSL_shutdown(), and so I think ERR_clear_error() should also be called before the two calls of SSL_shutdown(). keepalived does not use any of the other functions listed.
However, I think the patch will not work as a solution; in fact I think we have a severe problem.
The SSL_get_error(3) man page states:
In addition to ssl and ret, SSL_get_error() inspects the current thread's OpenSSL error queue. Thus, SSL_get_error() must be used in the same thread that performed the TLS/SSL I/O operation, and no other OpenSSL function calls should appear in between. The current thread's error queue must be empty before the TLS/SSL I/O operation is attempted, or SSL_get_error() will not work reliably.
The last sentence says we need to ensure that the thread's error queue is empty before we call SSL_connect(), SSL_read(), SSL_write() or SSL_shutdown(), so either we must call ERR_clear_error() before any of the SSL functions, or after an error we need to ensure we read all the errors, which is a solution I prefer since we ought to process all the errors and not just throw them away.
The problem is the second sentence above "... and no other OpenSSL function calls should appear in between." Apart from it being unclear what "between" refers to, the real problem is that keepalived can have SSL connections open simultaneously for each SSL_CHECK. If an error is returned from any SSL_* call, SSL_get_error() will return errors not only for the particular connection, but also for errors that have occurred on any other SSL connection that are on the OpenSSL error queue. Calling ERR_clear_error() before all SSL_* function calls could mean that errors are discarded without being processed.
There are two possible solutions that I can see (but only 1 can work for keepalived):
- Only run one SSL_GET checker at a time (this won't scale for large configurations with a large number of SSL_GET checkers)
- Run each SSL_GET checker in a separate process thread (i.e. using pthread_create()).
The problem with option 2 is that (except for DBus) we do not use pthreads, and this would require a not insignificant architecture change for keepalived.
I will think about this and see if I can work out the best solution. It might need reading the OpenSSL code to really understand how it works, but I would rather avoid that.
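As an added illustration (not keepalived or OpenSSL code, and not part of the comment above), this toy C model shows one thread servicing two checkers that share a single error queue, and what the second checker is told under the two approaches the comment weighs. Every name (`m_io`, `m_get_error`, `verdict_for_b`) and the error code are hypothetical; the model assumes a non-empty queue makes a failed call read as a protocol error.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, NOT OpenSSL API: one error queue per thread, shared by every
 * connection that thread services. */
enum { M_ERROR_NONE, M_ERROR_SSL, M_ERROR_WANT_READ };
#define QMAX 16
static unsigned long queue[QMAX];
static size_t qlen;

static void m_push(unsigned long code) { if (qlen < QMAX) queue[qlen++] = code; }
static void m_clear(void) { qlen = 0; }           /* cf. ERR_clear_error() */
static unsigned long m_pop(void) {                /* cf. ERR_get_error()   */
    if (qlen == 0) return 0;
    unsigned long c = queue[0];
    for (size_t i = 1; i < qlen; i++) queue[i - 1] = queue[i];
    qlen--;
    return c;
}

/* One non-blocking I/O step: a non-zero fail_code is a hard failure that
 * queues an error; zero means the step only needs more data. Returns -1. */
static int m_io(unsigned long fail_code) { if (fail_code) m_push(fail_code); return -1; }

/* Model of SSL_get_error(): for ret <= 0 a non-empty queue is read as a
 * protocol failure before the "want read" state is considered. */
static int m_get_error(int ret) {
    if (ret > 0) return M_ERROR_NONE;
    return qlen ? M_ERROR_SSL : M_ERROR_WANT_READ;
}

/* Checker A fails; checker B then only needs more data. Returns B's verdict.
 * drain_a: A's handler pops (and would log) every queued code.
 * clear_b: B empties the queue before its I/O, discarding A's error. */
int verdict_for_b(int drain_a, int clear_b, size_t *logged_for_a) {
    m_clear();
    *logged_for_a = 0;
    int ret_a = m_io(0xA001UL);                   /* constructed error code */
    if (m_get_error(ret_a) == M_ERROR_SSL && drain_a)
        while (m_pop() != 0) (*logged_for_a)++;
    if (clear_b) m_clear();
    return m_get_error(m_io(0));
}
int main(void) {
    size_t n;
    int stale = verdict_for_b(0, 0, &n);          /* B is blamed for A's error */
    int drained = verdict_for_b(1, 0, &n);        /* B correctly wants read    */
    printf("stale=%d drained=%d logged_for_a=%zu\n", stale, drained, n);
}
```

In the model, clearing before B's I/O also gives B the right verdict, but A's error is then never logged against A, which is the loss the comment describes.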