Package: keepalived
Version: 1:2.2.7-1
I'm upgrading our servers from Bullseye to Bookworm. Some of them act as load balancers using keepalived.
Right now I have one Bullseye and one Bookworm with the same configuration checking the same services.
Several of our services are running on HTTPS therefore I'm using SSL_CHECK.
I can see that the Bookworm one occasionally fails SSL_CHECK for several seconds on one service while the
Bullseye does not report any problem at all.
It's quite rare - not even once per hour with 2s loop delay.
I was looking for a possible reason and I've found
https://github.com/openssl/openssl/issues/20365
https://github.com/pjsip/pjproject/issues/3632
https://stackoverflow.com/questions/18179128/how-to-manage-the-error-queue-in-openssl-ssl-get-error-and-err-get-error
They are all basically saying that you can have multiple SSL errors left in error queue and you are supposed to
run ERR_get_error() before calling SSL_* functions.
I've tried to patch keepalived sources (see attachment) and the problem seems to disappear.
I have no idea why the Bullseye package is unaffected. It might be related to a different OpenSSL version.
What do you think about this?
--
Pavel Matěja
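A model of the error-queue behaviour behind the linked issues, added here and not part of the bug report or of keepalived: it reproduces the decision order of OpenSSL 3's SSL_get_error() over a hand-rolled per-thread queue (so it builds without libssl) and shows why a probe whose handshake is merely still pending gets reported as SSL_ERROR_SSL when an earlier check in the same thread left an error behind, but as SSL_ERROR_WANT_READ once the queue is cleared first (ERR_clear_error(), or draining it with ERR_get_error() as described above). The model_* names, probe_pending_handshake and the reason code are constructed.

```c
/* Constructed model (not OpenSSL, not keepalived) of how a stale entry in the
 * thread's error queue changes what SSL_get_error() reports. */
#include <stdio.h>
/* Values as defined in <openssl/ssl.h> and <openssl/err.h>. */
enum { SSL_ERROR_NONE = 0, SSL_ERROR_SSL = 1, SSL_ERROR_WANT_READ = 2, SSL_ERROR_SYSCALL = 5 };
enum { ERR_LIB_SYS = 2, ERR_LIB_SSL = 20 };

/* OpenSSL keeps one error queue per thread, shared by every SSL object the
 * thread touches; this small FIFO stands in for it. */
#define QUEUE_LEN 16
static unsigned long err_queue[QUEUE_LEN];
static int err_head, err_count;

/* Same layout as ERR_PACK() in OpenSSL 3: library code in bits 23..30. */
static unsigned long err_pack(int lib, int reason) {
    return ((unsigned long)(lib & 0xff) << 23) | (unsigned long)(reason & 0x7fffff);
}
static int err_get_lib(unsigned long e) { return (int)((e >> 23) & 0xff); }

static void model_err_put(int lib, int reason) {
    if (err_count < QUEUE_LEN)
        err_queue[(err_head + err_count++) % QUEUE_LEN] = err_pack(lib, reason);
}
static unsigned long model_err_peek(void) { return err_count ? err_queue[err_head] : 0; }
static void model_err_clear(void) { err_head = err_count = 0; }   /* ERR_clear_error() */
/* Decision order of SSL_get_error(): a non-positive return value is first
 * blamed on whatever already sits in the queue, and only if the queue is
 * empty on the connection's own state (here: still waiting for data). */
static int model_ssl_get_error(int ret, int want_read) {
    unsigned long e;
    if (ret > 0) return SSL_ERROR_NONE;
    if ((e = model_err_peek()) != 0)
        return err_get_lib(e) == ERR_LIB_SYS ? SSL_ERROR_SYSCALL : SSL_ERROR_SSL;
    return want_read ? SSL_ERROR_WANT_READ : SSL_ERROR_SYSCALL;
}

/* One SSL_CHECK-style probe: non-blocking SSL_connect() returned -1 because
 * the server hello has not arrived yet. Returns the code the checker acts on. */
static int probe_pending_handshake(int clear_first) {
    if (clear_first) model_err_clear();     /* clear the queue before the SSL_* call */
    return model_ssl_get_error(-1, 1);
}

int main(void) {
    /* A previous check in the same thread failed and left its error behind. */
    model_err_put(ERR_LIB_SSL, 134);        /* constructed reason code */
    printf("stale queue:   %d  (SSL_ERROR_SSL: check wrongly marked failed)\n", probe_pending_handshake(0));
    printf("cleared first: %d  (SSL_ERROR_WANT_READ: keep waiting)\n", probe_pending_handshake(1));
    return 0;
}
```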
Acknowledgement sent to Vincent Bernat <[email protected]>: Extra info received and forwarded to list. Copy sent to Vincent Bernat <[email protected]>. (Wed, 04 Oct 2023 09:39:03 GMT)
Hello Pavel,
I'd be more comfortable if you submitted this patch upstream first.
On 2023-09-25 12:48, Pavel Matěja wrote:
> Package: keepalived
> Version: 1:2.2.7-1
>
> I'm upgrading our servers from Bullseye to Bookworm. Some of them act as load balancers using keepalived.
> Right now I have one Bullseye and one Bookworm with the same configuration checking the same services.
> Several of our services are running on HTTPS therefore I'm using SSL_CHECK.
> I can see that the Bookworm one occasionally fails SSL_CHECK for several seconds on one service while the
> Bullseye does not report any problem at all.
> It's quite rare - not even once per hour with 2s loop delay.
>
> I was looking for a possible reason and I've found
> https://github.com/openssl/openssl/issues/20365
> https://github.com/pjsip/pjproject/issues/3632
> https://stackoverflow.com/questions/18179128/how-to-manage-the-error-queue-in-openssl-ssl-get-error-and-err-get-error
>
> They are all basically saying that you can have multiple SSL errors left in error queue and you are supposed to
> run ERR_get_error() before calling SSL_* functions.
>
> I've tried to patch keepalived sources (see attachment) and the problem seems to disappear.
>
> I have no idea why the Bullseye package is unaffected. It might be related to a different OpenSSL version.
>
> What do you think about this?
>
> --
> Pavel Matěja
>