Bug 1880436

Summary: Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: rsyslog
Assignee: Radovan Sroka <rsroka>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 7.8
CC: dapospis, rsroka, sbroz, tjaros
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Last Closed: 2020-10-12 10:26:16 UTC

Description Renaud Métrich 2020-09-18 14:15:56 UTC
This bug was initially created as a copy of Bug #1880434

I am copying this bug because: 

Initially found on RHEL7

Description of problem:

Some TLS servers don't reply to graceful shutdown requests "for optimization".
This results in rsyslog's omfwd+gtls client waiting forever for a reply from the TLS server which never comes, due to shutting down the connection with gnutls_bye(GNUTLS_SHUT_RDWR).

Commands such as "systemctl restart rsyslog" just hang for 1m30 and rsyslogd gets killed upon timeout by systemd.

The hang can be reproduced at will when sending the logs to a Kiwi Syslog server, which apparently doesn't send the TLS reply upon connection termination request.

This is a request to backport PR https://github.com/rsyslog/rsyslog/pull/4424.


Version-Release number of selected component (if applicable):

rsyslog-8


How reproducible:

Always with a Kiwi backend but I don't have this to test myself.


Steps to Reproduce:
1. Stop rsyslog

Actual results:

systemd kills rsyslogd after 1min30

Expected results:

no killing
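
The difference between the two shutdown modes named in the description, as an added example that is not part of the original report or of rsyslog's code. It makes no GnuTLS calls: `model_bye`, `run_case`, `BYE_WR` and `BYE_RDWR` are hypothetical names, the close_notify alert is sent unencrypted over a socketpair, and the poll timeout stands in for systemd's stop timeout.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-ins for GNUTLS_SHUT_WR / GNUTLS_SHUT_RDWR. */
enum bye_mode { BYE_WR, BYE_RDWR };

/* TLS alert record: type 21 (alert), version 3.3, length 2,
 * level 1 (warning), description 0 (close_notify). Constructed, unencrypted. */
static const unsigned char CLOSE_NOTIFY[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00 };

/* Returns 0 on completed shutdown, 1 if the peer stayed silent, -1 on error. */
int model_bye(int fd, enum bye_mode mode, int timeout_ms)
{
    if (write(fd, CLOSE_NOTIFY, sizeof CLOSE_NOTIFY) != (ssize_t)sizeof CLOSE_NOTIFY)
        return -1;
    if (mode == BYE_WR)
        return 0;              /* write side closed; do not wait for the peer */

    /* RDWR: wait for the peer's own close_notify (or EOF). */
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int r = poll(&p, 1, timeout_ms);
    if (r < 0) return -1;
    if (r == 0) return 1;      /* silent peer: without a timeout this blocks forever */
    unsigned char buf[sizeof CLOSE_NOTIFY];
    return read(fd, buf, sizeof buf) >= 0 ? 0 : -1;
}

/* One shutdown against a peer that either answers or keeps the socket open silently. */
int run_case(enum bye_mode mode, int peer_replies, int timeout_ms)
{
    int sv[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    /* Simplification: a replying peer's close_notify is queued up front. */
    if (!peer_replies || write(sv[1], CLOSE_NOTIFY, sizeof CLOSE_NOTIFY) > 0)
        rc = model_bye(sv[0], mode, timeout_ms);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("RDWR, replying peer: %d\n", run_case(BYE_RDWR, 1, 200));
    printf("RDWR, silent peer:   %d\n", run_case(BYE_RDWR, 0, 200));
    printf("WR,   silent peer:   %d\n", run_case(BYE_WR, 0, 200));
    return 0;
}
```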

Comment 2 Renaud Métrich 2020-09-18 14:18:05 UTC
A workaround is to tune the rsyslog.service unit to let systemd kill it after 10 seconds instead of the regular 1m30 timeout.

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# mkdir -p /etc/systemd/system/rsyslog.service.d
# cat > /etc/systemd/system/rsyslog.service.d/bz1880436.conf << EOF
[Service]
TimeoutStopSec=10s
EOF

# systemctl daemon-reload
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This cannot be considered as a Solution since the journal will contain error messages due to killing the unit.

Comment 3 Renaud Métrich 2020-09-28 15:59:41 UTC
Please also add PR https://github.com/rsyslog/librelp/pull/220 (for omrelp)