Bug 1880436 - Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
Summary: Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rsyslog
Version: 7.8
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Radovan Sroka
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2020-09-18 14:15 UTC by Renaud Métrich
Modified: 2020-10-12 10:26 UTC
CC: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-12 10:26:16 UTC
Target Upstream Version:


External trackers:
- GitHub rsyslog/librelp pull 220 (closed): gnutls "bugfix": handle receives who break connection on close (last updated 2020-10-22 10:05:14 UTC)
- GitHub rsyslog/rsyslog pull 4424 (closed): Replace GNUTLS_SHUT_RDWR by GNUTLS_SHUT_WR when ending TLS connections (last updated 2020-10-22 10:05:14 UTC)
- Red Hat Knowledge Base (Solution) 5417021 (last updated 2020-09-18 15:15:19 UTC)

Description Renaud Métrich 2020-09-18 14:15:56 UTC
This bug was initially created as a copy of Bug #1880434

I am copying this bug because: 

Initially found on RHEL7

Description of problem:

Some TLS servers don't reply to graceful shutdown requests "for optimization".
This results in rsyslog's omfwd+gtls client waiting forever for a reply from the TLS server which never comes, due to shutting down the connection with gnutls_bye(GNUTLS_SHUT_RDWR).

Commands such as "systemctl restart rsyslog" just hang for 1m30 and rsyslogd gets killed upon timeout by systemd.

The hang can be reproduced at will when sending the logs to a Kiwi Syslog server, which apparently doesn't send the TLS reply upon connection termination request.

This is a request to backport PR https://github.com/rsyslog/rsyslog/pull/4424.

Version-Release number of selected component (if applicable):


How reproducible:

Always with a Kiwi backend but I don't have this to test myself.

Steps to Reproduce:
1. Stop rsyslog

Actual results:

systemd kills rsyslogd after 1min30

Expected results:

no killing
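The two shutdown modes the description contrasts, as an added Go example that is not rsyslog's, librelp's or GnuTLS's code. Go's crypto/tls stands in for GnuTLS: CloseWrite() sends the close_notify alert, and a Read() that then waits for the peer's close_notify (io.EOF) reproduces what gnutls_bye(GNUTLS_SHUT_RDWR) does, while CloseWrite() followed by Close() is the GNUTLS_SHUT_WR behaviour PR 4424 switches to. The server, its self-signed certificate, the syslog record and the wait parameter (standing in for systemd's 1m30 stop timeout) are all constructed here; the silent server models the behaviour the report attributes to Kiwi, not Kiwi itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// ErrPeerSilent: the peer never answered our close_notify (the hang from the report).
var ErrPeerSilent = errors.New("peer did not answer close_notify")

// selfSignedCert makes a throwaway self-signed certificate for 127.0.0.1 in memory
// (a fixture for this example, not a real PKI).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-syslog-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so this parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startServer serves one TLS connection: it drains the client's records and, once the
// client's close_notify arrives (Read returns io.EOF), either answers with its own
// close_notify or, like the server in the report, stays silent for hold before closing.
func startServer(cert tls.Certificate, replyCloseNotify bool, hold time.Duration) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		buf := make([]byte, 4096)
		for {
			if _, err := conn.Read(buf); err != nil {
				break // io.EOF: the client's close_notify was seen
			}
		}
		if !replyCloseNotify {
			time.Sleep(hold) // say nothing back; the client is left waiting
		}
		conn.Close() // sends close_notify (if the socket is still up) and closes TCP
	}()
	return ln, nil
}

// byeRDWR mirrors gnutls_bye(GNUTLS_SHUT_RDWR): send close_notify, then block until the
// peer's close_notify arrives. wait stands in for systemd's stop timeout, so a silent
// peer yields ErrPeerSilent here instead of an open-ended hang.
func byeRDWR(conn *tls.Conn, wait time.Duration) error {
	defer conn.Close()
	if err := conn.CloseWrite(); err != nil {
		return err
	}
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err := conn.Read(make([]byte, 1))
	if errors.Is(err, io.EOF) {
		return nil // peer answered: clean bidirectional shutdown
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return ErrPeerSilent
	}
	return err
}

// byeWR mirrors gnutls_bye(GNUTLS_SHUT_WR), which the PR switches to: send close_notify
// and close the socket without waiting for the peer at all.
func byeWR(conn *tls.Conn) error {
	defer conn.Close()
	return conn.CloseWrite()
}

// shutdownAgainst runs one client against a server with the given behaviour: it sends
// one constructed RFC 5424 record, closes with byeWR or byeRDWR, and reports how long
// the shutdown took and what it returned.
func shutdownAgainst(replyCloseNotify, useWR bool, wait time.Duration) (time.Duration, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	ln, err := startServer(cert, replyCloseNotify, 4*wait)
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf) // pin the server certificate as the only trusted root
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"})
	if err != nil {
		return 0, err
	}
	if _, err = conn.Write([]byte("<13>1 2020-09-18T14:15:56Z host rsyslogd - - - example record\n")); err != nil {
		return 0, err
	}
	start := time.Now()
	if useWR {
		err = byeWR(conn)
	} else {
		err = byeRDWR(conn, wait)
	}
	return time.Since(start), err
}

func main() {
	for _, c := range [][2]bool{{true, false}, {false, false}, {false, true}} {
		took, err := shutdownAgainst(c[0], c[1], 500*time.Millisecond)
		fmt.Printf("peer replies=%-5v SHUT_WR=%-5v took %-6v err=%v\n", c[0], c[1], took.Round(time.Millisecond), err)
	}
}
```

Against a silent peer, byeRDWR spends the whole wait before giving up, which is the 1m30 hang that systemd then ends with SIGKILL; byeWR returns at once because it never waits for the peer. What the client gives up with SHUT_WR is confirmation that the peer saw its close_notify, which a log sender about to drop the socket anyway does not need.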

Comment 2 Renaud Métrich 2020-09-18 14:18:05 UTC
A workaround is to tune rsyslog.service unit to let systemd kill it after 10 seconds instead of regular 1m30 timeout.

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# mkdir -p /etc/systemd/system/rsyslog.service.d
# cat > /etc/systemd/system/rsyslog.service.d/bz1880436.conf << EOF
[Service]
# drop-in body reconstructed from the sentence above: stop timeout of 10 s instead of the 1m30 default
TimeoutStopSec=10
EOF
# systemctl daemon-reload
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This cannot be considered as a Solution since the journal will contain error messages due to killing the unit.

Comment 3 Renaud Métrich 2020-09-28 15:59:41 UTC
Please also add PR https://github.com/rsyslog/librelp/pull/220 (for omrelp)
