Describe the bug
The Fluentd in_forward plugin is spamming logs (~23 messages per second) when a client with old (e.g. rotated) SSL certificates is trying to connect. These log messages, however, do not contain any useful information to find out which client is broken.
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept SYSCALL returned=5 errno=0 state=SSLv3/TLS write server done"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept SYSCALL returned=5 errno=0 state=SSLv3/TLS write server done"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept SYSCALL returned=5 errno=0 state=SSLv3/TLS write server done"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #0 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: sslv3 alert bad certificate"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
2021-03-31 08:08:58 +0000 [warn]: #1 unexpected error before accepting TLS connection by OpenSSL error_class=OpenSSL::SSL::SSLError error="SSL_accept returned=1 errno=0 state=error: tlsv1 alert unknown ca"
To Reproduce
Expected behavior
- log message should tell which client is misconfigured (at least IP address)
- ideally it should reduce log count or block the client
Your Environment
Your Configuration
<source>
  @type forward
  port 24224
  bind 0.0.0.0
  source_address_key _forward_source_address
  source_hostname_key _forward_source_hostname
  <transport tls>
    version TLSv1_2
    cert_path /secrets/identity/server.crt
    private_key_path /secrets/identity/server.key
    ca_path /secrets/identity/client_ca_with_fluent.crt
    client_cert_auth true
  </transport>
</source>
Your Error Log
Additional context
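A sketch of the two behaviours requested under "Expected behavior", added here as an illustration and not taken from Fluentd's code: the peer address is read from the TCP socket before the TLS handshake so a failure can be attributed, and repeated failures from the same peer are collapsed into one line per interval. The names `HandshakeFailureLog` and `accept_tls` and the 60-second interval are assumptions.

```ruby
require "socket"
require "openssl"

# Hypothetical helper: at most one warning per peer per interval,
# with a count of the warnings that were suppressed in between.
class HandshakeFailureLog
  attr_reader :lines

  def initialize(interval: 60)
    @interval = interval
    @state = {}  # peer address => [time of last emitted line, suppressed count]
    @lines = []  # emitted lines (stands in for the real logger)
  end

  # Returns the emitted line, or nil when the event was suppressed.
  def record(peer, error, now: Time.now)
    last, suppressed = @state[peer]
    if last && now - last < @interval
      @state[peer] = [last, suppressed + 1]
      return nil
    end
    msg = "TLS handshake failed peer=#{peer} " \
          "error_class=#{error.class} error=#{error.message.inspect}"
    msg += " suppressed=#{suppressed}" if suppressed.to_i > 0
    @state[peer] = [now, 0]
    @lines << msg
    msg
  end
end

# Accept one connection. The peer address comes from the plain TCP socket,
# so it is known even when SSL_accept fails (bad certificate, unknown CA,
# a non-TLS client, or a peer that drops the connection mid-handshake).
def accept_tls(tcp_server, ssl_context, log)
  sock = tcp_server.accept
  peer = sock.remote_address.ip_address
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ssl_context)
  ssl.accept
  ssl
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
  log.record(peer, e) if peer
  sock&.close
  nil
end
```

With `client_cert_auth true`, the context passed in would also set `verify_mode` to `VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT`; the attribution logic is the same for any handshake failure.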