wget reset https connection when tls response server hello

Question

wget reset https connection when tls response server hello

mYu4N opened this issue 2 years ago · comments

mYu4N commented 2 years ago

Background:

Using busybox as init containers with commands as below, the wget failed.
args:
wget -O /agent-dir/agent.zip https://infc.oss-cn-haal..com/agent/adm****ent/agent-2.7.0.zip

errorlog ex:

wget https://www.baidu.com

Connecting to www.baidu.com (180.97.34.96:443)
wget: note: TLS certificate validation not implemented
wget: error getting response: Connection reset by peer

Env:

busybox image version ：latest (2023.1.10 1.36.0)
wget -v
wget: invalid option -- 'v'
BusyBox v1.36.0 (2023-01-03 22:42:57 UTC) multi-call binary.

Issue :

in the scenario of https communitation, the wget client sends "finack" and closes the connection before a "server hello" arrives. Refer to the tcpdump traces
as below

Workaround:

Replace image version to 1.34.0, it works

mYu4N · Answer 1 · Wed Jan 11 2023 11:16:09 GMT+0800 (China Standard Time)

like this issue：
wurstmeister/kafka-docker#487

linuxkit/linuxkit#193

i hope busybox fix it

kstack:
[2023-01-10 17:34:26.893488 ] [4026532314] b'nil' 000000000000 T_ACK,RST:10.246.0.198:60674->59.110.185.4:443 ffff974ef8a31400.0:b'ip_output'
b'ip_output+0x1'
b'__ip_queue_xmit+0x196'
b'__tcp_transmit_skb+0x89b'
b'tcp_send_active_reset+0xf5'
b'tcp_close+0x13d'
b'inet_release+0x42'
b'__sock_release+0x3d'
b'sock_close+0x11'
b'__fput+0x96'
b'task_work_run+0x5c'
b'do_exit+0x228'
b'do_group_exit+0x33'
b'get_signal+0x152'
b'arch_do_signal+0x2a'
b'exit_to_user_mode_loop+0x8d'
b'exit_to_user_mode_prepare+0x6e'
b'irqentry_exit_to_user_mode+0x5'
b'asm_exc_invalid_op+0x12'

mYu4N · Answer 2 · Fri Jan 13 2023 14:32:27 GMT+0800 (China Standard Time)

resvq Accumulation，so，when close socket send reset
1.36.0 busybox ca-cert is wrong

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 1 10.246.0.201:53942 180.97.34.96:443 SYN_SENT 3502234/wget
tcp 0 110 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED -
tcp 0 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget
tcp 5248 0 10.246.0.201:53942 180.97.34.96:443 ESTABLISHED 3502242/wget