yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)

Home Page: https://www.rutschle.net/tech/sslh/README.html

sslh-select is timing out and giving a getpeername error "Bad file descriptor"

dm9bbadd4 opened this issue · comments

SSLH version 1.22

This is the error I'm getting when I try to access a webapp I am proxying through Nginx:

Aug 17 18:49:54 bigboyserver sslh[33956]: common.c:323:getpeername:9:Bad file descriptor
Aug 17 18:49:54 bigboyserver sslh[33956]: closing fd 0
Aug 17 18:49:54 bigboyserver sslh[33956]: timed out, connect to timeout
Aug 17 18:49:54 bigboyserver sslh[33956]: Inconsistent probing: cnx=abba7af0p
Aug 17 18:49:54 bigboyserver sslh[33956]: Inconsistent probing: state=-1413842192
Aug 17 18:49:54 bigboyserver sslh[33956]: common.c:323:getpeername:9:Bad file descriptor
Aug 17 18:49:54 bigboyserver systemd[1]: sslh.service: Main process exited, code=exited, status=1/FAILURE
Aug 17 18:49:54 bigboyserver sslh[33956]: Inconsistent probing: cnx=abba7af0p
Aug 17 18:49:54 bigboyserver systemd[1]: sslh.service: Failed with result 'exit-code'.
Aug 17 18:49:54 bigboyserver sslh[33956]: Inconsistent probing: state=-1413842192

This is my sslh.cfg:

timeout: 5;
user: "sslh";
pidfile: "/var/run/sslh.pid";
foreground: true;
verbose: 3;
inetd: false;

#verbose-config: 7; #  print configuration at startup
#verbose-config-error: 7;  # print configuration errors
#verbose-connections: 7; # trace established incoming address to forward address
#verbose-connections-error: 7; # connection errors
#verbose-connections-try: 0; # connection attempts towards targets
#verbose-fd: 0; # file descriptor activity, open/close/whatnot
#verbose-packets: 0; # hexdump packets on which probing is done
#verbose-probe-info: 7; # what's happening during the probe process
#verbose-probe-error: 7; # failures and problems during probing
#verbose-system-error: 7; # system call problem, i.e.  malloc, fork, failing
#verbose-int-error: 7; # internal errors, the kind that should never happen

logfile: "/config/sslh.log";

listen:
(
    { host: "0.0.0.0"; port: "443"; },
    { host: "0.0.0.0"; is_udp: true; port: "443"; }
);

protocols:
(
     { name: "ssh"; service: "ssh"; host: "localhost"; keepalive: true; port: "22"; fork: true; },
     { name: "tls"; host: "localhost"; port: "441"; },
     { name: "openvpn"; host: "0.0.0.0"; is_udp: true; port: "1194"; },
     { name: "anyprot"; host: "localhost"; port: "400"; },
     { name: "timeout"; host: "localhost"; port: "441"; }
);

on-timeout: "timeout";

I've scanned through all the documentation and perused a few issues but I can't seem to fix the error. I think it might have something to do with libwrap, as I saw that getpeername is part of that. If I use sslh-fork then there are no problems at all, but I need to use sslh-select so that I can "listen" on UDP for openvpn.

It looks more likely to be the getpeername() in common.c:connect_addr().
I suppose it could happen if the connection has been lost between the accept() and this call, which could happen on a server with a lot of load or lots of connections.
Two things bother me though:

  • it should just drop that connection and keep on working. The messages about "inconsistent probing" suggest memory corruption or some error in the logic of the program.
  • I'm confused that the date between the call to getpeername() and the timed out message is the same, and that the timed out message comes after.

To move forward:

  • can you try it with sslh-ev? It has a somewhat different logic and also supports UDP
  • can you enable all the verbose options, and post more of the backtrace so we can see what's happening earlier?
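The reply above separates two outcomes that look alike in a log line: a peer that disappeared between accept() and getpeername(), which a multiplexer should drop and move past, and a descriptor that is not open at all. The errno in the log is 9, which on Linux is EBADF: the kernel is saying the fd number is not an open descriptor, not that the peer went away (a lost peer yields ENOTCONN or ECONNRESET). The following is an added example, not sslh's own code, showing a select()-style loop that makes that distinction and keeps running in both cases; the function names (classify_peer, drain_ready, the demo_* helpers) and the constructed socketpair/closed-fd scenarios are assumptions of this example.

```c
/* Added example (not sslh's code): classify getpeername() failures after
 * accept() so an event loop drops a dead connection instead of exiting.
 * On Linux EBADF == 9, the errno shown in the log above. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

enum peer_status {
    PEER_OK,      /* connected; address filled in */
    PEER_GONE,    /* peer vanished between accept() and here: drop quietly */
    PEER_BAD_FD,  /* fd is not open at all: the connection bookkeeping is wrong */
    PEER_OTHER    /* some other failure */
};

/* Wrap getpeername() and map errno to an action for the event loop. */
enum peer_status classify_peer(int fd, struct sockaddr_storage *ss)
{
    socklen_t len = sizeof *ss;
    memset(ss, 0, sizeof *ss);
    if (getpeername(fd, (struct sockaddr *)ss, &len) == 0)
        return PEER_OK;
    switch (errno) {
    case ENOTCONN:
    case ECONNRESET:
        return PEER_GONE;
    case EBADF:
        return PEER_BAD_FD;
    default:
        return PEER_OTHER;
    }
}

/* Event-loop fragment: for the fds select() flagged, keep only those whose
 * peer is still there. Returns how many survived. A stale fd number is an
 * internal error: it is logged and its entry discarded, but the process
 * neither exit()s nor close()s a number it does not own. */
int drain_ready(int *fds, int n)
{
    int kept = 0;
    for (int i = 0; i < n; i++) {
        struct sockaddr_storage ss;
        switch (classify_peer(fds[i], &ss)) {
        case PEER_OK:
            kept++;
            break;
        case PEER_GONE:
            close(fds[i]);
            fds[i] = -1;
            break;
        case PEER_BAD_FD:
            fprintf(stderr, "internal error: fd %d is not open (EBADF); "
                            "dropping connection entry\n", fds[i]);
            fds[i] = -1;  /* nothing to close: the number may belong to someone else */
            break;
        case PEER_OTHER:
            fprintf(stderr, "getpeername(%d): %s\n", fds[i], strerror(errno));
            close(fds[i]);
            fds[i] = -1;
            break;
        }
    }
    return kept;
}

/* Constructed scenarios for each outcome; no network needed. */
enum peer_status demo_connected(void)
{
    int sv[2];
    struct sockaddr_storage ss;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return PEER_OTHER;
    enum peer_status st = classify_peer(sv[0], &ss);  /* PEER_OK */
    close(sv[0]);
    close(sv[1]);
    return st;
}

enum peer_status demo_unconnected(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);  /* open but never connected */
    struct sockaddr_storage ss;
    enum peer_status st = classify_peer(fd, &ss);  /* ENOTCONN -> PEER_GONE */
    close(fd);
    return st;
}

enum peer_status demo_closed_fd(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_storage ss;
    close(fd);                       /* stale number, like the log's errno 9 */
    return classify_peer(fd, &ss);   /* EBADF -> PEER_BAD_FD */
}

int demo_drain(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int idle = socket(AF_INET, SOCK_STREAM, 0);  /* created before 'dead' is closed */
    int dead = socket(AF_INET, SOCK_STREAM, 0);
    close(dead);                                 /* so its number is not reused here */
    int fds[3] = { sv[0], dead, idle };
    int kept = drain_ready(fds, 3);              /* only sv[0] has a peer: 1 */
    close(sv[0]);
    close(sv[1]);
    return kept;
}

int main(void)
{
    printf("connected=%d unconnected=%d closed=%d kept=%d\n",
           demo_connected(), demo_unconnected(), demo_closed_fd(), demo_drain());
    return 0;
}
```

The practical check when reading such a log: ENOTCONN after accept() is a race a busy server will see and is harmless if the connection is dropped; EBADF means the fd stored for that connection was never valid or was already closed, which is a bookkeeping fault in the caller rather than anything the peer did.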

Thanks for the advice, sslh-ev worked, do you still want the logs?

If you don't mind, yes, I'd like to investigate if there is something nefarious in sslh-select...