[CORE-8754] Handle new TLS error codes #24749

@michael-redpanda michael-redpanda commented Jan 9, 2025

Implement changes in Redpanda to handle new TLS error codes added by redpanda-data/seastar#166.

These error codes provide more specificity about why connections failed to establish TLS connections.

When a non-TLS connection attempts to connect and send data to a Redpanda TLS-enabled endpoint, OpenSSL may report different error codes depending on what it sees on the incoming packet:

  • ERROR_WRONG_VERSION_NUMBER - reported when OpenSSL inspects the packet expecting to see a known TLS version but the one it sees is unknown. This is distinct from seeing an unsupported version.
  • ERROR_HTTP_REQUEST - similar to ERROR_WRONG_VERSION_NUMBER, however in this situation, the packet starts with a known HTTP verb (e.g. GET, or POST, etc).
  • ERROR_HTTPS_PROXY_REQUEST - like ERROR_HTTP_REQUEST, however the packet starts with CONNE

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v24.3.x
  • v24.2.x
  • v24.1.x

Release Notes

Improvements

  • Improved TLS connection related error messages

Seastar now reports new error codes for certain TLS connection issues:

* `ERROR_WRONG_VERSION_NUMBER`
* `ERROR_HTTP_REQUEST`
* `ERROR_HTTPS_PROXY_REQUEST`

Signed-off-by: Michael Boquard <michael@redpanda.com>

When a non-TLS connection attempts to connect and send data to a Redpanda
TLS-enabled endpoint, OpenSSL may report different error codes depending on
what it sees on the incoming packet:

* `ERROR_WRONG_VERSION_NUMBER` - reported when OpenSSL inspects the packet
  expecting to see a known TLS version but the one it sees is unknown.
  This is distinct from seeing an unsupported version.
* `ERROR_HTTP_REQUEST` - similar to `ERROR_WRONG_VERSION_NUMBER`, however in
  this situation, the packet starts with a known HTTP verb (e.g. `GET`, or
  `POST`, etc).
* `ERROR_HTTPS_PROXY_REQUEST` - like `ERROR_HTTP_REQUEST`, however the
  packet starts with `CONNE`

Signed-off-by: Michael Boquard <michael@redpanda.com>
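The three outcomes described in the PR and commit messages above are decided by OpenSSL from the first five bytes of the first record it reads: if the record "version" byte is not the 0x03 shared by SSL 3.0 through TLS 1.3, it sniffs for an HTTP verb or `CONNE` and otherwise reports a wrong version number. The script below is an added example, not Redpanda or Seastar code: it mirrors that first-record check in pure Python, then hands the same constructed payloads to a real OpenSSL server object through the `ssl` module's memory BIOs so the reason mnemonic OpenSSL actually raises can be compared with the mirror. The `SEASTAR_CODE` mapping from OpenSSL reason names to the `ERROR_*` names is assumed from the PR text, and every sample payload (a plaintext HTTP request, an HTTP proxy `CONNECT`, a plaintext Kafka request frame, a TLS record header) is constructed here.

```python
"""Reproduce the OpenSSL first-record errors a plaintext client triggers
against a TLS listener.  Added example; not Redpanda or Seastar code."""
import ssl
from typing import Dict, Optional, Tuple

# OpenSSL runs the HTTP/CONNECT sniff only on the very first record and only
# when the record "version" byte is not the SSL3/TLS major version 0x03.
TLS_MAJOR = 0x03
RECORD_HEADER_LEN = 5                      # type(1) + version(2) + length(2)
HTTP_VERBS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
PROXY_PREFIX = b"CONNE"                    # first five bytes of "CONNECT ..."

# Assumed mapping to the Seastar names quoted in the PR description.
SEASTAR_CODE = {
    "HTTP_REQUEST": "ERROR_HTTP_REQUEST",
    "HTTPS_PROXY_REQUEST": "ERROR_HTTPS_PROXY_REQUEST",
    "WRONG_VERSION_NUMBER": "ERROR_WRONG_VERSION_NUMBER",
}

# Constructed sample payloads: the first bytes a few kinds of client send.
SAMPLES = {
    "plaintext HTTP GET": b"GET / HTTP/1.1\r\nHost: broker:9092\r\n\r\n",
    "plaintext HTTP POST": b"POST /login HTTP/1.1\r\nContent-Length: 0\r\n\r\n",
    "HTTP proxy CONNECT": b"CONNECT broker:9092 HTTP/1.1\r\n\r\n",
    # Kafka frame: 4-byte size, then ApiKey, ApiVersion, CorrelationId.
    "plaintext Kafka client": b"\x00\x00\x00\x20\x00\x12\x00\x04\x00\x00\x00\x01",
    # TLS record header (handshake, version 3.1, 64-byte body) plus a partial body.
    "TLS ClientHello header": b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c",
}


def classify_first_record(data: bytes) -> str:
    """Pure-Python mirror of OpenSSL's check on the first record header.
    Returns the OpenSSL reason mnemonic, or a non-error marker."""
    if len(data) < RECORD_HEADER_LEN:
        return "NEED_MORE"                 # OpenSSL waits for the 5 header bytes
    if data[1] == TLS_MAJOR:
        return "LOOKS_LIKE_TLS"            # version check passes; negotiation is later
    if data.startswith(HTTP_VERBS):
        return "HTTP_REQUEST"
    if data.startswith(PROXY_PREFIX):
        return "HTTPS_PROXY_REQUEST"
    return "WRONG_VERSION_NUMBER"


def openssl_reason(data: bytes) -> str:
    """Feed the bytes to a real OpenSSL server object via memory BIOs and
    return the reason mnemonic it raises.  No certificate is loaded on
    purpose: these checks run on the record header, before one is needed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = ctx.wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(data)
    try:
        server.do_handshake()
    except ssl.SSLWantReadError:
        return "WANT_READ"                 # header accepted, more bytes needed
    except ssl.SSLError as exc:
        return exc.reason or "UNKNOWN"
    return "HANDSHAKE_COMPLETE"


def seastar_code(data: bytes) -> Optional[str]:
    """Seastar-style name for the failure, or None when the bytes may be TLS."""
    return SEASTAR_CODE.get(classify_first_record(data))


def compare_all() -> Dict[str, Tuple[str, str]]:
    """Run every sample through both paths: (pure-Python mirror, real OpenSSL)."""
    return {name: (classify_first_record(p), openssl_reason(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (mirror, real) in compare_all().items():
        print(f"{name:24s} mirror={mirror:22s} openssl={real:22s} "
              f"seastar={SEASTAR_CODE.get(mirror)}")
```

Two caveats are visible in the output. The sniff only covers the four verbs and `CONNE`, so a plaintext Kafka client is reported as a wrong version number rather than anything Kafka-specific; and a plaintext frame whose second byte happens to be 0x03 passes the record-layer version check and fails later, during ClientHello parsing, with a different reason. The `TLS ClientHello header` sample shows the other side of the distinction the PR draws: a recognised TLS version is not rejected at the record layer at all, OpenSSL simply asks for more bytes.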
@michael-redpanda michael-redpanda requested a review from a team January 9, 2025 18:20
@michael-redpanda michael-redpanda self-assigned this Jan 9, 2025
@michael-redpanda michael-redpanda requested review from IoannisRP and BenPope and removed request for a team January 9, 2025 18:20
@vbotbuildovich

CI test results

test results on build#60527
| test_id | test_kind | job_url | test_status | passed |
| --- | --- | --- | --- | --- |
| rm_stm_tests_rpunit.rm_stm_tests_rpunit | unit | https://buildkite.com/redpanda/redpanda/builds/60527#01944c4e-2f66-464f-8e00-6b71358e6297 | FLAKY | 1/2 |
| rptest.tests.partition_reassignments_test.PartitionReassignmentsTest.test_reassignments_kafka_cli | ducktape | https://buildkite.com/redpanda/redpanda/builds/60527#01944ca6-a8a6-418c-8027-b4fe017523d2 | FLAKY | 1/6 |

@michael-redpanda michael-redpanda merged commit 589701f into redpanda-data:dev Jan 9, 2025
19 checks passed
@vbotbuildovich

/backport v24.3.x

@vbotbuildovich

/backport v24.2.x

@vbotbuildovich

Failed to create a backport PR to v24.3.x branch. I tried:

git remote add upstream https://github.com/redpanda-data/redpanda.git
git fetch --all
git checkout -b backport-pr-24749-v24.3.x-598 remotes/upstream/v24.3.x
git cherry-pick -x ad6d50c0bd 0803e0d920

Workflow run logs.

@vbotbuildovich

Failed to create a backport PR to v24.2.x branch. I tried:

git remote add upstream https://github.com/redpanda-data/redpanda.git
git fetch --all
git checkout -b backport-pr-24749-v24.2.x-473 remotes/upstream/v24.2.x
git cherry-pick -x ad6d50c0bd 0803e0d920

Workflow run logs.
