How to reduce 'ssl handshake failed' logging

Brian Stevenson brianstevenson at gmail.com
Fri Nov 1 20:34:11 UTC 2024


We have Unbound (1.20.0, 1.22.0) set up behind an AWS Global Accelerator
with Unbound configured for DNS over TLS.  An AWS Global Accelerator or NLB
does health checks over TCP or HTTPS and doesn't complete an SSL handshake,
which leads to Unbound logging the below output for every check. Since this
is a mesh over Global Accelerators, this leads to excessive logging at
`verbosity: 1`.

```
[1730485388] unbound[1:2] error: ssl handshake failed: channel closed
[1730485388] unbound[1:2] notice: ssl handshake failed <source address>
port <source port>
```

This can also be reproduced with netcat against any Unbound server running
TLS on 443 or 853, etc.
Client:
```
nc -v -z -t localhost 443
Connection to localhost port 443 [tcp/https] succeeded!
```
Server:
```
[1730485388] unbound[1:2] error: ssl handshake failed: channel closed
[1730485388] unbound[1:2] notice: ssl handshake failed 127.0.0.1 port 59712
```

This logs at `verbosity: 1`. Is there any way to not log `ssl handshake
failed` messages, or to only log them at a higher verbosity? Or is there
anything I might have misconfigured? I could see a simple port scan causing
this issue as well.

We're upgrading from `1.13.2` and did observe these messages in `1.13.2`.

In the meantime I'll work on a separate health check option, but I wanted
to bring this up as it'd be nice to health check the port the service is
running on.

Thanks,
Brian
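The netcat reproduction above closes the TCP connection before any ClientHello is sent, which is exactly what Unbound reports as `ssl handshake failed: channel closed`. A health check that completes the TLS handshake, sends a real DNS query and then shuts the session down cleanly never produces that line. The following is an added example of such a check, written for this page; it is not code from the original post or from the Unbound project. It assumes the listener speaks DNS over TLS (RFC 7858 TCP framing inside TLS, as on port 853, not DoH on 443), that `HOST`, `PORT`, the `ca_file` and the `qname` are supplied by the operator, and it uses only the Python standard library.

```python
"""Probe a DNS-over-TLS listener by completing the TLS handshake and
sending a real query, so the server never sees a bare TCP connect.

Added example for this thread, not Unbound's own code.  Assumed
parameters: host/port of the DoT listener, an optional CA file for the
server certificate, and a query name the resolver will answer.
"""
import secrets
import socket
import ssl
import struct
import sys


def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query (RD=1, one question) with the 2-byte
    length prefix that TCP and DoT framing require."""
    if txid is None:
        txid = secrets.randbits(16)
    # ID, FLAGS (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
        if label
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def parse_response(frame, expected_txid):
    """Validate a length-prefixed DNS response frame and return the header
    fields a health check cares about.  Any RCODE counts as 'the resolver
    answered'; only a missing or mismatched response is a failure."""
    if len(frame) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack("!H", frame[:2])
    body = frame[2:2 + length]
    if len(body) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", body[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: frame is not a response")
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
        "truncated": bool(flags & 0x0200),
    }


def recv_exact(sock, n):
    """Read exactly n bytes or raise; DoT frames may arrive in pieces."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full frame arrived")
        buf += chunk
    return bytes(buf)


def dot_health_check(host, port=853, qname="health.example.",
                     ca_file=None, verify=True, timeout=3.0):
    """Complete a TLS handshake, send one query, read the reply and shut
    the session down with close_notify.  Returns the parsed header."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify:  # e.g. a self-signed cert on an internal probe target
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    txid = secrets.randbits(16)
    query = build_query(qname, txid=txid)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(query)
            prefix = recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            body = recv_exact(tls, length)
            result = parse_response(prefix + body, txid)
            try:
                tls.unwrap()  # orderly TLS shutdown, not a bare TCP close
            except (OSError, ssl.SSLError):
                pass  # peer may already have closed; the check has passed
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(dot_health_check(target, verify=False))
```

Point the load balancer's health check at a small HTTP endpoint that runs this probe, rather than at a raw TCP check of 853, so that the check exercises the same TLS listener clients use without each probe appearing in Unbound's log as a failed handshake. `verify=False` is only appropriate on an internal probe; a public-facing check should pass the CA that issued the listener's certificate.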

