Fixed in DD OS version 6.1.1.1.

DD Boost protocol connection failures may be observed in DD OS version 6.1 and DDVE version 3.1 when two-way-password authentication is used with multiple connections in parallel. The issue is not observed before DD OS 6.1 because the DD Boost two-way-password authentication method was first introduced in DD OS version 6.1 and DDVE 3.1 as a way to prevent man-in-the-middle (MITM) attacks.
The issue was caused by a race condition in the way SSL keys are used: keys were overstepping each other.

The client-side ddboost stress_logs show the following symptoms. The example below shows evidence of a problem with the TLS-PSK SSL handshake. The issue is confirmed by the receipt of a NULL PSK identity hint.

    11:08:31 INFO: [70F8:7F8438004CB0] NULL received PSK identity hint, continuing anyway
    11:08:31 WARN: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl: SSL_connect for socket 4 failed: 1 [error:00000001:lib(0):func(0):reason(1)], errno: 0
    11:08:31 WARN: [70F8:7F8438004CB0] ssl error: error:1409445B:SSL routines:ssl3_read_bytes:reason(1115) 0
    11:08:31 ERR : [70F8:7F8438004CB0] ssl_enable_fail 2, error:SSL_connect returned 1
    11:08:31 ERR : [70F8:7F8438004CB0] ddcl_disconnect in ddcl_ost_set_ssl_psk.
    11:08:31 INFO: [70F8:7F8438004CB0] clnt_async_destroy: RPC_CANTRECV will fail all the pending jobs and close socket
    11:08:31 DBG : [70F8:7F8438004CB0] ddcl_vrapid_get_host_saddr: host_name 127.0.0.1 has host_ip 10.25.181.97 and NFS port 2049 found
    11:08:31 INFO: [70F8:7F8438004CB0] NFS connect on host ip=127.0.0.1
    11:08:31 DBG : [70F8:7F8438004CB0] clnt_async_tcp_connect: attempting to connect() on port =2049 ip=10.25.181.97
    11:08:31 INFO: [70F8:7F8438004CB0] 127.0.0.1 is an IP string, can't look for failover
    11:08:31 INFO: [70F8:7F8438004CB0] ddcl_nfs_ost_mount_and_auth_secure(): Decryption of mnt_sec_response using PSK is successful
    11:08:31 INFO: [70F8:7F8438004CB0] ddcl_ost_generate_psk_key(): DDR localhost authenticated successfully using PSK
    11:08:31 INFO: [70F8:7F8438004CB0] number of sslquery 5
    11:08:31 INFO: [70F8:7F8438004CB0] number of ssl_query_success = 5
    11:08:31 INFO: [70F8:7F8438004CB0] DDBoost OST_SSL_QUERY success with auth_mode:4, recover:0
    11:08:31 INFO: [70F8:7F8438004CB0] ssl_enable_proc_count=5, cert_verify_flag=0
    11:08:31 INFO: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl fd: 4
    11:08:31 INFO: [70F8:7F8438004CB0] NULL received PSK identity hint, continuing anyway
    11:08:31 WARN: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl: SSL_connect for socket 4 failed: 1 [error:00000001:lib(0):func(0):reason(1)], errno: 0
    11:08:31 WARN: [70F8:7F8438004CB0] ssl error: error:1409445B:SSL routines:ssl3_read_bytes:reason(1115) 0
    11:08:31 ERR : [70F8:7F8438004CB0] ssl_enable_fail 5, error:SSL_connect returned 1
    11:08:31 ERR : [70F8:7F8438004CB0] ddcl_disconnect in ddcl_ost_set_ssl_psk.
    11:08:31 INFO: [70F8:7F8438004CB0] clnt_async_destroy: RPC_CANTRECV will fail all the pending jobs and close socket
    11:08:31 ERR : [70F8:7F8438004CB0] ddpi_connect_with_user_pwd() failed, Hostname: 127.0.0.1, Err: 5341-SSL_connect returned 1
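A triage sketch for the symptom above, added here as an example and not taken from Dell's tooling: it scans a client log for a NULL PSK identity hint followed by an SSL_connect failure in the same bracketed context, and reports other SSL_connect failures separately. The sample log is constructed from the excerpt above; treating the bracketed ID as a per-connection context and the `enable_ssl fd:` line as the start of a handshake attempt are assumptions.

```python
import re

# Constructed sample modelled on the excerpt above: three contexts, one true hit.
SAMPLE_LOG = """\
11:08:31 INFO: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl fd: 4
11:08:31 INFO: [70F8:7F8438004CB0] NULL received PSK identity hint, continuing anyway
11:08:31 WARN: [70F8:7F8438004CB0] dd_async_clnttcp_enable_ssl: SSL_connect for socket 4 failed: 1 [error:00000001:lib(0):func(0):reason(1)], errno: 0
11:08:31 ERR : [70F8:7F8438004CB0] ssl_enable_fail 2, error:SSL_connect returned 1
11:08:32 INFO: [70F8:7F8438004CC0] dd_async_clnttcp_enable_ssl fd: 5
11:08:32 WARN: [70F8:7F8438004CC0] dd_async_clnttcp_enable_ssl: SSL_connect for socket 5 failed: 1 [error:00000001:lib(0):func(0):reason(1)], errno: 0
11:08:33 INFO: [70F8:7F8438004CD0] NULL received PSK identity hint, continuing anyway
11:08:33 INFO: [70F8:7F8438004CD0] number of sslquery 5
"""

# time, level ("ERR :" carries a space before the colon), [context], message
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+(\w+)\s*:\s+\[([0-9A-Fa-f]+:[0-9A-Fa-f]+)\]\s+(.*)$")
FAIL_RE = re.compile(r"SSL_connect for socket (\d+) failed")
HINT = "NULL received PSK identity hint"
ATTEMPT = "dd_async_clnttcp_enable_ssl fd:"   # assumed start of a handshake attempt


def find_psk_handshake_failures(log_text):
    """Return (matched, unrelated) lists of (time, context, socket) tuples."""
    pending = {}               # context -> time the NULL hint was logged
    matched, unrelated = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue           # skip wrapped or non-log lines
        ts, _level, ctx, msg = m.groups()
        if msg.startswith(ATTEMPT):
            pending.pop(ctx, None)      # new attempt: forget any older hint
        elif HINT in msg:
            pending[ctx] = ts
        else:
            fail = FAIL_RE.search(msg)
            if fail:
                hit = (ts, ctx, int(fail.group(1)))
                # Failure right after a NULL hint is the signature on this page.
                (matched if pending.pop(ctx, None) else unrelated).append(hit)
    return matched, unrelated


if __name__ == "__main__":
    hits, other = find_psk_handshake_failures(SAMPLE_LOG)
    for ts, ctx, sock in hits:
        print(f"{ts} [{ctx}] socket {sock}: NULL PSK hint then SSL_connect failure")
    print(f"{len(other)} SSL_connect failure(s) without a NULL PSK hint")
```

A NULL hint with no failure after it (the third context in the sample) is not reported, since the client logs "continuing anyway" for that case.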
Workaround: Turn off two-way password authentication in the DD Boost protocol.

Perform the following steps to turn off the DD Boost two-way-password authentication global settings.

Check the current options.

    sysadmin@ddve200# ddboost option show
    Option                           Value
    ------------------------------   ----------------
    distributed-segment-processing   enabled
    virtual-synthetics               enabled
    fc                               disabled
    global-authentication-mode       two-way-password
    global-encryption-strength       medium
    ------------------------------   ----------------

Reset the global authentication mode.

    sysadmin@ddve200# ddboost option reset global-authentication-mode
    ** Resetting this option also resets the "global-encryption-strength" option.
    DD Boost options "global-authentication-mode" and "global-encryption-strength" reset to default.

Reset the global encryption strength if "two-way-password" authentication was previously set.

    sysadmin@ddve200# ddboost option reset global-encryption-strength
    ** Resetting this option also resets the "global-authentication-mode" option.
    DD Boost options "global-authentication-mode" and "global-encryption-strength" reset to default.

Validate the changes.

    sysadmin@ddve200# ddboost option show
    Option                           Value
    ------------------------------   --------
    distributed-segment-processing   enabled
    virtual-synthetics               enabled
    fc                               disabled
    global-authentication-mode       none
    global-encryption-strength       none
    ------------------------------   --------

Note: The global security settings take precedence over the client-specific settings, as shown in the example below. After the global variable is reset, the client settings do not require modification.

    sysadmin@ddve200# ddboost clients show config
    Client          Encryption Strength   Authentication Mode
    -------------   -------------------   -------------------
    test.test.com   medium                two-way-password
    -------------   -------------------   -------------------
    (**) The global security settings take precedence over these client(s) specific settings.