ArgumentOutOfRangeException at System.Net.Security.SslStream.ProcessBlob #62109
Comments
Tagging subscribers to this area: @dotnet/ncl, @vcsjones

Issue Details

Description
I'm getting recurring but non consistent exceptions in couple of my environments running the same code under the Docker image This only happened in environments where I have an SSL certificate provisioned by

Reproduction Steps
not consistent

Expected behavior
No errors on Kestrel level

Actual behavior
Microsoft.AspNetCore.Server.Kestrel: Unhandled exception while processing 0HMDG00D520FK.
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
at System.Net.Security.SslStream.ProcessBlob(Int32 frameSize)
at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](TIOAdapter adapter)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.OnConnectionAsync(ConnectionContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure.KestrelConnection`1.ExecuteAsync()

Regression?
Did not observe this in dotnet 5 or core 3.1 that I run beforehand

Known Workarounds
No response

Configuration
Dotnet

Other information
No response
Can you get packet captures @liiri and step in with debugger to get value of
I will try to get more information, would have if it was simple. This never occurred in an environment where a debugger is handy to attach to. Can you offer any workaround to catch this exception or retry the blob receive?
This is inbound connection, right? Any idea if this happens with particular client? One more thought:
This is inbound connection, from browser, most likely Chrome
@liiri did you get chance to try it out?
I've set up the dump to catch this exception, waiting for it to reproduce
I managed to reproduce the issue, and did set the dump configuration as advised, but no dump was generated. Reading around questions like https://stackoverflow.com/questions/1134048/generating-net-crash-dumps-automatically, it seems to me that it might not be as trivial to create a minidump when running in docker, as there is no "other" process that can create the minidump for us.
@liiri it seems to be specific to Docker environment. We are not deeply familiar with it and the problems don't seem to be specific to .NET. Perhaps you can find some help on Docker or general (StackOverflow) forums? Based on quick search, these articles might be useful:
Thanks, I'll look into it, but I don't think I'll be able to provide the mini dump anytime soon.
Can you try something like this @liiri ?

```csharp
using System;
using System.Runtime.ExceptionServices;
using Microsoft.Diagnostics.NETCore.Client;

namespace dump
{
    class Program
    {
        // Runs on every first-chance exception, before any catch block sees it.
        public static void WriteDump(object source, FirstChanceExceptionEventArgs e)
        {
            if (e.Exception is ArgumentOutOfRangeException)
            {
                // Ask the runtime's diagnostics endpoint to dump the current process.
                int pid = Environment.ProcessId;
                var client = new DiagnosticsClient(pid);
                //client.WriteDump(DumpType.Normal, "/tmp/minidump.dmp");
                client.WriteDump(DumpType.Full, $"/tmp/dump.dmp.{pid}");
            }
        }

        static void Main(string[] args)
        {
            AppDomain.CurrentDomain.FirstChanceException += WriteDump;
            Console.WriteLine("Hello, World!");
            try
            {
                // Test exception to confirm that the handler writes a dump.
                throw new ArgumentOutOfRangeException("BOO");
            }
            catch { }
            Console.WriteLine("All done");
        }
    }
}
```

You will need to add reference to

The dump will be large and it will contain your private keys (and perhaps other sensitive data). I would still probably start with Full dump and fall-back to Normal if that gives you grief

You can either send me private email with location or I can walk you through the dump to get some insight.
Thanks, this seemed to have worked, forwarding dumps link by email
It seems the requests were made using Ssl2, which shouldn't be allowed. This may be related to https://docs.microsoft.com/en-us/dotnet/core/compatibility/aspnet-core/5.0/kestrel-default-supported-tls-protocol-versions-changed
That part will probably not matter. As far as I can tell, this happens before the platform code even executes. The bytes sequence does not seem to be valid TLS frame. It is either some fuzzer/garbage or Kestrel somehow mangles the data (cc: @Tratcher in case there is some known issue). Either one should not matter - we should not get
runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Lines 473 to 479 in 67b110e
Given sequence of input bytes gives The interesting one is the We should read rest of the frame or fail but we don't seem to
runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Lines 494 to 497 in 67b110e
and then
runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Lines 560 to 567 in 67b110e
This updates the
runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Line 594 in 67b110e
For some reason Is there any functional impact besides annoyance @liiri?
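The "read rest of the frame or fail" check from the comment above, as an added example that is not part of the thread and not the runtime's SslStream code: a record-header validator that rejects non-TLS input with an IOException before any length is used to slice a buffer. The class and method names are hypothetical, the sample bytes are constructed, and rejecting SSLv2-format hellos outright is a choice made for this sketch.

```csharp
using System;
using System.IO;

// Added illustration; not the runtime's SslStream code. All names are hypothetical.
static class TlsFrameCheck
{
    const int HeaderSize = 5;                 // type(1) + version(2) + length(2)
    const int MaxRecordBody = 16384 + 2048;   // TLS 1.2 ciphertext limit (RFC 5246, 6.2.3)

    // Returns the total frame size (header + body) for a well-formed TLS record header.
    // Throws IOException for anything else, so the caller never slices with a bad length.
    public static int GetFrameSize(ReadOnlySpan<byte> buffer)
    {
        if (buffer.Length < HeaderSize)
            throw new IOException("Incomplete TLS record header.");

        // SSLv2-style 2-byte header: high bit set, third byte 1 = CLIENT-HELLO.
        if ((buffer[0] & 0x80) != 0 && buffer[2] == 1)
            throw new IOException("SSLv2-format hello rejected.");

        byte type = buffer[0];
        if (type < 20 || type > 23)           // change_cipher_spec .. application_data
            throw new IOException($"Unknown TLS content type {type}.");

        if (buffer[1] != 3)                   // SSL 3.0 and every TLS version use major 3
            throw new IOException("Unsupported record version.");

        int bodyLength = (buffer[3] << 8) | buffer[4];
        if (bodyLength > MaxRecordBody)
            throw new IOException($"Invalid TLS record length {bodyLength}.");

        return HeaderSize + bodyLength;
    }

    static void Main()
    {
        // Constructed sample inputs, not bytes from the reported dumps.
        byte[][] samples =
        {
            new byte[] { 0x16, 0x03, 0x01, 0x00, 0x2F },   // handshake record, 47-byte body
            new byte[] { 0x80, 0x2E, 0x01, 0x00, 0x02 },   // SSLv2-format CLIENT-HELLO
            new byte[] { 0x47, 0x45, 0x54, 0x20, 0x2F },   // "GET /" sent to the TLS port
        };
        foreach (byte[] s in samples)
        {
            try { Console.WriteLine($"{BitConverter.ToString(s)} -> frame size {GetFrameSize(s)}"); }
            catch (IOException ex) { Console.WriteLine($"{BitConverter.ToString(s)} -> rejected: {ex.Message}"); }
        }
    }
}
```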
There is no functional impact, but we do get an unhandled exception which is alarming our system. Any way to catch this exception in some middleware or other callback? I would still note that these fuzzy requests were only recorded in environments where our ASP server is exposed without any intermediate load balancer or gateway. In SaaS installations where we use a Kubernetes Ingress, we never encountered these errors.
@Tratcher would probably be best person to answer the question about the middleware.
The issue of handling this or the more accurate exception is still relevant, would you rather I open a new issue?
@liiri handling the exception would be an issue for the AspNetCore/Kestrel layer. You should be able to test the change in a few days using the build from https://github.com/dotnet/installer#installers-and-binaries. Once you see the new error you can ask over at https://github.com/dotnet/aspnetcore if you're still having trouble handling it.
Do I understand it correctly that the difference of the fix is just which exception is thrown? (IOException vs. ArgumentOutOfRangeException)
Description
I'm getting recurring but non consistent exceptions in couple of my environments running the same code under the Docker image mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim
This only happened in environments where I have an SSL certificate provisioned by certbot, but I don't know if it's related. Certificate is signed and up to date.

Reproduction Steps
not consistent

Expected behavior
No errors on Kestrel level

Actual behavior

Regression?
Did not observe this in dotnet 5 or core 3.1 that I run beforehand

Known Workarounds
No response

Configuration
Dotnet 6.0.100
OS is Ubuntu 18.0.4 x86_64, running Docker image mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim

Other information
No response