This article applies to BoKS Manager 7.0.

Description

When a kslog remote logging session fails due to an SSL problem, the session is disconnected and restarted. However, once an SSL error has been encountered, the session is disconnected repeatedly, which creates many unfinished kslog log files and logs many error messages to boks_errlog.

The cause is a flawed error API design in OpenSSL. After each SSL I/O operation in the keystroke remote logging code, SSL_get_error() is called to check whether an error occurred. OpenSSL keeps a per-thread error stack, and SSL_get_error() does not clear it. If an SSL error is triggered in a thread that is processing data, the error stays on that stack. The next time the thread processes data, SSL_get_error() returns the old error again, so the code believes a new error has occurred even though none has. OpenSSL provides a dedicated function, ERR_clear_error(), that clears the error stack; the BoKS code does not call it. The same problem exists in the kslog file transfer server and client.


Resolution / Workaround

To resolve this issue, apply hotfix HFBM-0190, available for download from the HelpSystems Community Portal.

In this hotfix the following binaries have been updated to clear the error stack prior to any SSL I/O calls:

  • boks_ksllogsd - the kslog log server daemon.
  • kslog - the kslog client program.
  • boks_ftsd - the file transfer server daemon.
  • boks_ftcd - the file transfer client daemon.

Last Modified On: May 25, 2018