Skip to content

OTLP exporter assumes it must use SSL because GetOtlpDefaultIsSslEnable() is returning a wrong value #2058

New issue
New issue
Closed
#2060
Closed
OTLP exporter assumes it must use SSL because GetOtlpDefaultIsSslEnable() is returning a wrong value#2058
#2060
Assignees
marcalff
Labels
bugSomething isn't working
@MrSparc

Description

@MrSparc
MrSparc
opened on Mar 15, 2023

Describe your environment

  • opentelemetry-cpp v1.8.3
  • OTLP gRPC
  • No SSL
  • No OTLP env vars, just default settings

Steps to reproduce
I'm facing an issue with SSL after upgrade from v1.8.2 to v1.8.3 with my gRPC telemetry.
The error is:

E0315 15:58:51.193959723  145649 ssl_transport_security.cc:1501] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

So debugging and comparing the behavior of both versions, I noticed that in v1.8.2 OtlpGrpcExporterOptions constructor is setting as default use_ssl_credentials: false but in the new v1.8.3 this default constructor is setting to use_ssl_credentials: true

This looks like a behaviour change introduced by this refactoring handling Boolean environment variables #1982

Digging into the code to look the initialization of use_ssl_credentials in the constructor:

opentelemetry-cpp/exporters/otlp/include/opentelemetry/exporters/otlp/otlp_grpc_exporter_options.h

Lines 19 to 25 in 15ab9ed

struct OtlpGrpcExporterOptions
{
// The endpoint to export to. By default the OpenTelemetry Collector's default endpoint.
std::string endpoint = GetOtlpDefaultGrpcEndpoint();
// By default when false, uses grpc::InsecureChannelCredentials(); If true,
// uses ssl_credentials_cacert_path if non-empty, else uses ssl_credentials_cacert_as_string
bool use_ssl_credentials = GetOtlpDefaultIsSslEnable();

This method GetOtlpDefaultIsSslEnable() to initialize use_ssl_credentials is based on GetOtlpDefaultTracesIsInsecure():

opentelemetry-cpp/exporters/otlp/include/opentelemetry/exporters/otlp/otlp_environment.h

Lines 60 to 64 in 15ab9ed

// Compatibility with OTELCPP 1.8.2
inline bool GetOtlpDefaultIsSslEnable()
{
return (!GetOtlpDefaultTracesIsInsecure());
}

The issue is in the default return value of the following methods:

All these methods are returning by default false if no env vars are defined.
So a false return means, IS NOT insecure, then IS secure 🤯

I don't know the gRPC transpost must be by default secure or insecure, but if the default is secure then this behaviour was enforced in this version.

According to the specification:
Insecure: Whether to enable client transport security for the exporter's gRPC connection. This option only applies to OTLP/gRPC when an endpoint is provided without the http or https scheme

So, if the gRPC endpoint scheme returns 'http' or 'https' as the following default, I think this value should overrided:

opentelemetry-cpp/exporters/otlp/src/otlp_environment.cc

Lines 78 to 82 in 15ab9ed

std::string GetOtlpDefaultGrpcTracesEndpoint()
{
constexpr char kSignalEnv[] = "OTEL_EXPORTER_OTLP_TRACES_ENDPOINT";
constexpr char kGenericEnv[] = "OTEL_EXPORTER_OTLP_ENDPOINT";
constexpr char kDefault[] = "http://localhost:4317";

What is the expected behavior?
Upgrade from v1.8.2 to v1.8.3 without issues.

What is the actual behavior?
Upgrade to v1.8.3 wrongly assumes that gRPC connection are using SSL and fails because no certificates are defined.

Additional context
As workaround I need to set the env var OTEL_EXPORTER_OTLP_INSECURE=true in order to do not use SSL

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions