[SSL/TLS] reduce logging when non https traffic is received on ssl channel

This removes the logging of an exception at the default log level when a incoming request in
the http transport is unencrypted and the http transport expects traffic to be encrypted.

Closes elastic/elasticsearch#561

Original commit: elastic/x-pack-elasticsearch@0cf23e8e9d

src/main/java/org/elasticsearch/http/netty/VisibleNettyHttpServerTransport.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.http.netty;
+
+import org.elasticsearch.common.netty.channel.ChannelHandlerContext;
+import org.elasticsearch.common.netty.channel.ExceptionEvent;
+import org.elasticsearch.common.network.NetworkService;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.BigArrays;
+
+/**
+ * Makes the exceptionCaught method of {@link org.elasticsearch.http.netty.NettyHttpServerTransport} visible
+ * to overriding classes.
+ *
+ * TODO: Fix core to make methods protected instead of package private and remove this class
+ */
+public class VisibleNettyHttpServerTransport extends NettyHttpServerTransport {
+
+    public VisibleNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays) {
+        super(settings, networkService, bigArrays);
+    }
+
+    @Override
+    protected void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e) throws Exception {
+        super.exceptionCaught(ctx, e);
+    }
+
+}

src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java

@@ -6,13 +6,17 @@
 package org.elasticsearch.shield.transport.netty;
 
 import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.netty.channel.ChannelHandlerContext;
 import org.elasticsearch.common.netty.channel.ChannelPipeline;
 import org.elasticsearch.common.netty.channel.ChannelPipelineFactory;
+import org.elasticsearch.common.netty.channel.ExceptionEvent;
+import org.elasticsearch.common.netty.handler.ssl.NotSslRecordException;
 import org.elasticsearch.common.netty.handler.ssl.SslHandler;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.http.netty.NettyHttpServerTransport;
+import org.elasticsearch.http.netty.VisibleNettyHttpServerTransport;
 import org.elasticsearch.shield.ssl.ServerSSLService;
 import org.elasticsearch.shield.transport.filter.IPFilter;
 
@@ -21,7 +25,7 @@ import javax.net.ssl.SSLEngine;
 /**
  *
  */
-public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
+public class ShieldNettyHttpServerTransport extends VisibleNettyHttpServerTransport {
 
     private final IPFilter ipFilter;
     private final ServerSSLService sslService;
@@ -36,6 +40,20 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
         this.sslService =  sslService;
     }
 
+    @Override
+    protected void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e) throws Exception {
+        if (e.getCause() instanceof NotSslRecordException) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("received plaintext http traffic on a https channel, closing connection {}", e.getCause(), ctx.getChannel());
+            } else {
+                logger.warn("received plaintext http traffic on a https channel, closing connection {}", ctx.getChannel());
+            }
+            ctx.getChannel().close();
+        } else {
+            super.exceptionCaught(ctx, e);
+        }
+    }
+
     @Override
     public ChannelPipelineFactory configureServerChannelPipelineFactory() {
         return new HttpSslChannelPipelineFactory(this);