From 52a2dd4acf510fe6ef4c3e981361a2decc06641f Mon Sep 17 00:00:00 2001
From: jaymode
Date: Tue, 10 Feb 2015 11:10:28 -0500
Subject: [PATCH] [SSL/TLS] reduce logging when non https traffic is received on ssl channel

This removes the logging of an exception at the default log level when a incoming request in the http transport is unencrypted and the http transport expects traffic to be encrypted.

Closes elastic/elasticsearch#561

Original commit: elastic/x-pack-elasticsearch@0cf23e8e9dc02ff8cbcd7d7614ea188d17a0772f
---
 .../VisibleNettyHttpServerTransport.java | 31 +++++++++++++++++++
 .../netty/ShieldNettyHttpServerTransport.java | 20 +++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/org/elasticsearch/http/netty/VisibleNettyHttpServerTransport.java

diff --git a/src/main/java/org/elasticsearch/http/netty/VisibleNettyHttpServerTransport.java b/src/main/java/org/elasticsearch/http/netty/VisibleNettyHttpServerTransport.java
new file mode 100644
index 00000000000..f8424ede6fe
--- /dev/null
+++ b/src/main/java/org/elasticsearch/http/netty/VisibleNettyHttpServerTransport.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.http.netty;
+
+import org.elasticsearch.common.netty.channel.ChannelHandlerContext;
+import org.elasticsearch.common.netty.channel.ExceptionEvent;
+import org.elasticsearch.common.network.NetworkService;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.BigArrays;
+
+/**
+ * Makes the exceptionCaught method of {@link org.elasticsearch.http.netty.NettyHttpServerTransport} visible
+ * to overriding classes.
+ *
+ * TODO: Fix core to make methods protected instead of package private and remove this class
+ */
+public class VisibleNettyHttpServerTransport extends NettyHttpServerTransport {
+
+    public VisibleNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays) {
+        super(settings, networkService, bigArrays);
+    }
+
+    @Override
+    protected void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e) throws Exception {
+        super.exceptionCaught(ctx, e);
+    }
+
+}
diff --git a/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java b/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
index 7512982c6e9..fe2452f39cb 100644
--- a/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
+++ b/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
@@ -6,13 +6,17 @@ package org.elasticsearch.shield.transport.netty;
 import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.netty.channel.ChannelHandlerContext;
 import org.elasticsearch.common.netty.channel.ChannelPipeline;
 import org.elasticsearch.common.netty.channel.ChannelPipelineFactory;
+import org.elasticsearch.common.netty.channel.ExceptionEvent;
+import org.elasticsearch.common.netty.handler.ssl.NotSslRecordException;
 import org.elasticsearch.common.netty.handler.ssl.SslHandler;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.http.netty.NettyHttpServerTransport;
+import org.elasticsearch.http.netty.VisibleNettyHttpServerTransport;
 import org.elasticsearch.shield.ssl.ServerSSLService;
 import org.elasticsearch.shield.transport.filter.IPFilter;
@@ -21,7 +25,7 @@ import javax.net.ssl.SSLEngine;
 /**
  *
  */
-public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
+public class ShieldNettyHttpServerTransport extends VisibleNettyHttpServerTransport {
     private final IPFilter ipFilter;
     private final ServerSSLService sslService;
@@ -36,6 +40,20 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
         this.sslService = sslService;
     }
+    @Override
+    protected void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e) throws Exception {
+        if (e.getCause() instanceof NotSslRecordException) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("received plaintext http traffic on a https channel, closing connection {}", e.getCause(), ctx.getChannel());
+            } else {
+                logger.warn("received plaintext http traffic on a https channel, closing connection {}", ctx.getChannel());
+            }
+            ctx.getChannel().close();
+        } else {
+            super.exceptionCaught(ctx, e);
+        }
+    }
+
     @Override
     public ChannelPipelineFactory configureServerChannelPipelineFactory() {
         return new HttpSslChannelPipelineFactory(this);
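Review bot: The warn branch of the new exceptionCaught still emits one log line for every plaintext connection that reaches the TLS port, so the volume of default-level logging remains proportional to traffic an unauthenticated peer can generate, which is the cost the commit title says it wants to reduce. Since the channel is closed on every path and the peer is already identified by `ctx.getChannel()`, debug is the usual level for this condition: `logger.debug("received plaintext http traffic on a https channel, closing connection {}", ctx.getChannel());` with the trace variant kept for the cause. The message literal is also duplicated across the trace and warn calls; a `private static final String` would keep the two in sync if the wording changes. The enclosing class continues outside the hunk.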