Netty: reduce logging for a close request during handshake

Reduces the amount of logging on both HTTP and Transport protocols for a channel being closed while in the middle of a handshake. This often occurs when the client does not trust the server certificate and aborts the handshake. Also, reduces logging on the Transport protocol for a plain text message received on a channel that is using TLS. Closes elastic/elasticsearch#771 Original commit: elastic/x-pack-elasticsearch@321c384ddd
2015-04-07 13:06:58 -04:00 · 2015-04-07 13:06:58 -04:00 · b8f75a2bae
parent 6e660dbd7d
commit b8f75a2bae
3 changed files with 73 additions and 3 deletions
--- a/src/main/java/org/elasticsearch/shield/transport/SSLExceptionHelper.java
+++ b/src/main/java/org/elasticsearch/shield/transport/SSLExceptionHelper.java
@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.shield.transport;
+
+import org.elasticsearch.common.netty.handler.ssl.NotSslRecordException;
+
+import javax.net.ssl.SSLException;
+
+public class SSLExceptionHelper {
+
+    private SSLExceptionHelper() {
+    }
+
+    public static boolean isNotSslRecordException(Throwable e) {
+        return e instanceof NotSslRecordException && e.getCause() == null;
+    }
+
+    public static boolean isCloseDuringHandshakeException(Throwable e) {
+        return e instanceof SSLException
+                && e.getCause() == null
+                && "Received close_notify during handshake".equals(e.getMessage());
+    }
+}
--- a/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
+++ b/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
@ -10,7 +10,6 @@ import org.elasticsearch.common.netty.channel.ChannelHandlerContext;
 import org.elasticsearch.common.netty.channel.ChannelPipeline;
 import org.elasticsearch.common.netty.channel.ChannelPipelineFactory;
 import org.elasticsearch.common.netty.channel.ExceptionEvent;
-import org.elasticsearch.common.netty.handler.ssl.NotSslRecordException;
 import org.elasticsearch.common.netty.handler.ssl.SslHandler;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
@ -21,6 +20,8 @@ import org.elasticsearch.shield.transport.filter.IPFilter;

 import javax.net.ssl.SSLEngine;

+import static org.elasticsearch.shield.transport.SSLExceptionHelper.*;
+
 /**
 *
 */
@ -46,13 +47,25 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {

    @Override
    protected void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e) throws Exception {
-        if (e.getCause() instanceof NotSslRecordException) {
+        if (!lifecycle.started()) {
+            return;
+        }
+
+        Throwable t = e.getCause();
+        if (isNotSslRecordException(t)) {
            if (logger.isTraceEnabled()) {
-                logger.trace("received plaintext http traffic on a https channel, closing connection {}", e.getCause(), ctx.getChannel());
+                logger.trace("received plaintext http traffic on a https channel, closing connection {}", t, ctx.getChannel());
            } else {
                logger.warn("received plaintext http traffic on a https channel, closing connection {}", ctx.getChannel());
            }
            ctx.getChannel().close();
+        } else if (isCloseDuringHandshakeException(t)) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("connection {} closed during handshake", t, ctx.getChannel());
+            } else {
+                logger.warn("connection {} closed during handshake", ctx.getChannel());
+            }
+            ctx.getChannel().close();
        } else {
            super.exceptionCaught(ctx, e);
        }
--- a/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java
+++ b/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java
@ -24,6 +24,9 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import java.net.InetSocketAddress;

+import static org.elasticsearch.shield.transport.SSLExceptionHelper.isCloseDuringHandshakeException;
+import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslRecordException;
+
 /**
 *
 */
@ -66,6 +69,34 @@ public class ShieldNettyTransport extends NettyTransport {
        return new SslServerChannelPipelineFactory(this, name, settings, profileSettings);
    }

+    @Override
+    protected void exceptionCaught(ChannelHandlerContext ctx, ExceptionEvent e) throws Exception {
+        if (!lifecycle.started()) {
+            return;
+        }
+
+        Throwable t = e.getCause();
+        if (isNotSslRecordException(t)) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("received plaintext traffic on a encrypted channel, closing connection {}", t, ctx.getChannel());
+            } else {
+                logger.warn("received plaintext traffic on a encrypted channel, closing connection {}", ctx.getChannel());
+            }
+            ctx.getChannel().close();
+            disconnectFromNodeChannel(ctx.getChannel(), e.getCause());
+        } else if (isCloseDuringHandshakeException(t)) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("connection {} closed during handshake", t, ctx.getChannel());
+            } else {
+                logger.warn("connection {} closed during handshake", ctx.getChannel());
+            }
+            ctx.getChannel().close();
+            disconnectFromNodeChannel(ctx.getChannel(), e.getCause());
+        } else {
+            super.exceptionCaught(ctx, e);
+        }
+    }
+
    private class SslServerChannelPipelineFactory extends ServerChannelPipelineFactory {

        private final Settings profileSettings;