Suppress noisy SSL exceptions (#61359)

If a TLS-protected connection closes unexpectedly then today we often
emit a `WARN` log, typically one of the following:

    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received close_notify during handshake

We typically only report unexpectedly-closed connections at `DEBUG`
level, but these two messages don't follow that rule and generate a lot
of noise as a result. This commit adjusts the logging to report these
two exceptions at `DEBUG` level only.
David Turner 2020-08-27 10:59:20 +01:00
parent b866aaf81c
commit f6055dc9b2
3 changed files with 20 additions and 0 deletions


@ -8,8 +8,10 @@ package org.elasticsearch.xpack.core.security.transport;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.ssl.NotSslRecordException;
import org.elasticsearch.common.regex.Regex;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
public class SSLExceptionHelper {
@ -22,6 +24,11 @@ public class SSLExceptionHelper {
}
public static boolean isCloseDuringHandshakeException(Throwable e) {
return isCloseDuringHandshakeSSLException(e)
|| isCloseDuringHandshakeSSLException(e.getCause());
}
private static boolean isCloseDuringHandshakeSSLException(Throwable e) {
return e instanceof SSLException
&& e.getCause() == null
&& "Received close_notify during handshake".equals(e.getMessage());
@ -32,4 +39,10 @@ public class SSLExceptionHelper {
&& e.getCause() instanceof SSLException
&& "Received fatal alert: certificate_unknown".equals(e.getCause().getMessage());
}
public static boolean isInsufficientBufferRemainingException(Throwable e) {
return e instanceof DecoderException
&& e.getCause() instanceof SSLHandshakeException
&& Regex.simpleMatch("Insufficient buffer remaining for AEAD cipher fragment*", e.getCause().getMessage());
}
}
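Review bot: `isInsufficientBufferRemainingException` (like the close_notify and certificate_unknown predicates next to it) classifies the failure by matching JDK-internal exception message text, so a JDK release that rewords the message would silently push these closures back onto the `WARN` path, and the method carries no Javadoc saying so. I would add above it: `/** True when {@code e} wraps the {@link SSLHandshakeException} the JDK raises for a TLS record truncated before its AEAD tag, i.e. the peer closed the connection mid-record. Matched on the JDK's message text (prefix match), so revisit if that text changes. */`. The trailing `*` only absorbs the varying byte counts seen in the commit description, not a change to the prefix. The new private helper is null-safe because `null instanceof SSLException` is false, which is what lets `isCloseDuringHandshakeException` pass `e.getCause()` without a null check; a one-line comment on that would save the next reader the same check.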


@ -34,6 +34,9 @@ public final class SecurityTransportExceptionHandler implements BiConsumer<TcpCh
} else if (SSLExceptionHelper.isCloseDuringHandshakeException(e)) {
logger.debug("connection {} closed during handshake", channel);
CloseableChannel.closeChannel(channel);
} else if (SSLExceptionHelper.isInsufficientBufferRemainingException(e)) {
logger.debug("connection {} closed abruptly", channel);
CloseableChannel.closeChannel(channel);
} else if (SSLExceptionHelper.isReceivedCertificateUnknownException(e)) {
logger.warn("client did not trust this server's certificate, closing connection {}", channel);
CloseableChannel.closeChannel(channel);
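Review bot: The new `closed abruptly` branch logs only the channel, so when an operator enables `DEBUG` on this logger to look into these closures (the `WARN` they used to get is what this commit removes), the detail that distinguishes a truncated record from any other abrupt close is gone. Because a `DecoderException` built from a cause uses the cause's `toString()` as its message (the quoted log lines in the description show exactly that), `logger.debug("connection {} closed abruptly: {}", channel, e.getMessage());` keeps the reason at no extra cost and without a stack trace. The same applies to the parallel branch added in `SecurityHttpExceptionHandler` below. The enclosing method (presumably the `BiConsumer` `accept`) starts and ends outside the hunk.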


@ -13,6 +13,7 @@ import org.elasticsearch.http.HttpChannel;
import java.util.function.BiConsumer;
import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isCloseDuringHandshakeException;
import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isInsufficientBufferRemainingException;
import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isNotSslRecordException;
import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isReceivedCertificateUnknownException;
@ -39,6 +40,9 @@ public final class SecurityHttpExceptionHandler implements BiConsumer<HttpChanne
} else if (isCloseDuringHandshakeException(e)) {
logger.debug("connection {} closed during ssl handshake", channel);
CloseableChannel.closeChannel(channel);
} else if (isInsufficientBufferRemainingException(e)) {
logger.debug("connection {} closed abruptly", channel);
CloseableChannel.closeChannel(channel);
} else if (isReceivedCertificateUnknownException(e)) {
logger.warn("http client did not trust this server's certificate, closing connection {}", channel);
CloseableChannel.closeChannel(channel);