From f6055dc9b2df8be5765690e6fa7418a98c905f17 Mon Sep 17 00:00:00 2001
From: David Turner
Date: Thu, 27 Aug 2020 10:59:20 +0100
Subject: [PATCH] Suppress noisy SSL exceptions (#61359)
If a TLS-protected connection closes unexpectedly then today we often emit a `WARN` log, typically one of the following:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received close_notify during handshake
We typically only report unexpectedly-closed connections at `DEBUG` level, but these two messages don't follow that rule and generate a lot of noise as a result. This commit adjusts the logging to report these two exceptions at `DEBUG` level only.
---
 .../core/security/transport/SSLExceptionHelper.java | 13 +++++++++++++
 .../SecurityTransportExceptionHandler.java | 3 +++
 .../transport/SecurityHttpExceptionHandler.java | 4 ++++
 3 files changed, 20 insertions(+)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SSLExceptionHelper.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SSLExceptionHelper.java
index c954671cc96..d1d4bc330fd 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SSLExceptionHelper.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SSLExceptionHelper.java
@@ -8,8 +8,10 @@ package org.elasticsearch.xpack.core.security.transport;
 import io.netty.handler.codec.DecoderException;
 import io.netty.handler.ssl.NotSslRecordException;
+import org.elasticsearch.common.regex.Regex;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
 public class SSLExceptionHelper {
@@ -22,6 +24,11 @@ public class SSLExceptionHelper {
 }
 public static boolean isCloseDuringHandshakeException(Throwable e) {
+ return isCloseDuringHandshakeSSLException(e)
+ || isCloseDuringHandshakeSSLException(e.getCause());
+ }
+
+ private static boolean isCloseDuringHandshakeSSLException(Throwable e) {
 return e instanceof SSLException
 && e.getCause() == null
 && "Received close_notify during handshake".equals(e.getMessage());
@@ -32,4 +39,10 @@ public class SSLExceptionHelper {
 && e.getCause() instanceof SSLException
 && "Received fatal alert: certificate_unknown".equals(e.getCause().getMessage());
 }
+
+ public static boolean isInsufficientBufferRemainingException(Throwable e) {
+ return e instanceof DecoderException
+ && e.getCause() instanceof SSLHandshakeException
+ && Regex.simpleMatch("Insufficient buffer remaining for AEAD cipher fragment*", e.getCause().getMessage());
+ }
 }
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SecurityTransportExceptionHandler.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SecurityTransportExceptionHandler.java
index 44789e81ce9..fea3abedc32 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SecurityTransportExceptionHandler.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/transport/SecurityTransportExceptionHandler.java
@@ -34,6 +34,9 @@ public final class SecurityTransportExceptionHandler implements BiConsumer
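Review bot: In `isCloseDuringHandshakeException` the new cause check accepts any wrapper type, whereas `isInsufficientBufferRemainingException` in the same file first requires `e instanceof DecoderException`. The commit description says matches are demoted to `DEBUG`, so a broader match takes more handshake failures out of the default logs than the two traces it quotes. If only the Netty-wrapped form is intended, narrow the second operand to `|| (e instanceof DecoderException && isCloseDuringHandshakeSSLException(e.getCause()))`. The method also now calls `e.getCause()` unconditionally, so a null argument throws where the previous `instanceof` chain returned false. The private helper's closing brace lies outside the hunk.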
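Review bot: `isInsufficientBufferRemainingException` has no Javadoc, and nothing in the hunk records why it matches on message text. The prefix appears to come from the JDK's TLS implementation rather than a documented API, so it may change between JDK versions or providers, at which point the exception would quietly return to `WARN`. I would add a comment such as `// Message text is JDK-internal, not a stable contract; on mismatch this falls back to WARN. Matches are logged at DEBUG, so these handshake failures are not visible at default log levels.` A unit test pinning the two messages quoted in the commit description would catch a silent change.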