Suppress noisy SSL exceptions #61359
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If a TLS-protected connection closes unexpectedly then today we often
emit a `WARN` log, typically one of the following:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received close_notify during handshake
We typically only report unexpectedly-closed connections at `DEBUG`
level, but these two messages don't follow that rule and generate a lot
of noise as a result. This commit adjusts the logging to report these
two exceptions at `DEBUG` level only.
|
Pinging @elastic/es-security (:Security/Network) |
|
I could do with guidance on testing this change, I couldn't find a pre-existing test suite for this area, nor do I know how to trigger these exceptions synthetically. |
DaveCTurner
commented
Aug 20, 2020
| @@ -22,6 +24,11 @@ public static boolean isNotSslRecordException(Throwable e) { | |||
| } | |||
|
|
|||
| public static boolean isCloseDuringHandshakeException(Throwable e) { | |||
| return isCloseDuringHandshakeSSLException(e) | |||
| || isCloseDuringHandshakeSSLException(e.getCause()); | |||
There was a problem hiding this comment.
We were already checking for Received close_notify during handshake, just not within a DecoderException. Not sure whether this was a mistake or whether we do sometimes see this exception unwrapped too.
Also not sure what the implications for the nio transport since the DecoderException wrapper is Netty-specific.
|
Thanks Tim! |
DaveCTurner
added a commit
that referenced
this pull request
Aug 27, 2020
If a TLS-protected connection closes unexpectedly then today we often
emit a `WARN` log, typically one of the following:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received close_notify during handshake
We typically only report unexpectedly-closed connections at `DEBUG`
level, but these two messages don't follow that rule and generate a lot
of noise as a result. This commit adjusts the logging to report these
two exceptions at `DEBUG` level only.
61 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If a TLS-protected connection closes unexpectedly then today we often
emit a
WARNlog, typically one of the following:We typically only report unexpectedly-closed connections at
DEBUGlevel, but these two messages don't follow that rule and generate a lot
of noise as a result. This commit adjusts the logging to report these
two exceptions at
DEBUGlevel only.