Suppress noisy SSL exceptions (#61359)

If a TLS-protected connection closes unexpectedly then today we often emit a `WARN` log, typically one of the following: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16) io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received close_notify during handshake We typically only report unexpectedly-closed connections at `DEBUG` level, but these two messages don't follow that rule and generate a lot of noise as a result. This commit adjusts the logging to report these two exceptions at `DEBUG` level only.
elastic · Aug 27, 2020 · f6055dc · f6055dc
1 parent b866aaf
commit f6055dc
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/...ore/src/main/java/org/elasticsearch/xpack/core/security/transport/SSLExceptionHelper.java b/...ore/src/main/java/org/elasticsearch/xpack/core/security/transport/SSLExceptionHelper.java
@@ -8,8 +8,10 @@
 
 import io.netty.handler.codec.DecoderException;
 import io.netty.handler.ssl.NotSslRecordException;
+import org.elasticsearch.common.regex.Regex;
 
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
 
 public class SSLExceptionHelper {
 
@@ -22,6 +24,11 @@ public static boolean isNotSslRecordException(Throwable e) {
     }
 
     public static boolean isCloseDuringHandshakeException(Throwable e) {
+        return isCloseDuringHandshakeSSLException(e)
+                || isCloseDuringHandshakeSSLException(e.getCause());
+    }
+
+    private static boolean isCloseDuringHandshakeSSLException(Throwable e) {
         return e instanceof SSLException
                 && e.getCause() == null
                 && "Received close_notify during handshake".equals(e.getMessage());
@@ -32,4 +39,10 @@ public static boolean isReceivedCertificateUnknownException(Throwable e) {
                 && e.getCause() instanceof SSLException
                 && "Received fatal alert: certificate_unknown".equals(e.getCause().getMessage());
     }
+
+    public static boolean isInsufficientBufferRemainingException(Throwable e) {
+        return e instanceof DecoderException
+                && e.getCause() instanceof SSLHandshakeException
+                && Regex.simpleMatch("Insufficient buffer remaining for AEAD cipher fragment*", e.getCause().getMessage());
+    }
 }
diff --git a/...va/org/elasticsearch/xpack/core/security/transport/SecurityTransportExceptionHandler.java b/...va/org/elasticsearch/xpack/core/security/transport/SecurityTransportExceptionHandler.java
@@ -34,6 +34,9 @@ public void accept(TcpChannel channel, Exception e) {
         } else if (SSLExceptionHelper.isCloseDuringHandshakeException(e)) {
             logger.debug("connection {} closed during handshake", channel);
             CloseableChannel.closeChannel(channel);
+        } else if (SSLExceptionHelper.isInsufficientBufferRemainingException(e)) {
+            logger.debug("connection {} closed abruptly", channel);
+            CloseableChannel.closeChannel(channel);
         } else if (SSLExceptionHelper.isReceivedCertificateUnknownException(e)) {
             logger.warn("client did not trust this server's certificate, closing connection {}", channel);
             CloseableChannel.closeChannel(channel);

diff --git a/...rc/main/java/org/elasticsearch/xpack/security/transport/SecurityHttpExceptionHandler.java b/...rc/main/java/org/elasticsearch/xpack/security/transport/SecurityHttpExceptionHandler.java
@@ -13,6 +13,7 @@
 import java.util.function.BiConsumer;
 
 import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isCloseDuringHandshakeException;
+import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isInsufficientBufferRemainingException;
 import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isNotSslRecordException;
 import static org.elasticsearch.xpack.core.security.transport.SSLExceptionHelper.isReceivedCertificateUnknownException;
 
@@ -39,6 +40,9 @@ public void accept(HttpChannel channel, Exception e) {
         } else if (isCloseDuringHandshakeException(e)) {
             logger.debug("connection {} closed during ssl handshake", channel);
             CloseableChannel.closeChannel(channel);
+        } else if (isInsufficientBufferRemainingException(e)) {
+            logger.debug("connection {} closed abruptly", channel);
+            CloseableChannel.closeChannel(channel);
         } else if (isReceivedCertificateUnknownException(e)) {
             logger.warn("http client did not trust this server's certificate, closing connection {}", channel);
             CloseableChannel.closeChannel(channel);