[ https://issues.apache.org/jira/browse/CASSANDRA-19508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17833771#comment-17833771 ]
Jon Meredith commented on CASSANDRA-19508:
------------------------------------------

That's a lot of logs to deal with. Have you tried adding something like this to your {{logback.xml}} file to improve things in the short term?

{code:xml}
<logger name="org.apache.cassandra.transport.ServerConnection" level="INFO"/>
{code}

I don't think we should merge the patch as it stands because it disables retrieving the certificate if not required and it may be used by {{IAuthenticator}} implementations. We could drop the log level to {{TRACE}} -- although logging per socket connection event at {{DEBUG}} level doesn't seem unreasonable and it seems like other log events at that level could be added in the future. Something like this instead? It should be a simpler patch and not involve the config subsystem.

{code}
diff --git a/src/java/org/apache/cassandra/transport/ServerConnection.java b/src/java/org/apache/cassandra/transport/ServerConnection.java
index 21f2e0b0e6..b47d0d9c66 100644
--- a/src/java/org/apache/cassandra/transport/ServerConnection.java
+++ b/src/java/org/apache/cassandra/transport/ServerConnection.java
@@ -137,7 +137,8 @@ public class ServerConnection extends Connection } catch (SSLPeerUnverifiedException e) { - logger.debug("Failed to get peer certificates for peer {}", channel().remoteAddress(), e); + if (logger.isTraceEnabled()) + logger.trace("Failed to get peer certificates for peer {}", channel().remoteAddress(), e); } } return certificates;
{code}

> Getting tons of msgs "Failed to get peer certificates for peer /x.x.x.x:45796" when require_client_auth is set to false
> -----------------------------------------------------------------------------------------------------------------------
>
>         Key: CASSANDRA-19508
>         URL: https://issues.apache.org/jira/browse/CASSANDRA-19508
>     Project: Cassandra
>  Issue Type: Bug
>  Components: Feature/Encryption
>    Reporter: Mohammad Aburadeh
>    Assignee: Mohammad Aburadeh
>    Priority: Urgent
>     Fix For: 4.0.x, 4.1.x, 5.0.x, 5.x
>
>
> We recently upgraded our production clusters from 3.11.15 to 4.1.4. We started seeing thousands of msgs "Failed to get peer certificates for peer /x.x.x.x:45796". SSL is enabled but require_client_auth is disabled. This is causing a huge problem for us because cassandra log files are growing very fast as our connections are short-lived connections; we open more than 1K connections per second and they stay live for 1-2 seconds.
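Review bot: the `logger.isTraceEnabled()` guard added around the `logger.trace(...)` call in the ServerConnection.java:137 hunk is redundant, because the only computed argument is `channel().remoteAddress()`, which is cheap, and SLF4J's parameterized call already skips message formatting when TRACE is disabled; `logger.trace("Failed to get peer certificates for peer {}", channel().remoteAddress(), e);` alone is enough. The argument list deserves more attention than the level: `e` is still passed as the last parameter, so once TRACE is turned on each short-lived connection emits a full `SSLPeerUnverifiedException` stack trace, even though the exception is the expected outcome when a client presents no certificate and `require_client_auth` is false. Consider logging `e.getMessage()` instead of `e` for that expected path so that an operator enabling TRACE to diagnose a handshake problem is not buried under stack traces for the normal case.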
> {code:java}
> DEBUG [Native-Transport-Requests-2] 2024-03-31 21:26:38,026 ServerConnection.java:140 - Failed to get peer certificates for peer /172.31.2.23:45796
> javax.net.ssl.SSLPeerUnverifiedException: peer not verified
>     at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$DefaultOpenSslSession.getPeerCertificateChain(ReferenceCountedOpenSslEngine.java:2414)
>     at io.netty.handler.ssl.ExtendedOpenSslSession.getPeerCertificateChain(ExtendedOpenSslSession.java:140)
>     at org.apache.cassandra.transport.ServerConnection.certificates(ServerConnection.java:136)
>     at org.apache.cassandra.transport.ServerConnection.getSaslNegotiator(ServerConnection.java:120)
>     at org.apache.cassandra.transport.messages.AuthResponse.execute(AuthResponse.java:76)
>     at org.apache.cassandra.transport.Message$Request.execute(Message.java:255)
>     at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:166)
>     at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:185)
>     at org.apache.cassandra.transport.Dispatcher.processRequest(Dispatcher.java:212)
>     at org.apache.cassandra.transport.Dispatcher$RequestProcessor.run(Dispatcher.java:109)
>     at org.apache.cassandra.concurrent.FutureTask$1.call(FutureTask.java:96)
>     at org.apache.cassandra.concurrent.FutureTask.call(FutureTask.java:61)
>     at org.apache.cassandra.concurrent.FutureTask.run(FutureTask.java:71)
>     at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:142)
>     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
> {code}
>
> *Our SSL config:*
> {code:java}
> client_encryption_options:
>   enabled: true
>   keystore: /path/to/keystore
>   keystore_password: xxxxx
>   optional: false
>   require_client_auth: false
> {code}
>
> We should stop throwing this msg when require_client_auth is set to false. Or at least it should be logged in TRACE not DEBUG.
> I'm working on preparing a PR.
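Pulling the two points of the thread together (the expected "no client certificate" case should be quiet, but an unexpected failure should still leave a signal), the following is an added Java sketch and not Cassandra's own code. It fetches an optional client certificate chain from a {{javax.net.ssl.SSLSession}} and treats {{SSLPeerUnverifiedException}} as the normal outcome when client authentication is not required, logging only a one-line TRACE message without the stack trace; when client authentication is required the same exception is surfaced at WARN. The class name, the {{clientAuthRequired}} flag standing in for {{require_client_auth}}, and the {{peer}} argument are assumptions of the example.

```java
import java.net.SocketAddress;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (not Cassandra code): retrieve the peer's certificate chain
 * from a TLS session when client certificates are optional, without emitting
 * a stack trace for every connection that simply did not present one.
 */
public final class OptionalClientCerts
{
    private static final Logger logger = LoggerFactory.getLogger(OptionalClientCerts.class);

    private OptionalClientCerts() {}

    /**
     * @param session            the established TLS session for the connection
     * @param clientAuthRequired hypothetical stand-in for the server's require_client_auth setting
     * @param peer               remote address, used only for log context
     * @return the peer certificate chain, or null if the peer was not authenticated
     */
    public static Certificate[] peerCertificates(SSLSession session, boolean clientAuthRequired, SocketAddress peer)
    {
        try
        {
            // Throws SSLPeerUnverifiedException when the peer's identity was not verified,
            // which is exactly what happens when the client sent no certificate.
            return session.getPeerCertificates();
        }
        catch (SSLPeerUnverifiedException e)
        {
            if (clientAuthRequired)
            {
                // Unexpected: client auth was required, yet the session has no verified peer.
                // Keep the exception so an operator can see what the TLS engine reported.
                logger.warn("No verified client certificate for peer {} although client auth is required", peer, e);
            }
            else
            {
                // Expected when client auth is optional or off: one line, no stack trace.
                // SLF4J only formats the message if TRACE is enabled, so no guard is needed.
                logger.trace("Peer {} presented no client certificate: {}", peer, e.getMessage());
            }
            return null;
        }
    }
}
```

A caller that needs the certificates for an {{IAuthenticator}} still gets them whenever the client presented a chain, so the optional-certificate path keeps working while the per-connection noise disappears from DEBUG output.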
--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org