[ https://issues.apache.org/jira/browse/CASSANDRA-18839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17793126#comment-17793126 ]
Brad Schoening edited comment on CASSANDRA-18839 at 12/5/23 5:01 AM:
---------------------------------------------------------------------
[~maxwellguo] we see these exclusively from "white hat" cyber security probes
ensuring disallowed ciphers and old SSL protocols are not functional. I'm not
sure metrics here would be very useful, although, not opposed if there is a
good use for them.

was (Author: bschoeni):
[~maxwellguo] we see these exclusively from "white hat" cyber security probes
ensuring disallowed ciphers and old SSL protocols are not functional. I'm not
sure metrics here would be very useful.

> Catch SSLHandshakeExceptions exceptions
> ---------------------------------------
>
> Key: CASSANDRA-18839
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18839
> Project: Cassandra
> Issue Type: Improvement
> Components: Messaging/Client
> Reporter: Brad Schoening
> Assignee: James Hu
> Priority: Low
> Fix For: 4.0.x, 4.1.x, 5.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When SSL connection errors occur, they tend to flood the log with stack
> traces and lack the identity of the remote client IP. Instead,
> PreV5Handlers.decode() could catch SSLHandshakeException and provide a brief,
> more informative WARN level message instead of the verbose and mostly
> unhelpful stack trace.
> I.e.,
> {code:java}
> [WARN ] [epollEventLoopGroup-5-5] cluster_id=3 ip_address=10.0.0.1 PreV5Handlers.java:261 - SSLHandshakeException in client networking with peer 10.0.0.10:9042 error:100000d7:SSL routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE
> {code}
> instead of the current ones which flood the logs:
> {code:java}
> 2023-09-12 00:00:25,368 [WARN ] [epollEventLoopGroup-5-5] cluster_id=3 ip_address=10.0.0.1 PreV5Handlers.java:261 - Unknown exception in client networking
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000d7:SSL routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:478)
>     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>     at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
>     at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
>     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>     at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: javax.net.ssl.SSLHandshakeException: error:100000d7:SSL routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE
>     at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1031)
>     at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1321)
>     at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
>     at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1346)
>     at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1389)
>     at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1387)
>     at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1294)
>     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1331)
>     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
>     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
>     ... 15 common frames omitted
> {code}
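
The handling proposed in the issue description, as an added example that is not Cassandra's code or the ticket's patch: walk the cause chain for SSLHandshakeException and emit one WARN line that names the peer. The class and method names are hypothetical, and a plain RuntimeException stands in for Netty's DecoderException so the file runs on the JDK alone.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import javax.net.ssl.SSLHandshakeException;

// Added example, not Cassandra code. HandshakeLogDemo, findCause and describe
// are hypothetical names; RuntimeException stands in for Netty's
// DecoderException.
public class HandshakeLogDemo {

    // Walk the cause chain looking for a given exception type. The depth
    // limit guards against a self-referencing cause chain.
    static <T extends Throwable> T findCause(Throwable t, Class<T> type) {
        for (int depth = 0; t != null && depth < 32; depth++, t = t.getCause()) {
            if (type.isInstance(t)) {
                return type.cast(t);
            }
        }
        return null;
    }

    // Returns the one-line WARN text for a failed TLS handshake, or null
    // when the failure is something else and the caller should keep
    // logging the full stack trace.
    static String describe(Throwable failure, SocketAddress peer) {
        SSLHandshakeException ssl = findCause(failure, SSLHandshakeException.class);
        if (ssl == null) {
            return null;
        }
        // Both values end up in a single log line; replace line breaks so
        // neither can split it.
        String who = String.valueOf(peer).replaceAll("[\\r\\n]", "_");
        String why = String.valueOf(ssl.getMessage()).replaceAll("[\\r\\n]", "_");
        return "SSLHandshakeException in client networking with peer " + who + " " + why;
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the log excerpt in the issue.
        SocketAddress peer = new InetSocketAddress("10.0.0.10", 9042);
        Throwable wrapped = new RuntimeException(new SSLHandshakeException(
                "error:100000d7:SSL routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE"));
        System.out.println("[WARN ] " + describe(wrapped, peer));
        // An unrelated failure is not summarised: describe returns null.
        System.out.println(describe(new IllegalStateException("other"), peer));
    }
}
```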