[jira] [Commented] (CASSANDRA-18839) Catch SSLHandshakeExceptions exceptions

Mon, 20 Nov 2023 16:46:04 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-18839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17788200#comment-17788200
 ] 

Brad Schoening commented on CASSANDRA-18839:
--------------------------------------------

[~jameshu15869] looks about right. Have you been able to test it? If you 
connect with an invalid certificate or obsolete SSL/Cypher  it should log the 
error.

openssl s_client maybe one way to test the handshake with maybe trying 
_-tls1_1._

> Catch SSLHandshakeExceptions exceptions
> ---------------------------------------
>
>                 Key: CASSANDRA-18839
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18839
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Messaging/Client
>            Reporter: Brad Schoening
>            Assignee: James Hu
>            Priority: Low
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When SSL connection errors occur, they tend to flood the log with stack 
> traces and lack the identity of the remote client IP.  Instead, 
> PreV5Handlers.decode() could catch SSLHandshakeException and provide a brief, 
> more informative WARN level message instead of the verbose and mostly 
> unhelpful stack trace.
> I.e., 
> {code:java}
> [WARN ] [epollEventLoopGroup-5-5] cluster_id=3 ip_address=10.0.0.1  
> PreV5Handlers.java:261 - SSLHandshakeException in client networking with peer 
> 10.0.0.10:9042 error:100000d7:SSL 
> routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE {code}
> instead of the current ones which flood the logs:
> {code:java}
> 2023-09-12 00:00:25,368 [WARN ] [epollEventLoopGroup-5-5] cluster_id=3 
> ip_address=10.0.0.1  PreV5Handlers.java:261 - Unknown exception in client 
> networking
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: 
> error:100000d7:SSL routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:478)
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>     at 
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>     at 
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>     at 
> io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
>     at 
> io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
>     at 
> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>     at 
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at 
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>     at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: javax.net.ssl.SSLHandshakeException: error:100000d7:SSL 
> routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1031)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1321)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1346)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1389)
>     at 
> io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1387)
>     at 
> io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1294)
>     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1331)
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
>     ... 15 common frames omitted {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to