[jira] [Commented] (CASSANDRA-18839) Catch SSLHandshakeExceptions exceptions

Mon, 20 Nov 2023 11:31:06 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-18839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17788140#comment-17788140
 ] 

Brad Schoening commented on CASSANDRA-18839:
--------------------------------------------

[~jameshu15869] This section of the code has changed somewhat from 4.0.x to 
trunk. 

The exception occurs on line 261 of PreV5Handlers.java in exceptionCaught() in 
the stack trace above, and has been moved to  
ExceptionHandlers.logClientNetworkingExceptions in trunk (5.x) which has added 
several new instanceof checks. These are done so as to 'not spam the logs once 
a bad client shows up' which is exactly the same issue I've seen with the SSL 
errors.

So, using instanceof is correct here. Note that it might work best to handle 
the parent SSLException, as these SSL exceptions don't benefit from having a 
stack trace printed.

 

> Catch SSLHandshakeExceptions exceptions
> ---------------------------------------
>
>                 Key: CASSANDRA-18839
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18839
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Messaging/Client
>            Reporter: Brad Schoening
>            Priority: Low
>
> When SSL connection errors occur, they tend to flood the log with stack 
> traces and lack the identity of the remote client IP.  Instead, 
> PreV5Handlers.decode() could catch SSLHandshakeException and provide a brief, 
> more informative WARN level message instead of the verbose and mostly 
> unhelpful stack trace.
> I.e., 
> {code:java}
> [WARN ] [epollEventLoopGroup-5-5] cluster_id=3 ip_address=10.0.0.1  
> PreV5Handlers.java:261 - SSLHandshakeException in client networking with peer 
> 10.0.0.10:9042 error:100000d7:SSL 
> routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE {code}
> instead of the current ones which flood the logs:
> {code:java}
> 2023-09-12 00:00:25,368 [WARN ] [epollEventLoopGroup-5-5] cluster_id=3 
> ip_address=10.0.0.1  PreV5Handlers.java:261 - Unknown exception in client 
> networking
> io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: 
> error:100000d7:SSL routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:478)
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>     at 
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>     at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>     at 
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>     at 
> io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
>     at 
> io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480)
>     at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
>     at 
> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>     at 
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>     at 
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>     at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: javax.net.ssl.SSLHandshakeException: error:100000d7:SSL 
> routines:OPENSSL_internal:SSL_HANDSHAKE_FAILURE
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1031)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1321)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1346)
>     at 
> io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1389)
>     at 
> io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
>     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1387)
>     at 
> io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1294)
>     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1331)
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
>     at 
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
>     ... 15 common frames omitted {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to