Netty warning when consuming TLS transport Finagle server with HTTP · twitter/finagle#700

(20 comments) (1 reaction) (0 assignees)Scala (8,864 stars) (1,435 forks)batch import

help wanted

Description

Finagle version: 18.6.0

Netty creates a log with level 'warn' when trying to consume a TLS server with HTTP. This can't be disabled and generates a lot of info that can potentially flood application logs in some cases.

Expected behavior

This should be handled by Finagle since the service is configured using TLS, or at least configurable when creating a Finagle server with TLS transport.

Actual behavior

When a TLS server is called using HTTP, netty logs:

Jun 19, 2018 3:01:43 PM com.twitter.finagle.netty4.channel.ChannelStatsHandler exceptionCaught
WARNING: ChannelStatsHandler caught an exception
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: ...
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at com.twitter.finagle.util.BlockingTimeTrackingThreadFactory$$anon$1.run(BlockingTimeTrackingThreadFactory.scala:23)
	at java.lang.Thread.run(Thread.java:748)
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: ...
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1106)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
	... 18 more

Steps to reproduce the behavior

Create a TLS server:

val httpService: Service[Request, Response] = ...
val sslContext = ...

val server = Http.Server().withTransport.tls(sslContext)

server.serve("localhost:8080", httpService)

Curl it with http: curl http://localhost:8080

Contributor guide

Tech stack: scalajava
Domain: backendsecurity
Issue type: bug
Difficulty: 3
Estimated time: 1-2 days
Activity status: stale
Clarity: clear
Prerequisites: Familiarity with Finagle and NettyUnderstanding of TLS/SSL
Newbie friendliness: 40
Research direction: Investigate ChannelStatsHandler and SslHandler in finagle netty4. Consider adding a configuration option to suppress or downgrade the Netty warning when non TLS traffic hits a TLS server. Look at how other exceptions are handled in ChannelStatsHandler.exceptionCaught. There are 20 comments; some may discuss a solution. No linked PRs.