Netty warning when consuming TLS transport Finagle server with HTTP · twitter/finagle#700

(20 留言) (1 反應) (0 負責人)Scala (8,864 star) (1,435 fork)batch import

help wanted

描述

Finagle version: 18.6.0

Netty creates a log with level 'warn' when trying to consume a TLS server with HTTP. This can't be disabled and generates a lot of info that can potentially flood application logs in some cases.

Expected behavior

This should be handled by Finagle since the service is configured using TLS, or at least configurable when creating a Finagle server with TLS transport.

Actual behavior

When a TLS server is called using HTTP, netty logs:

Jun 19, 2018 3:01:43 PM com.twitter.finagle.netty4.channel.ChannelStatsHandler exceptionCaught
WARNING: ChannelStatsHandler caught an exception
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: ...
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at com.twitter.finagle.util.BlockingTimeTrackingThreadFactory$$anon$1.run(BlockingTimeTrackingThreadFactory.scala:23)
	at java.lang.Thread.run(Thread.java:748)
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: ...
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1106)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
	... 18 more

Steps to reproduce the behavior

Create a TLS server:

val httpService: Service[Request, Response] = ...
val sslContext = ...

val server = Http.Server().withTransport.tls(sslContext)

server.serve("localhost:8080", httpService)

Curl it with http: curl http://localhost:8080

貢獻者指南

技術棧: scalajava
領域: backendsecurity
議題類型: bug
難度: 3
預計時間: 1-2 days
活動狀態: stale
清晰度: clear
前置要求: Familiarity with Finagle and NettyUnderstanding of TLS/SSL
新手友善度: 40
研究方向: Investigate ChannelStatsHandler and SslHandler in finagle netty4. Consider adding a configuration option to suppress or downgrade the Netty warning when non TLS traffic hits a TLS server. Look at how other exceptions are handled in ChannelStatsHandler.exceptionCaught. There are 20 comments; some may discuss a solution. No linked PRs.