Netty warning when consuming TLS transport Finagle server with HTTP · twitter/finagle#700

(20 评论) (1 反应) (0 负责人)Scala (8,864 star) (1,435 fork)batch import

help wanted

描述

Finagle version: 18.6.0

Netty creates a log with level 'warn' when trying to consume a TLS server with HTTP. This can't be disabled and generates a lot of info that can potentially flood application logs in some cases.

Expected behavior

This should be handled by Finagle since the service is configured using TLS, or at least configurable when creating a Finagle server with TLS transport.

Actual behavior

When a TLS server is called using HTTP, netty logs:

Jun 19, 2018 3:01:43 PM com.twitter.finagle.netty4.channel.ChannelStatsHandler exceptionCaught
WARNING: ChannelStatsHandler caught an exception
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: ...
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at com.twitter.finagle.util.BlockingTimeTrackingThreadFactory$$anon$1.run(BlockingTimeTrackingThreadFactory.scala:23)
	at java.lang.Thread.run(Thread.java:748)
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: ...
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1106)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
	... 18 more

Steps to reproduce the behavior

Create a TLS server:

val httpService: Service[Request, Response] = ...
val sslContext = ...

val server = Http.Server().withTransport.tls(sslContext)

server.serve("localhost:8080", httpService)

Curl it with http: curl http://localhost:8080

贡献者指南

技术栈: scalajava
领域: backendsecurity
议题类型: bug
难度: 3
预计时间: 1-2 days
活动状态: stale
清晰度: clear
前置要求: Familiarity with Finagle and NettyUnderstanding of TLS/SSL
新手友好度: 40
研究方向: Investigate ChannelStatsHandler and SslHandler in finagle netty4. Consider adding a configuration option to suppress or downgrade the Netty warning when non TLS traffic hits a TLS server. Look at how other exceptions are handled in ChannelStatsHandler.exceptionCaught. There are 20 comments; some may discuss a solution. No linked PRs.