authorSimon Rettberg2022-11-08 09:52:13 +0100
committerSimon Rettberg2022-11-08 09:52:13 +0100
commit9b468d547f67a4f9b1d10431ba24b93e2fb3d9b3 (patch)
tree69d01a89cc4f19d8fe333386b12542d6dbeef92d
parent[thrift] Add vmSizeLimit to satellite config (diff)
[thrift] Ignore certain SSL and connection errors
Bogus data from port scans/probes results in stack trace spam, since the data obviously cannot be parsed as an SSL handshake. Ignore the most typical of those exceptions while keeping the more specific ones in place, e.g. those about mismatched ciphers or TLS versions.
-rw-r--r--src/main/java/org/openslx/filetransfer/Listener.java6
-rw-r--r--src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java49
2 files changed, 40 insertions, 15 deletions
diff --git a/src/main/java/org/openslx/filetransfer/Listener.java b/src/main/java/org/openslx/filetransfer/Listener.java
index 92a26cd..0d5921a 100644
--- a/src/main/java/org/openslx/filetransfer/Listener.java
+++ b/src/main/java/org/openslx/filetransfer/Listener.java
@@ -138,7 +138,11 @@ public class Listener
Transfer.safeClose( connection );
}
} catch ( Exception e ) {
- log.warn( "Error accepting client", e );
+ String m = e.getMessage();
+ if ( !m.contains( "Remote host terminated the handshake" )
+ && !m.contains( "Unsupported or unrecognized SSL message" ) ) {
+ log.warn( "Error accepting client", e );
+ }
Transfer.safeClose( connection );
}
}
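Review bot: `m` on the new line `String m = e.getMessage();` can be null — plenty of exceptions that reach a `catch ( Exception e )` carry no message — and `m.contains( ... )` then throws a NullPointerException out of the catch block, which skips `Transfer.safeClose( connection )` and propagates into whatever encloses the accept loop. Guard it: `if ( m == null || ( !m.contains( "Remote host terminated the handshake" ) && !m.contains( "Unsupported or unrecognized SSL message" ) ) ) {` so unknown errors stay logged and the socket is always closed. Matching JDK-internal message text is also brittle across Java versions and applies here to any exception type, so narrowing the filter to cases where `e` (or its cause) is an `SSLException` would avoid silencing unrelated failures whose message happens to contain these words. The enclosing method begins before this hunk.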
diff --git a/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java b/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java
index b0b7486..df526e3 100644
--- a/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java
+++ b/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java
@@ -1,7 +1,9 @@
package org.openslx.thrifthelper;
-import java.io.UnsupportedEncodingException;
import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
+import javax.net.ssl.SSLException;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TBinaryProtocol;
@@ -10,6 +12,7 @@ import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.protocol.TProtocolException;
import org.apache.thrift.protocol.TProtocolFactory;
import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
/**
* Binary protocol implementation for thrift.
@@ -61,18 +64,38 @@ public class TBinaryProtocolSafe extends TBinaryProtocol
public TBinaryProtocolSafe(TTransport trans, boolean strictRead, boolean strictWrite)
{
- super( trans );
- strictRead_ = strictRead;
- strictWrite_ = strictWrite;
+ super( trans, maxLen, maxLen, strictRead, strictWrite );
}
- /**
+ /*
* Reading methods.
*/
-
+
+ @Override
public TMessage readMessageBegin() throws TException
{
- int size = readI32();
+ int size;
+ try {
+ size = readI32();
+ } catch ( TTransportException e ) {
+ // Do this to suppress certain SSL handshake errors that result from port scanning and service probing
+ if ( e.getCause() instanceof SSLException ) {
+ String m = e.getCause().getMessage();
+ // We still want SSL errors that help diagnosing more specific SSL errors that relate to actual
+ // SSL handshake attempts, like incompatible TLS versions or ciphers.
+ if ( m.contains( "Remote host terminated the handshake" )
+ || m.contains( "Unsupported or unrecognized SSL message" ) ) {
+ // Fake an END_OF_FILE exception, as the logException() method in the server class will
+ // ignore there. Let's hope it will stay ignored in the future.
+ throw new TTransportException( TTransportException.END_OF_FILE );
+ }
+ } else if ( e.getMessage().contains( "larger than max length" ) ) {
+ // Also fake, since this one prints a whole stack trace compared to the other
+ // message by AbstractNonblockingServer
+ throw new TTransportException( TTransportException.END_OF_FILE );
+ }
+ throw e;
+ }
if ( size > maxLen )
throw new TProtocolException( TProtocolException.SIZE_LIMIT, "Payload too big." );
if ( size < 0 ) {
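Review bot: The message lookups in the new catch block are not null-safe: `e.getCause().getMessage()` for an SSLException and `e.getMessage()` on the `else if` branch can both be null (a TTransportException built from a type code alone, as this very block throws, typically has no message), so the filter would itself throw a NullPointerException and hide the original transport error. Use `String m = String.valueOf( e.getCause().getMessage() );` and `} else if ( e.getMessage() != null && e.getMessage().contains( "larger than max length" ) ) {`. Rethrowing a bare `new TTransportException( TTransportException.END_OF_FILE )` also drops the cause, so oversize-frame attempts and the peer's actual behaviour become invisible; consider passing `e` as the cause and emitting a rate-limited debug log or a counter so probing activity stays observable for detection even though the stack trace is suppressed.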
@@ -89,24 +112,22 @@ public class TBinaryProtocolSafe extends TBinaryProtocol
}
}
+ @Override
public String readString() throws TException
{
int size = readI32();
if ( size > maxLen )
throw new TProtocolException( TProtocolException.SIZE_LIMIT, "Payload too big." );
if ( trans_.getBytesRemainingInBuffer() >= size ) {
- try {
- String s = new String( trans_.getBuffer(), trans_.getBufferPosition(), size, "UTF-8" );
- trans_.consumeBuffer( size );
- return s;
- } catch ( UnsupportedEncodingException e ) {
- throw new TException( "JVM DOES NOT SUPPORT UTF-8" );
- }
+ String s = new String( trans_.getBuffer(), trans_.getBufferPosition(), size, StandardCharsets.UTF_8 );
+ trans_.consumeBuffer( size );
+ return s;
}
return readStringBody( size );
}
+ @Override
public ByteBuffer readBinary() throws TException
{
int size = readI32();
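Review bot: `readString` checks `size > maxLen` but not `size < 0`, so a negative length from a hostile or garbled frame passes the `getBytesRemainingInBuffer() >= size` test and reaches the new `new String( trans_.getBuffer(), trans_.getBufferPosition(), size, StandardCharsets.UTF_8 )`, which throws an unchecked StringIndexOutOfBoundsException rather than a TException — the same kind of stack-trace spam this commit is trying to remove. Add `if ( size < 0 ) throw new TProtocolException( TProtocolException.NEGATIVE_SIZE, "Negative string length." );` directly after the `maxLen` check, mirroring the `size < 0` handling in `readMessageBegin`. `readBinary` presumably needs the same guard; its body continues past the end of this hunk.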