diff options
author | Simon Rettberg | 2022-11-08 09:52:13 +0100 |
---|---|---|
committer | Simon Rettberg | 2022-11-08 09:52:13 +0100 |
commit | 9b468d547f67a4f9b1d10431ba24b93e2fb3d9b3 (patch) | |
tree | 69d01a89cc4f19d8fe333386b12542d6dbeef92d | |
parent | [thrift] Add vmSizeLimit to satellite config (diff) | |
download | master-sync-shared-9b468d547f67a4f9b1d10431ba24b93e2fb3d9b3.tar.gz master-sync-shared-9b468d547f67a4f9b1d10431ba24b93e2fb3d9b3.tar.xz master-sync-shared-9b468d547f67a4f9b1d10431ba24b93e2fb3d9b3.zip |
[thrift] Ignore certain SSL and connection errors
Bogus data from port scans/probes results in stack trace spam since the
data obviously cannot properly be parsed as an SSL handshake. Ignore the
most typical of those exceptions, while keeping more specific ones, e.g.
about mismatch regarding ciphers/TLS version in place.
-rw-r--r-- | src/main/java/org/openslx/filetransfer/Listener.java | 6 | ||||
-rw-r--r-- | src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java | 49 |
2 files changed, 40 insertions, 15 deletions
diff --git a/src/main/java/org/openslx/filetransfer/Listener.java b/src/main/java/org/openslx/filetransfer/Listener.java index 92a26cd..0d5921a 100644 --- a/src/main/java/org/openslx/filetransfer/Listener.java +++ b/src/main/java/org/openslx/filetransfer/Listener.java @@ -138,7 +138,11 @@ public class Listener Transfer.safeClose( connection ); } } catch ( Exception e ) { - log.warn( "Error accepting client", e ); + String m = e.getMessage(); + if ( !m.contains( "Remote host terminated the handshake" ) + && !m.contains( "Unsupported or unrecognized SSL message" ) ) { + log.warn( "Error accepting client", e ); + } Transfer.safeClose( connection ); } } diff --git a/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java b/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java index b0b7486..df526e3 100644 --- a/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java +++ b/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java @@ -1,7 +1,9 @@ package org.openslx.thrifthelper; -import java.io.UnsupportedEncodingException; import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; + +import javax.net.ssl.SSLException; import org.apache.thrift.TException; import org.apache.thrift.protocol.TBinaryProtocol; @@ -10,6 +12,7 @@ import org.apache.thrift.protocol.TProtocol; import org.apache.thrift.protocol.TProtocolException; import org.apache.thrift.protocol.TProtocolFactory; import org.apache.thrift.transport.TTransport; +import org.apache.thrift.transport.TTransportException; /** * Binary protocol implementation for thrift. @@ -61,18 +64,38 @@ public class TBinaryProtocolSafe extends TBinaryProtocol public TBinaryProtocolSafe(TTransport trans, boolean strictRead, boolean strictWrite) { - super( trans ); - strictRead_ = strictRead; - strictWrite_ = strictWrite; + super( trans, maxLen, maxLen, strictRead, strictWrite ); } - /** + /* * Reading methods. */ - + + @Override public TMessage readMessageBegin() throws TException { - int size = readI32(); + int size; + try { + size = readI32(); + } catch ( TTransportException e ) { + // Do this to suppress certain SSL handshake errors that result from port scanning and service probing + if ( e.getCause() instanceof SSLException ) { + String m = e.getCause().getMessage(); + // We still want SSL errors that help diagnosing more specific SSL errors that relate to actual + // SSL handshake attempts, like incompatible TLS versions or ciphers. + if ( m.contains( "Remote host terminated the handshake" ) + || m.contains( "Unsupported or unrecognized SSL message" ) ) { + // Fake an END_OF_FILE exception, as the logException() method in the server class will + // ignore there. Let's hope it will stay ignored in the future. + throw new TTransportException( TTransportException.END_OF_FILE ); + } + } else if ( e.getMessage().contains( "larger than max length" ) ) { + // Also fake, since this one prints a whole stack trace compared to the other + // message by AbstractNonblockingServer + throw new TTransportException( TTransportException.END_OF_FILE ); + } + throw e; + } if ( size > maxLen ) throw new TProtocolException( TProtocolException.SIZE_LIMIT, "Payload too big." ); if ( size < 0 ) { @@ -89,24 +112,22 @@ public class TBinaryProtocolSafe extends TBinaryProtocol } } + @Override public String readString() throws TException { int size = readI32(); if ( size > maxLen ) throw new TProtocolException( TProtocolException.SIZE_LIMIT, "Payload too big." ); if ( trans_.getBytesRemainingInBuffer() >= size ) { - try { - String s = new String( trans_.getBuffer(), trans_.getBufferPosition(), size, "UTF-8" ); - trans_.consumeBuffer( size ); - return s; - } catch ( UnsupportedEncodingException e ) { - throw new TException( "JVM DOES NOT SUPPORT UTF-8" ); - } + String s = new String( trans_.getBuffer(), trans_.getBufferPosition(), size, StandardCharsets.UTF_8 ); + trans_.consumeBuffer( size ); + return s; } return readStringBody( size ); } + @Override public ByteBuffer readBinary() throws TException { int size = readI32(); |