From 9b468d547f67a4f9b1d10431ba24b93e2fb3d9b3 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 8 Nov 2022 09:52:13 +0100
Subject: [thrift] Ignore certain SSL and connection errors

Bogus data from port scans/probes results in stack trace spam since the data obviously cannot properly be parsed as an SSL handshake. Ignore the most typical of those exceptions, while keeping more specific ones, e.g. about mismatch regarding ciphers/TLS version in place.
---
 .../java/org/openslx/filetransfer/Listener.java | 6 ++-
 .../openslx/thrifthelper/TBinaryProtocolSafe.java | 49 +++++++++++++++-------
 2 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/openslx/filetransfer/Listener.java b/src/main/java/org/openslx/filetransfer/Listener.java
index 92a26cd..0d5921a 100644
--- a/src/main/java/org/openslx/filetransfer/Listener.java
+++ b/src/main/java/org/openslx/filetransfer/Listener.java
@@ -138,7 +138,11 @@ public class Listener
 					Transfer.safeClose( connection );
 				}
 			} catch ( Exception e ) {
-				log.warn( "Error accepting client", e );
+				String m = e.getMessage();
+				if ( !m.contains( "Remote host terminated the handshake" )
+						&& !m.contains( "Unsupported or unrecognized SSL message" ) ) {
+					log.warn( "Error accepting client", e );
+				}
 				Transfer.safeClose( connection );
 			}
 		}
diff --git a/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java b/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java
index b0b7486..df526e3 100644
--- a/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java
+++ b/src/main/java/org/openslx/thrifthelper/TBinaryProtocolSafe.java
@@ -1,7 +1,9 @@
 package org.openslx.thrifthelper;
 
-import java.io.UnsupportedEncodingException;
 import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+
+import javax.net.ssl.SSLException;
 
 import org.apache.thrift.TException;
 import org.apache.thrift.protocol.TBinaryProtocol;
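Review bot: `e.getMessage()` can be null (many exception types are thrown without a message), so `m.contains( ... )` in the new catch block can itself raise a NullPointerException from inside the handler, which skips the following `Transfer.safeClose( connection )` and leaks the accepted socket. Guard the null case while keeping logging as the default: `String m = String.valueOf( e.getMessage() );`, or `if ( m == null || ( !m.contains( "Remote host terminated the handshake" ) && !m.contains( "Unsupported or unrecognized SSL message" ) ) )`. Since the suppressed cases are exactly the fingerprint of scans and probes, consider still emitting them at debug level without the stack trace so they remain countable in the logs. The enclosing accept loop starts and ends outside the hunk.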
@@ -10,6 +12,7 @@ import org.apache.thrift.protocol.TProtocol;
 import org.apache.thrift.protocol.TProtocolException;
 import org.apache.thrift.protocol.TProtocolFactory;
 import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
 
 /**
  * Binary protocol implementation for thrift.
@@ -61,18 +64,38 @@ public class TBinaryProtocolSafe extends TBinaryProtocol
 	public TBinaryProtocolSafe(TTransport trans, boolean strictRead, boolean strictWrite)
 	{
-		super( trans );
-		strictRead_ = strictRead;
-		strictWrite_ = strictWrite;
+		super( trans, maxLen, maxLen, strictRead, strictWrite );
 	}
 
-	/**
+	/*
 	 * Reading methods.
 	 */
-
+
+	@Override
 	public TMessage readMessageBegin() throws TException
 	{
-		int size = readI32();
+		int size;
+		try {
+			size = readI32();
+		} catch ( TTransportException e ) {
+			// Do this to suppress certain SSL handshake errors that result from port scanning and service probing
+			if ( e.getCause() instanceof SSLException ) {
+				String m = e.getCause().getMessage();
+				// We still want SSL errors that help diagnosing more specific SSL errors that relate to actual
+				// SSL handshake attempts, like incompatible TLS versions or ciphers.
+				if ( m.contains( "Remote host terminated the handshake" )
+						|| m.contains( "Unsupported or unrecognized SSL message" ) ) {
+					// Fake an END_OF_FILE exception, as the logException() method in the server class will
+					// ignore there. Let's hope it will stay ignored in the future.
+					throw new TTransportException( TTransportException.END_OF_FILE );
+				}
+			} else if ( e.getMessage().contains( "larger than max length" ) ) {
+				// Also fake, since this one prints a whole stack trace compared to the other
+				// message by AbstractNonblockingServer
+				throw new TTransportException( TTransportException.END_OF_FILE );
+			}
+			throw e;
+		}
 		if ( size > maxLen )
 			throw new TProtocolException( TProtocolException.SIZE_LIMIT, "Payload too big." );
 		if ( size < 0 ) {
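Review bot: The `else if ( e.getMessage().contains( "larger than max length" ) )` branch in readMessageBegin dereferences a message that may be null: a `TTransportException` built from a type code only, such as the END_OF_FILE one this very block constructs, carries no message, so a plain end-of-stream from the transport would surface as a NullPointerException instead of being rethrown by `throw e`. The same applies to `e.getCause().getMessage()` in the SSLException branch. Guard both sites: `String m = e.getCause().getMessage(); if ( m != null && ( m.contains( "Remote host terminated the handshake" ) || m.contains( "Unsupported or unrecognized SSL message" ) ) )` and `} else if ( e.getMessage() != null && e.getMessage().contains( "larger than max length" ) ) {`. Matching on JDK exception text is fragile across runtime versions, so a comment recording which JDK the two strings were taken from would help whoever has to re-verify them. readMessageBegin continues past the end of the hunk.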
@@ -89,24 +112,22 @@ public class TBinaryProtocolSafe extends TBinaryProtocol
 		}
 	}
 
+	@Override
 	public String readString() throws TException
 	{
 		int size = readI32();
 		if ( size > maxLen )
 			throw new TProtocolException( TProtocolException.SIZE_LIMIT, "Payload too big." );
 		if ( trans_.getBytesRemainingInBuffer() >= size ) {
-			try {
-				String s = new String( trans_.getBuffer(), trans_.getBufferPosition(), size, "UTF-8" );
-				trans_.consumeBuffer( size );
-				return s;
-			} catch ( UnsupportedEncodingException e ) {
-				throw new TException( "JVM DOES NOT SUPPORT UTF-8" );
-			}
+			String s = new String( trans_.getBuffer(), trans_.getBufferPosition(), size, StandardCharsets.UTF_8 );
+			trans_.consumeBuffer( size );
+			return s;
 		}
 		return readStringBody( size );
 	}
 
+	@Override
 	public ByteBuffer readBinary() throws TException
 	{
 		int size = readI32();
-- 
cgit v1.2.3-55-g7522
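Review bot: readString() rejects `size > maxLen` but never `size < 0`; a negative length trivially satisfies `trans_.getBytesRemainingInBuffer() >= size` and reaches `new String( ..., size, StandardCharsets.UTF_8 )`, which fails with an unchecked StringIndexOutOfBoundsException rather than the TProtocolException callers of this protocol expect. Since the commit message frames this class as the barrier against malformed probe data, add the check before the buffer fast path: `if ( size < 0 ) throw new TProtocolException( TProtocolException.NEGATIVE_SIZE, "Negative length." );`. The same consideration presumably applies to readBinary(), whose body continues outside the hunk.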