Suppress attempts to print huge and unreadable SSLHandshake exceptions

kachayev · DerGuteMoritz · commit 619cb999afb3 · 2022-07-30T20:58:00.000+02:00
diff --git a/src/aleph/http/client.clj b/src/aleph/http/client.clj
@@ -100,6 +100,21 @@
           nil))
       (no-url req))))
 
+(defn exception-handler [ctx ex response-stream]
+  (cond
+    ;; could happens when io.netty.handler.codec.http.HttpObjectAggregator
+    ;; is part of the pipeline
+    (instance? TooLongFrameException ex)
+    (s/put! response-stream ex)
+
+    ;; when SSL handshake failed
+    (http/ssl-handshake-error? ex)
+    (let [^Throwable handshake-error (.getCause ^Throwable ex)]
+      (s/put! response-stream handshake-error))
+
+    (not (instance? IOException ex))
+    (log/warn ex "error in HTTP client")))
+
 (defn raw-client-handler
   [response-stream buffer-capacity]
   (let [stream (atom nil)
@@ -117,8 +132,7 @@
 
       :exception-caught
       ([_ ctx ex]
-        (when-not (instance? IOException ex)
-          (log/warn ex "error in HTTP client")))
+        (exception-handler ctx ex response-stream))
 
       :channel-inactive
       ([_ ctx]
@@ -169,14 +183,7 @@
 
       :exception-caught
       ([_ ctx ex]
-        (cond
-          ; could happens when io.netty.handler.codec.http.HttpObjectAggregator
-          ; is part of the pipeline
-          (instance? TooLongFrameException ex)
-          (s/put! response-stream ex)
-
-          (not (instance? IOException ex))
-          (log/warn ex "error in HTTP client")))
+        (exception-handler ctx ex response-stream))
 
       :channel-inactive
       ([_ ctx]
diff --git a/src/aleph/http/core.clj b/src/aleph/http/core.clj
@@ -23,6 +23,7 @@
      ByteBuf]
     [java.nio
      ByteBuffer]
+    [io.netty.handler.codec DecoderException]
     [io.netty.handler.codec.http
      DefaultHttpRequest DefaultLastHttpContent
      DefaultHttpResponse DefaultFullHttpRequest
@@ -61,7 +62,8 @@
      ConcurrentLinkedQueue
      TimeUnit]
     [java.util.concurrent.atomic
-     AtomicBoolean]))
+     AtomicBoolean]
+    [javax.net.ssl SSLHandshakeException]))
 
 (def non-standard-keys
   (let [ks ["Content-MD5"
@@ -682,3 +684,7 @@
              (when (and (identical? ::ping-timeout v)
                         (.isOpen ^Channel (.channel ctx)))
                (netty/close ctx))))))))
+
+(defn ssl-handshake-error? [^Throwable ex]
+  (and (instance? DecoderException ex)
+       (instance? SSLHandshakeException (.getCause ex))))
diff --git a/src/aleph/http/server.clj b/src/aleph/http/server.clj
@@ -209,7 +209,13 @@
                                        (invalid-value-response req rsp))))))))))))
 
 (defn exception-handler [ctx ex]
-  (when-not (instance? IOException ex)
+  (cond
+    ;; do not need to log an entire stack trace when SSL handshake failed
+    (http/ssl-handshake-error? ex)
+    (log/warn "SSL handshake failure:"
+              (.getMessage ^Throwable (.getCause ^Throwable ex)))
+
+    (not (instance? IOException ex))
     (log/warn ex "error in HTTP server")))
 
 (defn invalid-request? [^HttpRequest req]
