Suppress netty logs in strato and add serviceidentifier metrics for failed tls handshakes

Seeing a spike in ssl log errors in strato at the moment due to cert rotation upgrade: https://phabricator.twitter.biz/D1264535

Suppress the pkix logs for strato and add serviceidentifier metrics for failed clients so we can identify clients that are failing tls handshakes

example: sd.tss-staging.staging.test-server.0:https/tls/ssl_exn/twtr:svc:tss-service:admin-service:staging:atla

Differential Revision: https://phabricator.twitter.biz/D1299159

Author: Sai Avala

finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/server/Netty4ServerSslChannelInitializer.scala

@@ -1,16 +1,19 @@
 package com.twitter.finagle.netty4.ssl.server
 
-import com.twitter.finagle.netty4.ssl.{Alpn, Netty4SslHandler}
+import com.twitter.finagle.netty4.ssl.Alpn
+import com.twitter.finagle.netty4.ssl.Netty4SslHandler
 import com.twitter.finagle.param.Stats
-import com.twitter.finagle.ssl.{ApplicationProtocols, Engine}
-import com.twitter.finagle.ssl.server.{
-  SslServerConfiguration,
-  SslServerEngineFactory,
-  SslServerSessionVerifier
-}
+import com.twitter.finagle.ssl.ApplicationProtocols
+import com.twitter.finagle.ssl.Engine
+import com.twitter.finagle.ssl.server.SslServerConfiguration
+import com.twitter.finagle.ssl.server.SslServerEngineFactory
+import com.twitter.finagle.ssl.server.SslServerSessionVerifier
 import com.twitter.finagle.transport.Transport
-import com.twitter.finagle.{Address, Stack}
-import io.netty.channel.{Channel, ChannelInitializer, ChannelPipeline}
+import com.twitter.finagle.Address
+import com.twitter.finagle.Stack
+import io.netty.channel.Channel
+import io.netty.channel.ChannelInitializer
+import io.netty.channel.ChannelPipeline
 import io.netty.handler.ssl.SslHandler
 import java.net.InetSocketAddress
 
@@ -64,7 +67,13 @@ final private[finagle] class Netty4ServerSslChannelInitializer(params: Stack.Par
     config: SslServerConfiguration
   ): SslServerVerificationHandler = {
     val sessionVerifier = params[SslServerSessionVerifier.Param].verifier
-    new SslServerVerificationHandler(sslHandler, remoteAddress, config, sessionVerifier)
+    val statsReceiver = params[Stats].statsReceiver.scope("tls")
+    new SslServerVerificationHandler(
+      sslHandler,
+      remoteAddress,
+      config,
+      sessionVerifier,
+      statsReceiver)
   }
 
   private[this] def addHandlersToPipeline(

finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/server/Netty4ServerSslConfigurations.scala

@@ -90,6 +90,66 @@ private[finagle] object Netty4ServerSslConfigurations {
     Netty4SslConfigurations.unwrapTryContextBuilder(builder)
   }
 
+  /**
+   * Wraps trust credentials to inject service identifier capturing for servers.
+   * This allows us to track which clients fail SSL handshakes even when PKIX validation fails.
+   *
+   * For CertCollection (the common mTLS case), we convert it to a TrustManagerFactory and wrap it.
+   * For TrustManagerFactory, we wrap it directly.
+   * Other types pass through to preserve existing error handling.
+   */
+  private def wrapTrustCredentialsForCapture(
+    trustCredentials: com.twitter.finagle.ssl.TrustCredentials
+  ): com.twitter.finagle.ssl.TrustCredentials = {
+    import com.twitter.util.Try
+    import com.twitter.util.security.X509CertificateFile
+
+    trustCredentials match {
+      case com.twitter.finagle.ssl.TrustCredentials.TrustManagerFactory(factory) =>
+        com.twitter.finagle.ssl.TrustCredentials.TrustManagerFactory(
+          new ServiceIdentifierCapturingTrustManagerFactory(factory)
+        )
+
+      case com.twitter.finagle.ssl.TrustCredentials.CertCollection(file) =>
+        // Convert CertCollection to TrustManagerFactory, then wrap it
+        // This is the common case for mTLS servers using ca-bundle.crt
+        // We use X509CertificateFile for validation, matching Netty's behavior
+        val tmfResult = for {
+          certs <- new X509CertificateFile(file).readX509Certificates()
+          tmf <- Try {
+            val factory = javax.net.ssl.TrustManagerFactory.getInstance(
+              javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm
+            )
+            val ks = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType)
+            ks.load(null, null)
+
+            var i = 0
+            certs.foreach { cert =>
+              ks.setCertificateEntry(s"cert-$i", cert)
+              i += 1
+            }
+
+            factory.init(ks)
+            factory
+          }
+        } yield tmf
+
+        // If conversion succeeds, wrap it; otherwise pass through original to let Netty handle the error
+        tmfResult match {
+          case com.twitter.util.Return(tmf) =>
+            com.twitter.finagle.ssl.TrustCredentials.TrustManagerFactory(
+              new ServiceIdentifierCapturingTrustManagerFactory(tmf)
+            )
+          case com.twitter.util.Throw(_) =>
+            // Conversion failed (e.g., empty file, invalid format)
+            // Pass through original CertCollection to preserve existing error handling
+            trustCredentials
+        }
+
+      case other => other // Unspecified, Insecure, X509Certificates - pass through
+    }
+  }
+
   /**
    * Creates an `SslContext` based on the supplied `SslServerConfiguration`. This method uses
    * the `KeyCredentials`, `TrustCredentials`, `CipherSuites`, and `ApplicationProtocols` from the provided
@@ -98,7 +158,9 @@ private[finagle] object Netty4ServerSslConfigurations {
   def createServerContext(config: SslServerConfiguration, forceJdk: Boolean): SslContext = {
     val builder = startServerWithKey(config.keyCredentials)
     val withProvider = Netty4SslConfigurations.configureProvider(builder, forceJdk)
-    val withTrust = Netty4SslConfigurations.configureTrust(withProvider, config.trustCredentials)
+    // Wrap trust credentials to capture service identifiers during cert validation
+    val wrappedTrust = wrapTrustCredentialsForCapture(config.trustCredentials)
+    val withTrust = Netty4SslConfigurations.configureTrust(withProvider, wrappedTrust)
     val withCiphers = config.cipherSuites match {
       case CipherSuites.Enabled(s) => withTrust.ciphers(s.asJava)
       case _ => withTrust

finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/server/ServiceIdentifierCapturingTrustManager.scala

@@ -0,0 +1,116 @@
+package com.twitter.finagle.netty4.ssl.server
+
+import java.net.Socket
+import java.security.cert.X509Certificate
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.X509ExtendedTrustManager
+import javax.net.ssl.X509TrustManager
+
+/**
+ * Context for storing service identifiers extracted during SSL handshake verification.
+ * This is used to preserve the client service identifier even when certificate validation fails.
+ */
+object ServiceIdentifierContext {
+  private val threadLocal = new ThreadLocal[Option[String]]()
+
+  def set(serviceId: Option[String]): Unit = threadLocal.set(serviceId)
+  def get(): Option[String] = Option(threadLocal.get()).flatten
+  def clear(): Unit = threadLocal.remove()
+}
+
+/**
+ * A trust manager that wraps another trust manager and captures the service identifier
+ * from client certificates during verification, before validation occurs.
+ *
+ * This allows us to track which clients are failing SSL handshakes, even when their
+ * certificates fail PKIX path building validation.
+ */
+class ServiceIdentifierCapturingTrustManager(delegate: X509TrustManager)
+    extends X509ExtendedTrustManager {
+
+  /**
+   * Common logic to capture service identifier and delegate to trust manager.
+   * Called by all checkClientTrusted overloads.
+   */
+  private def captureAndVerify(chain: Array[X509Certificate])(verify: => Unit): Unit = {
+    ServiceIdentifierContext.set(ServiceIdentifierExtractor.extractServiceIdentifier(chain))
+    try {
+      verify
+    } finally {
+      // Don't clear here - let the verification handler retrieve it
+    }
+  }
+
+  // Base X509TrustManager method
+  override def checkClientTrusted(chain: Array[X509Certificate], authType: String): Unit = {
+    captureAndVerify(chain) {
+      delegate.checkClientTrusted(chain, authType)
+    }
+  }
+
+  // X509ExtendedTrustManager Socket overload
+  override def checkClientTrusted(
+    chain: Array[X509Certificate],
+    authType: String,
+    socket: Socket
+  ): Unit = {
+    captureAndVerify(chain) {
+      delegate match {
+        case extDelegate: X509ExtendedTrustManager =>
+          extDelegate.checkClientTrusted(chain, authType, socket)
+        case _ =>
+          delegate.checkClientTrusted(chain, authType)
+      }
+    }
+  }
+
+  // X509ExtendedTrustManager SSLEngine overload (used by Netty with OpenSSL)
+  override def checkClientTrusted(
+    chain: Array[X509Certificate],
+    authType: String,
+    engine: SSLEngine
+  ): Unit = {
+    captureAndVerify(chain) {
+      delegate match {
+        case extDelegate: X509ExtendedTrustManager =>
+          extDelegate.checkClientTrusted(chain, authType, engine)
+        case _ =>
+          delegate.checkClientTrusted(chain, authType)
+      }
+    }
+  }
+
+  // Server trust verification - we don't capture service IDs here since we're the server
+  // These methods validate outbound connections (when the server acts as a client)
+  override def checkServerTrusted(chain: Array[X509Certificate], authType: String): Unit = {
+    delegate.checkServerTrusted(chain, authType)
+  }
+
+  override def checkServerTrusted(
+    chain: Array[X509Certificate],
+    authType: String,
+    socket: Socket
+  ): Unit = {
+    delegate match {
+      case extDelegate: X509ExtendedTrustManager =>
+        extDelegate.checkServerTrusted(chain, authType, socket)
+      case _ =>
+        delegate.checkServerTrusted(chain, authType)
+    }
+  }
+
+  override def checkServerTrusted(
+    chain: Array[X509Certificate],
+    authType: String,
+    engine: SSLEngine
+  ): Unit = {
+    delegate match {
+      case extDelegate: X509ExtendedTrustManager =>
+        extDelegate.checkServerTrusted(chain, authType, engine)
+      case _ =>
+        delegate.checkServerTrusted(chain, authType)
+    }
+  }
+
+  override def getAcceptedIssuers: Array[X509Certificate] = delegate.getAcceptedIssuers
+}

finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/server/ServiceIdentifierCapturingTrustManagerFactory.scala

@@ -0,0 +1,39 @@
+package com.twitter.finagle.netty4.ssl.server
+
+import java.security.KeyStore
+import javax.net.ssl.ManagerFactoryParameters
+import javax.net.ssl.TrustManager
+import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.TrustManagerFactorySpi
+import javax.net.ssl.X509TrustManager
+
+/**
+ * A TrustManagerFactory that wraps another factory and injects ServiceIdentifierCapturingTrustManager
+ * to capture service identifiers during certificate verification.
+ */
+class ServiceIdentifierCapturingTrustManagerFactory(delegate: TrustManagerFactory)
+    extends TrustManagerFactory(
+      new ServiceIdentifierCapturingTrustManagerFactorySpi(delegate),
+      delegate.getProvider,
+      delegate.getAlgorithm
+    )
+
+private class ServiceIdentifierCapturingTrustManagerFactorySpi(delegate: TrustManagerFactory)
+    extends TrustManagerFactorySpi {
+
+  override def engineInit(ks: KeyStore): Unit = {
+    delegate.init(ks)
+  }
+
+  override def engineInit(spec: ManagerFactoryParameters): Unit = {
+    delegate.init(spec)
+  }
+
+  override def engineGetTrustManagers(): Array[TrustManager] = {
+    delegate.getTrustManagers.map {
+      case x509tm: X509TrustManager =>
+        new ServiceIdentifierCapturingTrustManager(x509tm)
+      case other => other
+    }
+  }
+}

finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/server/ServiceIdentifierExtractor.scala

@@ -0,0 +1,80 @@
+package com.twitter.finagle.netty4.ssl.server
+
+import java.net.URI
+import java.security.cert.X509Certificate
+import javax.security.auth.x500.X500Principal
+import scala.util.control.NonFatal
+
+/**
+ * Utility for extracting service identifiers from X.509 certificates.
+ * Supports both SAN URI (preferred) and Common Name (CN) fallback extraction.
+ */
+object ServiceIdentifierExtractor {
+
+  // SAN type constants from X.509
+  private val SAN_URI_TYPE = 6
+  private val SAN_DNS_TYPE = 2
+
+  // Regex to match service identifier in Common Name (CN)
+  private val ServiceIdentifierRegex =
+    "^(?:twtr:svc:)?([a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+(?::[a-zA-Z0-9_-]+)?(?:\\.[a-zA-Z0-9_-]+)*)$".r
+
+  /**
+   * Extracts service identifier from an X.509 certificate chain.
+   *
+   * Extraction order:
+   * 1. SAN URI (type 6) with scheme "twtr:" (preferred per RFC 5280)
+   * 2. Common Name (CN) matching service identifier pattern
+   * 3. Non-mTLS fallback for other CN values
+   *
+   * Expected format: twtr:svc:role:service:environment:zone
+   *
+   * @param chain Array of certificates (uses first certificate)
+   * @return Optional service identifier string, or fallback value
+   */
+  def extractServiceIdentifier(chain: Array[X509Certificate]): Option[String] = {
+    if (chain == null || chain.isEmpty) {
+      return Some("no_peer_cert")
+    }
+
+    try {
+      val cert = chain(0)
+
+      // Try SAN URI first (preferred per RFC 5280)
+      val serviceIdFromSan = Option(cert.getSubjectAlternativeNames).flatMap { sans =>
+        import scala.collection.JavaConverters._
+        sans.asScala.collectFirst {
+          case list if list.size() >= 2 && list.get(0) == SAN_URI_TYPE =>
+            val uriString = list.get(1).toString
+            try {
+              val uri = new URI(uriString)
+              if (uri.getScheme == "twtr" && uri.getSchemeSpecificPart != null) {
+                Some(uriString) // Returns the full URI: twtr:svc:...
+              } else None
+            } catch {
+              case NonFatal(_) => None
+            }
+        }.flatten
+      }
+
+      serviceIdFromSan match {
+        case Some(id) => Some(id)
+        case None =>
+          // Fallback to Common Name (CN)
+          val dn = cert.getSubjectX500Principal.getName(X500Principal.RFC2253)
+          val cn = dn
+            .split(',')
+            .find(_.trim.startsWith("CN="))
+            .map(_.trim.substring(3))
+
+          cn.flatMap {
+              case id if id.startsWith("twtr:svc:") => Some(id) // Already has prefix
+              case ServiceIdentifierRegex(id) => Some(s"twtr:svc:$id") // Add prefix
+              case other => Some(s"non_mtls:${other.take(100)}")
+            }.orElse(Some(s"non_mtls:${dn.take(100)}"))
+      }
+    } catch {
+      case NonFatal(_) => Some("extraction_failed")
+    }
+  }
+}