Example 1 with SslCloseCompletionEvent
use of io.netty.handler.ssl.SslCloseCompletionEvent in project zuul by Netflix.
the class SslHandshakeInfoHandler method userEventTriggered.
@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
if (evt instanceof SslHandshakeCompletionEvent) {
try {
SslHandshakeCompletionEvent sslEvent = (SslHandshakeCompletionEvent) evt;
if (sslEvent.isSuccess()) {
CurrentPassport.fromChannel(ctx.channel()).add(PassportState.SERVER_CH_SSL_HANDSHAKE_COMPLETE);
SslHandler sslhandler = ctx.channel().pipeline().get(SslHandler.class);
SSLSession session = sslhandler.engine().getSession();
ClientAuth clientAuth = whichClientAuthEnum(sslhandler);
Certificate serverCert = null;
X509Certificate peerCert = null;
if ((clientAuth == ClientAuth.REQUIRE || clientAuth == ClientAuth.OPTIONAL) && session.getPeerCertificates() != null && session.getPeerCertificates().length > 0) {
peerCert = (X509Certificate) session.getPeerCertificates()[0];
}
if (session.getLocalCertificates() != null && session.getLocalCertificates().length > 0) {
serverCert = session.getLocalCertificates()[0];
}
SslHandshakeInfo info = new SslHandshakeInfo(isSSlFromIntermediary, session.getProtocol(), session.getCipherSuite(), clientAuth, serverCert, peerCert);
ctx.channel().attr(ATTR_SSL_INFO).set(info);
// Metrics.
incrementCounters(sslEvent, info);
logger.debug("Successful SSL Handshake: {}", info);
} else {
String clientIP = ctx.channel().attr(SourceAddressChannelHandler.ATTR_SOURCE_ADDRESS).get();
Throwable cause = sslEvent.cause();
PassportState passportState = CurrentPassport.fromChannel(ctx.channel()).getState();
if (cause instanceof ClosedChannelException && (PassportState.SERVER_CH_INACTIVE.equals(passportState) || PassportState.SERVER_CH_IDLE_TIMEOUT.equals(passportState))) {
// Either client closed the connection without/before having completed a handshake, or
// the connection idle timed-out before handshake.
// NOTE: we were seeing a lot of these in prod and can repro by just telnetting to port and then closing terminal
// without sending anything.
// So don't treat these as SSL handshake failures.
logger.debug("Client closed connection or it idle timed-out without doing an ssl handshake. " + ", client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()));
} else if (cause instanceof SSLException && cause.getMessage().contains("handshake timed out")) {
logger.debug("Client timed-out doing the ssl handshake. " + ", client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()));
} else if (cause instanceof SSLException && cause.getMessage().contains("failure when writing TLS control frames")) {
// This can happen if the ClientHello is sent followed by a RST packet, before we can respond.
logger.debug("Client terminated handshake early." + ", client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()));
} else {
String msg = "Unsuccessful SSL Handshake: " + sslEvent + ", client_ip = " + clientIP + ", channel_info = " + ChannelUtils.channelInfoForLogging(ctx.channel()) + ", error = " + cause;
if (cause instanceof ClosedChannelException) {
logger.debug(msg);
} else {
logger.debug(msg, cause);
}
incrementCounters(sslEvent, null);
}
}
} catch (Throwable e) {
logger.warn("Error getting the SSL handshake info.", e);
} finally {
// Now remove this handler from the pipeline as no longer needed once the ssl handshake has completed.
ctx.pipeline().remove(this);
}
} else if (evt instanceof SslCloseCompletionEvent) {
// TODO - increment a separate metric for this event?
} else if (evt instanceof SniCompletionEvent) {
logger.debug("SNI Parsing Complete: {}", evt);
SniCompletionEvent sniCompletionEvent = (SniCompletionEvent) evt;
if (sniCompletionEvent.isSuccess()) {
spectatorRegistry.counter("zuul.sni.parse.success").increment();
} else {
Throwable cause = sniCompletionEvent.cause();
spectatorRegistry.counter("zuul.sni.parse.failure", "cause", cause != null ? cause.getMessage() : "UNKNOWN").increment();
}
}
super.userEventTriggered(ctx, evt);
}
Also used :
ClosedChannelException(java.nio.channels.ClosedChannelException)
SslHandshakeCompletionEvent(io.netty.handler.ssl.SslHandshakeCompletionEvent)
SniCompletionEvent(io.netty.handler.ssl.SniCompletionEvent)
SSLSession(javax.net.ssl.SSLSession)
ClientAuth(io.netty.handler.ssl.ClientAuth)
SSLException(javax.net.ssl.SSLException)
SslHandler(io.netty.handler.ssl.SslHandler)
X509Certificate(java.security.cert.X509Certificate)
PassportState(com.netflix.zuul.passport.PassportState)
SslHandshakeInfo(com.netflix.netty.common.ssl.SslHandshakeInfo)
SslCloseCompletionEvent(io.netty.handler.ssl.SslCloseCompletionEvent)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Example 2 with SslCloseCompletionEvent
use of io.netty.handler.ssl.SslCloseCompletionEvent in project web3sdk by FISCO-BCOS.
the class ChannelHandler method userEventTriggered.
@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
String host = ((SocketChannel) ctx.channel()).remoteAddress().getAddress().getHostAddress();
Integer port = ((SocketChannel) ctx.channel()).remoteAddress().getPort();
if (evt instanceof IdleStateEvent) {
IdleStateEvent e = (IdleStateEvent) evt;
switch(e.state()) {
case READER_IDLE:
case WRITER_IDLE:
case ALL_IDLE:
logger.error(" idle state event:{} connect{}:{} long time Inactive,disconnect", e.state(), host, port);
channelInactive(ctx);
ctx.disconnect();
ctx.close();
break;
default:
break;
}
} else if (evt instanceof SslHandshakeCompletionEvent) {
SslHandshakeCompletionEvent e = (SslHandshakeCompletionEvent) evt;
if (e.isSuccess()) {
logger.info(" handshake success, host: {}, port: {}, ctx: {}", host, port, System.identityHashCode(ctx));
ChannelHandlerContext oldCtx = connections.setAndGetNetworkConnectionByHost(host, port, ctx);
connections.getCallback().onConnect(ctx);
if (Objects.nonNull(oldCtx)) {
oldCtx.close();
oldCtx.disconnect();
logger.warn(" disconnect old connection, host: {}, port: {}, ctx: {}", host, port, System.identityHashCode(ctx));
}
} else {
logger.error(" handshake failed, host: {}, port: {}, message: {}, cause: {} ", host, port, e.cause().getMessage(), e.cause());
ctx.disconnect();
ctx.close();
}
} else if (evt instanceof SslCloseCompletionEvent) {
logger.info(" ssl close completion event, host: {}, port: {}, ctx: {} ", host, port, System.identityHashCode(ctx));
} else {
logger.info(" userEventTriggered event, host: {}, port: {}, evt: {}, ctx: {} ", host, port, evt, System.identityHashCode(ctx));
}
}
Also used :
IdleStateEvent(io.netty.handler.timeout.IdleStateEvent)
SocketChannel(io.netty.channel.socket.SocketChannel)
SslCloseCompletionEvent(io.netty.handler.ssl.SslCloseCompletionEvent)
SslHandshakeCompletionEvent(io.netty.handler.ssl.SslHandshakeCompletionEvent)
ChannelHandlerContext(io.netty.channel.ChannelHandlerContext)
Aggregations
SslCloseCompletionEvent (io.netty.handler.ssl.SslCloseCompletionEvent)2
SslHandshakeCompletionEvent (io.netty.handler.ssl.SslHandshakeCompletionEvent)2
SslHandshakeInfo (com.netflix.netty.common.ssl.SslHandshakeInfo)1
PassportState (com.netflix.zuul.passport.PassportState)1
ChannelHandlerContext (io.netty.channel.ChannelHandlerContext)1
SocketChannel (io.netty.channel.socket.SocketChannel)1
ClientAuth (io.netty.handler.ssl.ClientAuth)1
SniCompletionEvent (io.netty.handler.ssl.SniCompletionEvent)1
SslHandler (io.netty.handler.ssl.SslHandler)1
IdleStateEvent (io.netty.handler.timeout.IdleStateEvent)1
ClosedChannelException (java.nio.channels.ClosedChannelException)1
Certificate (java.security.cert.Certificate)1
X509Certificate (java.security.cert.X509Certificate)1
SSLException (javax.net.ssl.SSLException)1
SSLSession (javax.net.ssl.SSLSession)1
