Skip to content

iostream: downgrade the SSL handshake-error log to INFO#3676

Open
HrachShah wants to merge 1 commit into
tornadoweb:masterfrom
HrachShah:fix/iostream-ssl-handshake-log-level
Open

iostream: downgrade the SSL handshake-error log to INFO#3676
HrachShah wants to merge 1 commit into
tornadoweb:masterfrom
HrachShah:fix/iostream-ssl-handshake-log-level

Conversation

@HrachShah

Copy link
Copy Markdown

Closes #3347.

The SSLIOStream handshake-error log was emitted at WARNING level, but
the events that cause it are almost always out of the server's control:

  • A client connects with a self-signed or otherwise invalid certificate
    and fails validation. The TLS alert the client sends back then
    causes the server's handshake to fail with SSL_ERROR_SSL or
    SSL_ERROR_SYSCALL, which is what gets logged. The application
    cannot prevent the client from doing this.
  • A TCP port scanner (nmap -sT, plain nc -z) connects and resets
    the socket before do_handshake completes.

In all of these cases the operator does not need to be warned; the
event is a normal occurrence on a server that is exposed to the
internet. Downgrading the log to INFO matches the level already
used for similar client-driven noise such as "Unsatisfiable read,
closing connection" and "Connect error". Applications that want
to surface a warning can install their own handler at the INFO
level.

The server-side error path still closes the connection and surfaces
the underlying exception via close(exc_info=err), so callers that
do care about a specific failure have not lost any information.

Tests:

  • TestIOStreamStartTLS.test_handshake_fail and
    TestIOStreamStartTLS.test_check_hostname: now pass level=
    logging.INFO on their ExpectLog blocks because the SSL Error
    message is emitted at INFO instead of WARNING.
  • TestIOStreamCheckHostname.test_no_match: the "alert bad
    certificate" ExpectLog on the server side is now expected at
    INFO.

The SSL handshake-error branch in SSLIOStream._do_ssl_handshake fires
on a variety of remote conditions that the application cannot
control:

  - a client that fails to validate the server's certificate sends a
    tls alert, and the server's handshake then raises and logs here
  - a client that drops the connection before speaking TLS
    (SSL_ERROR_EOF / SSL_ERROR_ZERO_RETURN) which lands in the
    SSL_ERROR_SSL branch via SSL_ERROR_SYSCALL
  - premature closes from port scanners and other uninvited probes

None of these are a problem with the server. They were logged at
WARNING, which suggests to the operator that something is wrong on
their end, but the only thing the operator can do is configure
certificate validation more strictly, which does not change the
volume of these messages. Drop the level to INFO so the application
can opt in to the messages if it cares, and the default operator
view is not polluted by clients making bad requests.

Three existing tests expected the old WARNING level via ExpectLog;
update them to pass level=logging.INFO so the message is still
captured (ExpectLog without an explicit level is becoming a
DeprecationWarning match in Tornado 7.0 anyway).

Fixes tornadoweb#3347.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

iostream: SSL logging is too noisy

1 participant