Downgrades untrusted ssl certificates log error to info (#145488)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Fix #35004
elastic · Nov 19, 2022 · 207ba42 · 207ba42
1 parent 6f5baad
commit 207ba42
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 5 deletions.
diff --git a/packages/kbn-legacy-logging/src/log_interceptor.test.ts b/packages/kbn-legacy-logging/src/log_interceptor.test.ts
@@ -150,4 +150,20 @@ describe('server logging LogInterceptor', () => {
       expect(interceptor.downgradeIfEcanceled(event)).toBe(null);
     });
   });
+
+  describe('#downgradeIfCertUntrusted', () => {
+    it('transforms https requests when serving untrusted https errors', () => {
+      const message =
+        '4584650176:error:1408F09C:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/ssl3_record.c:322:\n';
+      const interceptor = new LogInterceptor();
+      const event = stubClientErrorEvent({ message });
+      assertDowngraded(interceptor.downgradeIfCertUntrusted(event)!);
+    });
+
+    it('ignores non events', () => {
+      const interceptor = new LogInterceptor();
+      const event = stubClientErrorEvent({ message: 'Not error' });
+      expect(interceptor.downgradeIfEcanceled(event)).toBe(null);
+    });
+  });
 });
diff --git a/packages/kbn-legacy-logging/src/log_interceptor.ts b/packages/kbn-legacy-logging/src/log_interceptor.ts
@@ -16,6 +16,12 @@ import { AnyEvent } from './log_events';
  */
 const OPENSSL_GET_RECORD_REGEX = /ssl3_get_record:http/;
 
+/**
+ * Matches error messages when clients connect via HTTPS and Kibana doesn't trust the certificate; Warning: the exact errors are numerous and can change when Node
+ * and its bundled OpenSSL binary are upgraded.
+ */
+const OPENSSL_READ_RECORD_REGEX = /ssl3_read_bytes:sslv3/;
+
 function doTagsMatch(event: AnyEvent, tags: string[]) {
   return isEqual(event.tags, tags);
 }
@@ -54,11 +60,11 @@ function downgradeIfErrorType(errorType: string, event: AnyEvent) {
   };
 }
 
-function downgradeIfErrorMessage(match: RegExp | string, event: AnyEvent) {
+// generic method to convert the given event into the log level provided
+function downgradeIfErrorMessage(match: RegExp | string, level: string, event: AnyEvent) {
   const isClientError = doTagsMatch(event, ['connection', 'client', 'error']);
   const errorMessage = get(event, 'error.message');
   const matchesErrorMessage = isClientError && doesMessageMatch(errorMessage, match);
-
   if (!matchesErrorMessage) {
     return null;
   }
@@ -67,7 +73,7 @@ function downgradeIfErrorMessage(match: RegExp | string, event: AnyEvent) {
     event: 'log',
     pid: event.pid,
     timestamp: event.timestamp,
-    tags: ['debug', 'connection'],
+    tags: [level, 'connection'],
     data: errorMessage,
   };
 }
@@ -126,8 +132,33 @@ export class LogInterceptor extends Stream.Transform {
     return downgradeIfErrorType('HPE_INVALID_METHOD', event);
   }
 
+  /**
+   * When Kibana has HTTPS enabled, but a client tries to connect over HTTP,
+   * the client gets an empty response and an error surfaces in the logs.
+   * These logs are not useful unless you are trying to debug edge-case
+   * behaviors.
+   *
+   *  For that reason, we downgrade this from error to debug level
+   * See https://github.com/elastic/kibana/issues/77391
+   *
+   *  @param {object} - log event
+   */
   downgradeIfHTTPWhenHTTPS(event: AnyEvent) {
-    return downgradeIfErrorMessage(OPENSSL_GET_RECORD_REGEX, event);
+    return downgradeIfErrorMessage(OPENSSL_GET_RECORD_REGEX, 'debug', event);
+  }
+  /**
+   * When Kibana has HTTPS enabled and Kibana doesn't trust the certificate,
+   * an error surfaces in the logs.
+   * These error logs are not useful and can give the impression that
+   * Kibana is doing something wrong when it's the client that's doing it wrong.
+   *
+   *  For that reason, we downgrade this from error to info level
+   * See https://github.com/elastic/kibana/issues/35004
+   *
+   *  @param {object} - log event
+   */
+  downgradeIfCertUntrusted(event: AnyEvent) {
+    return downgradeIfErrorMessage(OPENSSL_READ_RECORD_REGEX, 'info', event);
   }
 
   _transform(event: AnyEvent, enc: string, next: Stream.TransformCallback) {
@@ -136,7 +167,8 @@ export class LogInterceptor extends Stream.Transform {
       this.downgradeIfEpipe(event) ||
       this.downgradeIfEcanceled(event) ||
       this.downgradeIfHTTPSWhenHTTP(event) ||
-      this.downgradeIfHTTPWhenHTTPS(event);
+      this.downgradeIfHTTPWhenHTTPS(event) ||
+      this.downgradeIfCertUntrusted(event);
 
     this.push(downgraded || event);
     next();