Constant Log Spam "fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?"

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Constant Log Spam "fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?"

johnhd
This post was updated on .
Hi All,

I'm troubleshooting an issue in CONNECT 4.4.1 that lies somewhere in the SSL/networking neverland and I turned HTTP Access Logging (touched on in this guide; https://connectopensource.atlassian.net/wiki/display/CONNECTWIKI/Customization+parameters+for+Glassfish+deployments)   *AND*  the SSL Certpath and Handshake debug logging per this guide:

https://connectopensource.atlassian.net/wiki/display/CONNECTWIKI/SSL+Handshake

<jvm-options>-Djavax.net.debug=ssl:handshake:verbose</jvm-options>
<jvm-options>-Djava.security.debug=certpath</jvm-options>

As soon as I did (and restarted) I've been getting NONSTOP spam in my logs like this.

NOTE: This is a dev environment without any traffic.

[#|2016-09-13T16:05:03.728-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=246;_ThreadName=Thread-2;|http-thread-pool-4437(6)|#]

[#|2016-09-13T16:05:03.728-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=246;_ThreadName=Thread-2;|, SEND TLSv1 ALERT:  |#]

[#|2016-09-13T16:05:03.728-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=246;_ThreadName=Thread-2;|fatal, |#]

[#|2016-09-13T16:05:03.728-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=246;_ThreadName=Thread-2;|description = internal_error|#]

[#|2016-09-13T16:05:03.728-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=246;_ThreadName=Thread-2;|http-thread-pool-4437(6), Exception sending alert: java.io.IOException: writer side was already closed.|#]

[#|2016-09-13T16:05:05.889-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=247;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]

[#|2016-09-13T16:05:05.890-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=247;_ThreadName=Thread-2;|http-thread-pool-4437(7), called closeInbound()|#]

[#|2016-09-13T16:05:05.890-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=247;_ThreadName=Thread-2;|http-thread-pool-4437(7), closeInboundInternal()|#]

[#|2016-09-13T16:05:05.890-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=247;_ThreadName=Thread-2;|http-thread-pool-4437(7), closeOutboundInternal()|#]

[#|2016-09-13T16:05:05.890-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=247;_ThreadName=Thread-2;|http-thread-pool-4437(7), called closeInbound()|#]

[#|2016-09-13T16:05:05.890-0500|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=247;_ThreadName=Thread-2;|http-thread-pool-4437(7), fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?|#]

My question: is this normal? What could be causing this? I've been googling without much luck.

EDIT: UPDATE

I've configured a different CONNECT 4.4.1 environment the same way and I see no such spam.

The difference between these two environments is that this one is hosted somewhere I have full control (and am able to establish connections to other boxes OK, etc.) whereas the one I am asking about is hosted in a different environment and experiencing unusual errors (unexpected "unknown_certificate" and "emote host closed connection during handshake" errors when attempting outbound connections) which caused me to turn on this logging in the first place.

Reply | Threaded
Open this post in threaded view
|

Re: Constant Log Spam "fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?"

Sovann Huynh
Administrator
Hi John,

Our initial suspicion is that it is attempting to download the UDDI file at a time interval specified in the system's gateway.properties. If the certificate is invalid, it throws the SSL handshake error and with JAVA debugging on, it will write those errors to the server log every time an UDDI download is attempted. Hope that helps!
Sovann
CONNECT Product Team Member