Agent Diagnostic
- Traced the TLS accept handler in crates/openshell-server/src/lib.rs:210-222
- Found is_benign_tls_handshake_failure() at lines 77-82 only classifies UnexpectedEof and ConnectionReset as benign
- The route-refresh task in crates/openshell-sandbox/src/lib.rs:1067-1126 runs every 5 seconds (DEFAULT_ROUTE_REFRESH_INTERVAL_SECS = 5)
- When the sandbox gRPC client uses a plaintext endpoint but the server listens on TLS, rustls emits InvalidContentType — this is not in the benign list
- Result: ERROR-level log every 5 seconds, filling logs with noise
Description
The OpenShell server's TLS accept handler logs every InvalidContentType error at ERROR level. This error occurs when a plaintext client connects to the TLS listener — typically the sandbox's route-refresh gRPC client when there's a protocol mismatch.
Since the route-refresh task runs every 5 seconds, this creates a flood of:
    ERROR openshell_server: TLS handshake failed
    error=received corrupt message of type InvalidContentType client=10.42.0.1:*
The is_benign_tls_handshake_failure() check at lib.rs:77-82 correctly classifies UnexpectedEof and ConnectionReset as benign (logged at DEBUG), but InvalidContentType is not classified, so it logs at ERROR.
This is noisy but not actionable — it's a known protocol mismatch, not a security issue.
Reproduction Steps
- Start a gateway with TLS enabled (default)
- Have a sandbox running with route-refresh active
- Check gateway logs: openshell sandbox logs <name> or pod logs
- Observe ERROR-level TLS handshake failed entries every ~5-6 seconds
Environment
- All platforms where TLS is enabled (default)
- Not platform-specific
Proposed Fix
Extend is_benign_tls_handshake_failure() to match errors containing InvalidContentType or corrupt message:
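    use std::io::ErrorKind;

    fn is_benign_tls_handshake_failure(error: &std::io::Error) -> bool {
        // Peer closed or reset the connection before the handshake completed.
        if matches!(
            error.kind(),
            ErrorKind::UnexpectedEof | ErrorKind::ConnectionReset
        ) {
            return true;
        }
        // Plaintext client on the TLS listener: match on the error text.
        let msg = error.to_string();
        msg.contains("InvalidContentType") || msg.contains("corrupt message")
    }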
This demotes the log from ERROR to DEBUG without hiding genuine TLS errors (expired certs, wrong hostnames produce different error types).
Agent-First Checklist
debug-openshell-cluster,debug-inference,openshell-cli)
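
Added example, not part of the issue and not OpenShell code: a plaintext gRPC client opens with the HTTP/2 preface, whose first byte "P" (0x50) is not a TLS record content type, which is why the handshake fails on the content type. The sketch classifies a connection's first bytes so that only plaintext-HTTP mismatches would be demoted, instead of matching on error text; all names in it are hypothetical.

```rust
// Added example; every name here is hypothetical, not from OpenShell.
#[derive(Debug, PartialEq)]
enum FirstBytes {
    TlsHandshake,   // TLS record carrying a handshake message
    Http2Cleartext, // HTTP/2 prior-knowledge preface (plaintext gRPC)
    Http1Cleartext, // HTTP/1.x request line
    Unknown,        // anything else stays loud in the logs
}

const H2_PREFACE: &[u8] = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
const HTTP1_METHODS: [&[u8]; 5] = [b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS "];

fn classify_first_bytes(buf: &[u8]) -> FirstBytes {
    // TLS record header: content type (1 byte), legacy version (2), length (2).
    // 0x16 = handshake; the version's major byte is 0x03 up to TLS 1.3.
    if buf.len() >= 3 && buf[0] == 0x16 && buf[1] == 0x03 {
        return FirstBytes::TlsHandshake;
    }
    // A short peek may see only the start of the preface, so accept a prefix.
    let n = buf.len().min(H2_PREFACE.len());
    if n >= 4 && buf[..n] == H2_PREFACE[..n] {
        return FirstBytes::Http2Cleartext;
    }
    if HTTP1_METHODS.iter().any(|m| buf.starts_with(*m)) {
        return FirstBytes::Http1Cleartext;
    }
    FirstBytes::Unknown
}

/// Only plaintext HTTP on the TLS port counts as a benign protocol mismatch.
fn is_plaintext_mismatch(buf: &[u8]) -> bool {
    matches!(
        classify_first_bytes(buf),
        FirstBytes::Http2Cleartext | FirstBytes::Http1Cleartext
    )
}

fn main() {
    // Constructed first bytes, not captured traffic.
    let client_hello: &[u8] = &[0x16, 0x03, 0x01, 0x02, 0x00, 0x01];
    let grpc_plain: &[u8] = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
    for buf in [client_hello, grpc_plain] {
        let kind = classify_first_bytes(buf);
        println!("{:?} benign_mismatch={}", kind, is_plaintext_mismatch(buf));
    }
}
```

Bytes that are neither a TLS handshake record nor plaintext HTTP fall through to Unknown, so malformed or unexpected traffic would keep its ERROR-level log.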