package org.elasticsearch.xpack.core.security.transport;

import java.util.function.BiConsumer;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.common.component.Lifecycle;
import org.elasticsearch.common.network.CloseableChannel;
import org.elasticsearch.transport.TcpChannel;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/transport/SecurityTransportExceptionHandler.class */
public final class SecurityTransportExceptionHandler implements BiConsumer<TcpChannel, Exception> {
    private final Lifecycle lifecycle;
    private final Logger logger;
    private final BiConsumer<TcpChannel, Exception> fallback;

    public SecurityTransportExceptionHandler(Logger logger, Lifecycle lifecycle, BiConsumer<TcpChannel, Exception> biConsumer) {
        this.lifecycle = lifecycle;
        this.logger = logger;
        this.fallback = biConsumer;
    }

    @Override // java.util.function.BiConsumer
    public void accept(TcpChannel tcpChannel, Exception exc) {
        if (!this.lifecycle.started()) {
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (SSLExceptionHelper.isNotSslRecordException(exc)) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(new ParameterizedMessage("received plaintext traffic on an encrypted channel, closing connection {}", tcpChannel), exc);
            } else {
                this.logger.warn("received plaintext traffic on an encrypted channel, closing connection {}", tcpChannel);
            }
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (SSLExceptionHelper.isCloseDuringHandshakeException(exc)) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(new ParameterizedMessage("connection {} closed during ssl handshake", tcpChannel), exc);
            } else {
                this.logger.debug("connection {} closed during handshake", tcpChannel);
            }
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (!SSLExceptionHelper.isReceivedCertificateUnknownException(exc)) {
            this.fallback.accept(tcpChannel, exc);
            return;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(new ParameterizedMessage("client did not trust server's certificate, closing connection {}", tcpChannel), exc);
        } else {
            this.logger.warn("client did not trust this server's certificate, closing connection {}", tcpChannel);
        }
        CloseableChannel.closeChannel(tcpChannel);
    }
}
