To reproduce, apply the diff and run ClientSSLTest#testSecureStandaloneServer() test. The logs would show that a valid session was created before connection was rejected and client had to retry
What should have happened:
Server should instantly close the client's connection and NOT process any request.
Malicious clients may be able to put unnecessary load/traffic on the leader by creating these sessions.
In CertificateVerifier#operationComplete(), `addCnxn(cnxn)` method is only called after auth is completed. NettyServerCnxn#close() returns as a no-op here.
I see this as an issue. Please assess the risk and let me know if this is a legit behavior or not.