This is an automated email from the ASF dual-hosted git repository.
albumenj pushed a commit to branch 3.2
in repository https://gitbox.apache.org/repos/asf/dubbo.git
The following commit(s) were added to refs/heads/3.2 by this push:
new fc5f066b25 Port unification support reject if client not TLS (#15352)
fc5f066b25 is described below
commit fc5f066b25055f0a4c078f592b78849438e588cc
Author: Albumen Kevin <[email protected]>
AuthorDate: Wed May 7 09:36:21 2025 +0800
Port unification support reject if client not TLS (#15352)
---
.../netty4/NettyPortUnificationServerHandler.java | 30 ++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git
a/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java
b/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java
index 9b1ccd1d1d..e5c706dad9 100644
---
a/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java
+++
b/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java
@@ -20,6 +20,7 @@ import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.io.Bytes;
import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.common.ssl.AuthPolicy;
import org.apache.dubbo.common.ssl.CertManager;
import org.apache.dubbo.common.ssl.ProviderCert;
import org.apache.dubbo.remoting.ChannelHandler;
@@ -45,6 +46,7 @@ import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.util.AttributeKey;
+import static
org.apache.dubbo.common.constants.LoggerCodeConstants.CONFIG_SSL_CONNECT_INSECURE;
import static
org.apache.dubbo.common.constants.LoggerCodeConstants.INTERNAL_ERROR;
public class NettyPortUnificationServerHandler extends ByteToMessageDecoder {
@@ -120,8 +122,27 @@ public class NettyPortUnificationServerHandler extends
ByteToMessageDecoder {
ProviderCert providerConnectionConfig =
certManager.getProviderConnectionConfig(url,
ctx.channel().remoteAddress());
- if (providerConnectionConfig != null && isSsl(in)) {
- enableSsl(ctx, providerConnectionConfig);
+ if (providerConnectionConfig != null && canDetectSsl(in)) {
+ if (isSsl(in)) {
+ enableSsl(ctx, providerConnectionConfig);
+ } else {
+ // check server should load TLS or not
+ if (providerConnectionConfig.getAuthPolicy() !=
AuthPolicy.NONE) {
+ byte[] preface = new byte[in.readableBytes()];
+ in.readBytes(preface);
+ LOGGER.error(
+ CONFIG_SSL_CONNECT_INSECURE,
+ "client request server without TLS",
+ "",
+ String.format(
+ "Downstream=%s request without TLS
preface, but server require it. " + "preface=%s",
+ ctx.channel().remoteAddress(),
Bytes.bytes2hex(preface)));
+
+ // Untrusted connection; discard everything and close the
connection.
+ in.clear();
+ ctx.close();
+ }
+ }
} else {
Set<String> supportedProtocolNames = new
HashSet<>(protocols.keySet());
supportedProtocolNames.retainAll(urlMapper.keySet());
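Review bot: A plaintext client hitting a provider whose connection config is non-null but has `AuthPolicy.NONE` now matches neither branch: `providerConnectionConfig != null && canDetectSsl(in)` is true, `isSsl(in)` is false, and the inner `if` skips it, so the bytes are neither consumed nor handed to the protocol-detection `else` that the removed lines used to reach. Unless that combination cannot occur, this looks like a regression where such a connection idles with unconsumed bytes; the enclosing decode method starts and ends outside the hunk, so I can't rule out handling further down. A second, smaller point: `preface` copies and hex-logs the entire readable buffer from an untrusted peer, which is unbounded and may echo whatever a misconfigured client sent in clear; bounding the sample, e.g. `byte[] preface = new byte[Math.min(in.readableBytes(), 16)];`, keeps the diagnostic value. Both can be addressed by flattening the branches so the `else` stays reachable:
```java
boolean sslDetectable = providerConnectionConfig != null && canDetectSsl(in);
if (sslDetectable && isSsl(in)) {
    enableSsl(ctx, providerConnectionConfig);
} else if (sslDetectable && providerConnectionConfig.getAuthPolicy() != AuthPolicy.NONE) {
    // Plaintext preface on a provider that requires TLS: log a bounded sample, then drop the connection.
    byte[] preface = new byte[Math.min(in.readableBytes(), 16)];
    in.readBytes(preface);
    // … unchanged: LOGGER.error(CONFIG_SSL_CONNECT_INSECURE, …) …
    in.clear();
    ctx.close();
} else {
    // … unchanged: plaintext protocol detection …
```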
@@ -177,6 +198,11 @@ public class NettyPortUnificationServerHandler extends
ByteToMessageDecoder {
p.remove(this);
}
+ private boolean canDetectSsl(ByteBuf buf) {
+ // at least 5 bytes to determine if data is encrypted
+ return detectSsl && buf.readableBytes() >= 5;
+ }
+
private boolean isSsl(ByteBuf buf) {
// at least 5 bytes to determine if data is encrypted
if (detectSsl && buf.readableBytes() >= 5) {
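Review bot: `isSsl` still inlines the exact condition that the new `canDetectSsl` helper was introduced for, so the "at least 5 bytes" rule now lives in two places and can drift. Replace the guard with `if (canDetectSsl(buf)) {` and drop the duplicated comment above it. The body of `isSsl` continues past the end of the hunk.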