This is an automated email from the ASF dual-hosted git repository. albumenj pushed a commit to branch 3.3 in repository https://gitbox.apache.org/repos/asf/dubbo.git
commit 2af3a91ae6b013f8500288e5e4d36a083232da93 Merge: 6725e2d5ea a35af2742a Author: Albumen Kevin <[email protected]> AuthorDate: Thu May 29 14:33:09 2025 +0800 Merge branch 'apache-3.2' into apache-3.3 .../client/ServiceDiscoveryRegistryDirectory.java | 11 ++++++++ .../registry/integration/RegistryDirectory.java | 11 ++++++++ .../netty4/NettyPortUnificationServerHandler.java | 30 ++++++++++++++++++++-- 3 files changed, 50 insertions(+), 2 deletions(-) diff --cc dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java index 2f08d22030,e5c706dad9..ce23587b05 --- a/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java +++ b/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java @@@ -122,10 -122,69 +124,29 @@@ public class NettyPortUnificationServer ProviderCert providerConnectionConfig = certManager.getProviderConnectionConfig(url, ctx.channel().remoteAddress()); - if (providerConnectionConfig != null && isSsl(in)) { - enableSsl(ctx, providerConnectionConfig); + if (providerConnectionConfig != null && canDetectSsl(in)) { + if (isSsl(in)) { + enableSsl(ctx, providerConnectionConfig); + } else { + // check server should load TLS or not + if (providerConnectionConfig.getAuthPolicy() != AuthPolicy.NONE) { + byte[] preface = new byte[in.readableBytes()]; + in.readBytes(preface); + LOGGER.error( + CONFIG_SSL_CONNECT_INSECURE, + "client request server without TLS", + "", + String.format( + "Downstream=%s request without TLS preface, but server require it. " + "preface=%s", + ctx.channel().remoteAddress(), Bytes.bytes2hex(preface))); + + // Untrusted connection; discard everything and close the connection. 
+ in.clear(); + ctx.close(); + } + } } else { - Set<String> supportedProtocolNames = new HashSet<>(protocols.keySet()); - supportedProtocolNames.retainAll(urlMapper.keySet()); - - for (final String name : supportedProtocolNames) { - WireProtocol protocol = protocols.get(name); - in.markReaderIndex(); - ChannelBuffer buf = new NettyBackedChannelBuffer(in); - final ProtocolDetector.Result result = protocol.detector().detect(buf); - in.resetReaderIndex(); - switch (result) { - case UNRECOGNIZED: - continue; - case RECOGNIZED: - ChannelHandler localHandler = this.handlerMapper.getOrDefault(name, handler); - URL localURL = this.urlMapper.getOrDefault(name, url); - channel.setUrl(localURL); - NettyConfigOperator operator = new NettyConfigOperator(channel, localHandler); - protocol.configServerProtocolHandler(url, operator); - ctx.pipeline().remove(this); - case NEED_MORE_DATA: - return; - default: - return; - } - } - byte[] preface = new byte[in.readableBytes()]; - in.readBytes(preface); - Set<String> supported = url.getApplicationModel() - .getExtensionLoader(WireProtocol.class) - .getSupportedExtensions(); - LOGGER.error( - INTERNAL_ERROR, - "unknown error in remoting module", - "", - String.format( - "Can not recognize protocol from downstream=%s . " + "preface=%s protocols=%s", - ctx.channel().remoteAddress(), Bytes.bytes2hex(preface), supported)); - - // Unknown protocol; discard everything and close the connection. - in.clear(); - ctx.close(); + detectProtocol(ctx, url, channel, in); } }
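Review bot: The TLS-required check (`providerConnectionConfig.getAuthPolicy() != AuthPolicy.NONE`) runs only inside the `canDetectSsl(in)` branch, so every call where that condition is false still reaches `detectProtocol(ctx, url, channel, in)` without consulting the policy. `canDetectSsl` is defined outside the hunk; if it can return false only because too few bytes are buffered yet, plaintext protocol detection would run on a listener whose policy requires TLS, so that case should wait for more data instead of falling through to the `else`. Inside the same branch, a non-TLS preface under `AuthPolicy.NONE` matches neither inner condition and appears never to be handed to `detectProtocol`, which looks unintended. The rejection path also copies and hex-logs the whole readable buffer from an unauthenticated peer at ERROR level; a cap such as `byte[] preface = new byte[Math.min(in.readableBytes(), 64)];` (64 is an illustrative limit) bounds log volume and limits how much request data ends up in logs. The enclosing method begins above the hunk, so the earlier length checks are not visible here.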
