uuuyuqi opened a new issue, #16373: URL: https://github.com/apache/dubbo/issues/16373
### Pre-check - [x] I am sure that all the content I provide in English is directly translated by me and not produced by machine translation. ### Search before asking - [x] I have searched in the [issues](https://github.com/apache/dubbo/issues) and found no similar issues. ### Apache Dubbo Component Java SDK (apache/dubbo) ### Dubbo Version Latest `3.3` branch, HEAD `316df8e57677cc8c1ed6d92bd40ca0daba27393f` (`3.3.7-SNAPSHOT`). ### Steps to reproduce this issue 1. Enable port unification on the provider side. 2. Configure a `CertProvider` that returns a `ProviderCert` with `AuthPolicy.NONE`, which means TLS is allowed but not required. 3. Send a plaintext Dubbo request to the port-unification port. The first bytes are non-TLS, for example the Dubbo magic bytes `0xda 0xbb`. 4. `NettyPortUnificationServerHandler` enters the TLS-detection branch because provider TLS config exists and enough bytes are available for SSL detection. 5. Since the first packet is not TLS and `AuthPolicy` is `NONE`, the current handler neither closes the channel nor continues with plaintext protocol detection. ### What you expected to happen When `AuthPolicy.NONE` is configured, a non-TLS first packet should be treated as a permitted plaintext connection and should continue through port-unification protocol detection. ### What actually happened The plaintext `WireProtocol` detector is not invoked. The connection remains open and waits for more data, so a plaintext Dubbo consumer can hang or time out when it connects to a provider that uses port unification with optional TLS. ### Anything else The root cause is in `NettyPortUnificationServerHandler#decode`. When provider TLS config exists and the inbound bytes are enough for SSL detection, the handler checks: - TLS first packet: enable SSL. - Non-TLS first packet with `AuthPolicy` not equal to `NONE`: log and close. - Non-TLS first packet with `AuthPolicy.NONE`: no action is taken and the code does not fall through to `detectProtocol(...)`. I have a regression test that reproduces the issue on current `3.3`: before the fix, the test fails because the plaintext detector is called `0` times instead of `1` time. I will submit a pull request with the fix and the regression test. ### Are you willing to submit a PR? - [x] Yes, I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's Code of Conduct. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
