net/http: HTTPS requests when the server does not support it -> record overflow #11111
Comments
|
The crypto/tls package will try to parse the response
"HTTP/1.1 400 Bad Request\r\n\r\n" as a TLS record,
which it failed.
I don't thinking we can do any better. crypto/tls is
not HTTPS specific, so it doesn't make sense to
detect this case specifically.
|
|
I mean, we could do something here and record the first few bytes before giving it to crypto/tls. And then when crypto/tls gives us an error, we could look at the bytes we copied and see if it looks like "HTTP/*" and return a better error. Pretty low priority, but a fine feature request. |
|
OK, I think it's better to make crypto/tls.(*Client).Handshake
return a the server response if the very first response doesn't
parse correctly; rather than cache the first few bytes in net/http
(as it will involve another layer of wrapping on net.Conn.)
And this seems like a general purpose enhancement for crypto/tls.
Actually, I think just make crypto/tls return the first few bytes of
response in error message is enough, we don't need to change
net/http.
For example, if the example panics with:
tls: oversized record received with length 20527 (server response:
"HTTP/1.1 400 Bad Request"...)
Then it's much better than the current message and can help the
user pinpoint the problem very quickly.
|
|
Yes that would be a lot more helpful. I lost a good half-an-hour trying to pin point the problem. @minux suggestion would send me immediately in the right direction. Thanks |
|
Turns out this is pretty easy to propagate. diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
index e3dcf15..2a41beb 100644
--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
@@ -568,7 +568,7 @@ Again:
}
if n > maxCiphertext {
c.sendAlert(alertRecordOverflow)
- return c.in.setErrorLocked(fmt.Errorf("tls: oversized record received with length %d", n))
+ return c.in.setErrorLocked(fmt.Errorf("tls: oversized record received with length %d ; data=%q", n, b.data))
}
if !c.haveVers {
// First message, be extra suspicious: this might not be a TLSMakes the demo program above error out with the |
|
CL https://golang.org/cl/16075 mentions this issue. |
|
CL https://golang.org/cl/16078 mentions this issue. |
|
CL https://golang.org/cl/16079 mentions this issue. |
The user can inspect the record data to detect that the other side is not using the TLS protocol. This will be used by the net/http client (in a follow-on CL) to detect when an HTTPS client is speaking to an HTTP server. Updates #11111. Change-Id: I872f78717aa8e8e98cebd8075436209a52039a73 Reviewed-on: https://go-review.googlesource.com/16078 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
Making an HTTPS request against a server that has no TLS enabled returns an 'record overflow' error.
I wonder if the message couldn't be a bit more helpful, like: 'No valid TLS certificate found. Aborting request.'
The sample program below illustrates the problem.
The text was updated successfully, but these errors were encountered: