New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: HTTPS requests when the server does not support it -> record overflow #11111
Comments
The crypto/tls package will try to parse the response
"HTTP/1.1 400 Bad Request\r\n\r\n" as a TLS record,
which it failed.
I don't thinking we can do any better. crypto/tls is
not HTTPS specific, so it doesn't make sense to
detect this case specifically.
|
I mean, we could do something here and record the first few bytes before giving it to crypto/tls. And then when crypto/tls gives us an error, we could look at the bytes we copied and see if it looks like "HTTP/*" and return a better error. Pretty low priority, but a fine feature request. |
OK, I think it's better to make crypto/tls.(*Client).Handshake
return a the server response if the very first response doesn't
parse correctly; rather than cache the first few bytes in net/http
(as it will involve another layer of wrapping on net.Conn.)
And this seems like a general purpose enhancement for crypto/tls.
Actually, I think just make crypto/tls return the first few bytes of
response in error message is enough, we don't need to change
net/http.
For example, if the example panics with:
tls: oversized record received with length 20527 (server response:
"HTTP/1.1 400 Bad Request"...)
Then it's much better than the current message and can help the
user pinpoint the problem very quickly.
|
Yes that would be a lot more helpful. I lost a good half-an-hour trying to pin point the problem. @minux suggestion would send me immediately in the right direction. Thanks |
Turns out this is pretty easy to propagate. diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
index e3dcf15..2a41beb 100644
--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
@@ -568,7 +568,7 @@ Again:
}
if n > maxCiphertext {
c.sendAlert(alertRecordOverflow)
- return c.in.setErrorLocked(fmt.Errorf("tls: oversized record received with length %d", n))
+ return c.in.setErrorLocked(fmt.Errorf("tls: oversized record received with length %d ; data=%q", n, b.data))
}
if !c.haveVers {
// First message, be extra suspicious: this might not be a TLS Makes the demo program above error out with the |
CL https://golang.org/cl/16075 mentions this issue. |
CL https://golang.org/cl/16078 mentions this issue. |
CL https://golang.org/cl/16079 mentions this issue. |
The user can inspect the record data to detect that the other side is not using the TLS protocol. This will be used by the net/http client (in a follow-on CL) to detect when an HTTPS client is speaking to an HTTP server. Updates #11111. Change-Id: I872f78717aa8e8e98cebd8075436209a52039a73 Reviewed-on: https://go-review.googlesource.com/16078 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
Making an HTTPS request against a server that has no TLS enabled returns an 'record overflow' error.
I wonder if the message couldn't be a bit more helpful, like: 'No valid TLS certificate found. Aborting request.'
The sample program below illustrates the problem.
The text was updated successfully, but these errors were encountered: