[jira] [Commented] (HTTPCLIENT-2344) HTTP/1.1 TLS Upgrade (RFC-2817) should not be default

Thu, 16 Jan 2025 12:47:05 -0800 


    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17913853#comment-17913853
 ] 

Stephane Bailliez commented on HTTPCLIENT-2344:
-----------------------------------------------

Fair enough, my mistake for cutting the example short and doing it incorrectly, 
here is what happens with the exact 2 headers sent the same way it is done in 
httpclient.

 
{noformat}
curl -vvvv 
http://test-lb-1458593638.us-east-1.elb.amazonaws.com:9070/admin/ping  -H 
"Upgrade: TLS/1.2" -H "Connection: Upgrade" -k
* Host test-lb-1458593638.us-east-1.elb.amazonaws.com:9070 was resolved.
* IPv6: (none)
* IPv4: 10.30.100.62, 10.30.102.99
*   Trying 10.30.100.62:9070...
* Connected to test-lb-1458593638.us-east-1.elb.amazonaws.com (10.30.100.62) 
port 9070
> GET /admin/ping HTTP/1.1
> Host: test-lb-1458593638.us-east-1.elb.amazonaws.com:9070
> User-Agent: curl/8.5.0
> Accept: */*
> Upgrade: TLS/1.2
> Connection: Upgrade
>
< HTTP/1.1 400 Bad Request
< Date: Thu, 16 Jan 2025 20:42:30 GMT
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 54
< Connection: keep-alive
<
* Connection #0 to host test-lb-1458593638.us-east-1.elb.amazonaws.com left 
intact{noformat}

> HTTP/1.1 TLS Upgrade (RFC-2817) should not be default
> -----------------------------------------------------
>
>                 Key: HTTPCLIENT-2344
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2344
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 5.4
>            Reporter: Ben Plotnick
>            Priority: Minor
>
> Version 5.4 added RFC-2817 support, which by default tries to upgrade  since 
> protocolUpgradeEnabled is default enabled.
> Although the strict reading of the spec would indicate that a server should 
> ignore upgrade requests that it cannot service, conservative proxies might 
> reject these requests entirely. This is the case in Envoy today
> I don't see a big advantage to enabling this by default and it is causing 
> real issues now.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to