uuuyuqi opened a new issue, #16373:
URL: https://github.com/apache/dubbo/issues/16373

   ### Pre-check
   
   - [x] I am sure that all the content I provide in English is directly 
translated by me and not produced by machine translation.
   
   ### Search before asking
   
   - [x] I have searched in the 
[issues](https://github.com/apache/dubbo/issues) and found no similar issues.
   
   ### Apache Dubbo Component
   
   Java SDK (apache/dubbo)
   
   ### Dubbo Version
   
   Latest `3.3` branch, HEAD `316df8e57677cc8c1ed6d92bd40ca0daba27393f` 
(`3.3.7-SNAPSHOT`).
   
   ### Steps to reproduce this issue
   
   1. Enable port unification on the provider side.
   2. Configure a `CertProvider` that returns a `ProviderCert` with 
`AuthPolicy.NONE`, which means TLS is allowed but not required.
   3. Send a plaintext Dubbo request to the port-unification port. The first 
bytes are non-TLS, for example the Dubbo magic bytes `0xda 0xbb`.
   4. `NettyPortUnificationServerHandler` enters the TLS-detection branch 
because provider TLS config exists and enough bytes are available for SSL 
detection.
   5. Since the first packet is not TLS and `AuthPolicy` is `NONE`, the current 
handler neither closes the channel nor continues with plaintext protocol 
detection.
   
   ### What you expected to happen
   
   When `AuthPolicy.NONE` is configured, a non-TLS first packet should be 
treated as a permitted plaintext connection and should continue through 
port-unification protocol detection.
   
   ### What actually happened
   
   The plaintext `WireProtocol` detector is not invoked. The connection remains 
open and waits for more data, so a plaintext Dubbo consumer can hang or time 
out when it connects to a provider that uses port unification with optional TLS.
   
   ### Anything else
   
   The root cause is in `NettyPortUnificationServerHandler#decode`.
   
   When provider TLS config exists and the inbound bytes are enough for SSL 
detection, the handler checks:
   
   - TLS first packet: enable SSL.
   - Non-TLS first packet with `AuthPolicy` not equal to `NONE`: log and close.
   - Non-TLS first packet with `AuthPolicy.NONE`: no action is taken and the 
code does not fall through to `detectProtocol(...)`.
   
   I have a regression test that reproduces the issue on current `3.3`: before 
the fix, the test fails because the plaintext detector is called `0` times 
instead of `1` time.
   
   I will submit a pull request with the fix and the regression test.
   
   ### Are you willing to submit a PR?
   
   - [x] Yes, I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's Code of Conduct.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to