RFR: 8373677: Clear text HttpServer connection could fail fast if receiving SSL ClientHello [v2]
Daniel Jeliński
djelinski at openjdk.org
Wed Dec 17 10:04:16 UTC 2025
On Tue, 16 Dec 2025 22:09:33 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>> src/jdk.httpserver/share/classes/sun/net/httpserver/ServerImpl.java line 740:
>>
>>> 738: Request req;
>>> 739: try {
>>> 740: req = new Request(rawin, rawout, newconnection && !https);
>>
>> I'd skip the `!https` check here.
>
> We only need the check for clear connections. Why would you keep it with https?
Because any input that starts with a character below 32 may not be an HTTP request, so we might as well reject such bytes over TLS too.
Ideally we'd have a state machine that would reject any request as soon as we receive a byte that is not valid in an HTTP request, but what you have is a good improvement already.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28827#discussion_r2626385975
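
The fail-fast idea discussed in this message, as an added example that is not part of the original message or of the JDK's `jdk.httpserver` code: a small state machine that reports the offset of the first byte that cannot belong to an HTTP/1.x request line. A TLS handshake record begins with content type 22 (0x16), which is below 32, so it is rejected at offset 0. The class name, method names, the simplified request-target rule (any visible ASCII) and the sample inputs are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; not code from jdk.httpserver. All names are hypothetical.
public class RequestLineFailFast {
    enum State { METHOD, TARGET, VERSION, CR_SEEN, DONE }

    // RFC 9110 "tchar": the only bytes allowed in a method token.
    static boolean isTchar(int b) {
        return (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z')
            || (b >= '0' && b <= '9') || "!#$%&'*+-.^_`|~".indexOf(b) >= 0;
    }

    // Offset of the first byte that cannot be part of an HTTP/1.x request
    // line, or -1 if everything received so far is still acceptable.
    static int firstInvalidByte(byte[] buf) {
        State s = State.METHOD;
        int n = 0; // bytes consumed in the current element
        for (int i = 0; i < buf.length; i++) {
            int b = buf[i] & 0xFF;
            switch (s) {
                case METHOD:
                    if (isTchar(b)) n++;
                    else if (b == ' ' && n > 0) { s = State.TARGET; n = 0; }
                    else return i;
                    break;
                case TARGET: // assumption: visible ASCII only, no controls or high bytes
                    if (b > 0x20 && b < 0x7F) n++;
                    else if (b == ' ' && n > 0) { s = State.VERSION; n = 0; }
                    else return i;
                    break;
                case VERSION: // "HTTP/" DIGIT "." DIGIT, then CR
                    if (n == 8) { if (b != '\r') return i; s = State.CR_SEEN; break; }
                    char want = "HTTP/0.0".charAt(n++); // '0' stands for any digit
                    if (want == '0' ? (b < '0' || b > '9') : b != want) return i;
                    break;
                case CR_SEEN:
                    if (b != '\n') return i;
                    s = State.DONE; break;
                case DONE: return -1; // request line complete; headers not checked here
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        byte[] tls = {0x16, 0x03, 0x01, 0x02, 0x00, 0x01}; // constructed start of a TLS handshake record
        String[] http = {"GET / HTTP/1.1\r\n", "GE", "GET /a\u0001b HTTP/1.1\r\n"}; // constructed samples
        System.out.println("tls: " + firstInvalidByte(tls));
        for (String r : http)
            System.out.println("http: " + firstInvalidByte(r.getBytes(StandardCharsets.US_ASCII)));
    }
}
```

A server would call such a check on each chunk as it arrives and close the connection on the first non-negative result instead of waiting for a line terminator that a binary peer will never send.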