Port unification support reject if client not TLS (#15352)

AlbumenJ · web-flow · commit fc5f066b2505 · 2025-05-07T09:36:21.000+08:00
diff --git a/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java b/dubbo-remoting/dubbo-remoting-netty4/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyPortUnificationServerHandler.java
@@ -20,6 +20,7 @@
 import org.apache.dubbo.common.io.Bytes;
 import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
 import org.apache.dubbo.common.logger.LoggerFactory;
+import org.apache.dubbo.common.ssl.AuthPolicy;
 import org.apache.dubbo.common.ssl.CertManager;
 import org.apache.dubbo.common.ssl.ProviderCert;
 import org.apache.dubbo.remoting.ChannelHandler;
@@ -45,6 +46,7 @@
 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
 import io.netty.util.AttributeKey;
 
+import static org.apache.dubbo.common.constants.LoggerCodeConstants.CONFIG_SSL_CONNECT_INSECURE;
 import static org.apache.dubbo.common.constants.LoggerCodeConstants.INTERNAL_ERROR;
 
 public class NettyPortUnificationServerHandler extends ByteToMessageDecoder {
@@ -120,8 +122,27 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) t
         ProviderCert providerConnectionConfig =
                 certManager.getProviderConnectionConfig(url, ctx.channel().remoteAddress());
 
-        if (providerConnectionConfig != null && isSsl(in)) {
-            enableSsl(ctx, providerConnectionConfig);
+        if (providerConnectionConfig != null && canDetectSsl(in)) {
+            if (isSsl(in)) {
+                enableSsl(ctx, providerConnectionConfig);
+            } else {
+                // check server should load TLS or not
+                if (providerConnectionConfig.getAuthPolicy() != AuthPolicy.NONE) {
+                    byte[] preface = new byte[in.readableBytes()];
+                    in.readBytes(preface);
+                    LOGGER.error(
+                            CONFIG_SSL_CONNECT_INSECURE,
+                            "client request server without TLS",
+                            "",
+                            String.format(
+                                    "Downstream=%s request without TLS preface, but server require it. " + "preface=%s",
+                                    ctx.channel().remoteAddress(), Bytes.bytes2hex(preface)));
+
+                    // Untrusted connection; discard everything and close the connection.
+                    in.clear();
+                    ctx.close();
+                }
+            }
         } else {
             Set<String> supportedProtocolNames = new HashSet<>(protocols.keySet());
             supportedProtocolNames.retainAll(urlMapper.keySet());
@@ -177,6 +198,11 @@ private void enableSsl(ChannelHandlerContext ctx, ProviderCert providerConnectio
         p.remove(this);
     }
 
+    private boolean canDetectSsl(ByteBuf buf) {
+        // at least 5 bytes to determine if data is encrypted
+        return detectSsl && buf.readableBytes() >= 5;
+    }
+
     private boolean isSsl(ByteBuf buf) {
         // at least 5 bytes to determine if data is encrypted
         if (detectSsl && buf.readableBytes() >= 5) {
