Sending plaintext response for non-TLS connection attempts #54
this is ~(the response) in Firefox
I see why the above failed. By calling accept I was attempting to accept the next incoming connection, which is why I tried the following, non-preferred, Fd path... Even if I create a stream from an OwnedFd I get the following:
What are the leading bytes? How do I prevent them from being sent? How do I access the underlying stream should TLS fail?
So you want to achieve that plaintext (HTTP) clients connecting to your TLS server socket get an HTTP redirect? I don't think tokio-rustls will facilitate that use case, because it will ~always send a TLS alert when it fails to parse the client's stream as TLS. If you drop down directly to the rustls API you can probably make it work, but I'm not sure you can easily wrap a tokio-rustls connection around that after the fact. I suppose we could maybe support this use case in the
Imo, this is just default behavior... that said, this is my final solution
Can you elaborate on how the peeking trick should work? For me, in both cases (connecting via HTTP & HTTPS), the timer does not run into a timeout, as the peek was successful. Using the following:

```rust
tokio::spawn(async move {
    // Peek one byte without consuming it from the socket.
    let mut buf = [0u8; 1];
    tcp_stream.peek(&mut buf).await.unwrap();
    println!("peeked: {:?}", buf);
    // ...
});
```

... successfully peeks something with HTTP and HTTPS:
@c92s I ended up doing this. The first byte is the type signature. 22 (peeked: [22] <-- HTTPS) or 0x16 == HTTPS. I also check the client hello byte. If not both, then 301. `let _ = Self::redirect(&mut stream).await;`
@BrandonLeeDotDev thanks for the info! FYI: we could further refine that, using the available

```rust
if buf[0] == rustls::ContentType::Handshake.get_u8() && buf[5] == rustls::HandshakeType::ClientHello.get_u8() {
    crate::debug_with_time!({}, "TLS connection from {peer_addr}",);
    if let Ok(tls_stream) = acceptor.accept(stream).await {
        tokio::spawn(handle_client(tls_stream, peer_addr));
    }
} else {
    let _ = Self::redirect(&mut stream).await;
}
```

However, IMO this looks very "handcrafted", I am still not sure if this is the proper way to handle such cases...
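The same peek-and-classify check as an added, dependency-free Rust example (it is not code from this issue or from the tokio-rustls crate): it assumes at least 8 bytes were peeked from the socket, since indexing `buf[5]` needs the 5-byte TLS record header plus one handshake byte (a 1-byte peek as in the earlier snippet is not enough), and 8 also covers the longest HTTP method token it recognises. The `rustls::ContentType`/`HandshakeType` accessors from the comment above are replaced by the literal byte values they return.

```rust
// Added example, not from the tokio-rustls issue or crate. Pure std: no tokio
// or rustls needed. Classifies bytes peeked from a freshly accepted TCP socket
// so a server can either hand it to the TLS acceptor or send a plaintext reply.

/// TLS record content type "handshake" (RFC 8446, section 5.1).
const CONTENT_TYPE_HANDSHAKE: u8 = 0x16;
/// Handshake message type "client_hello" (RFC 8446, section 4).
const HANDSHAKE_TYPE_CLIENT_HELLO: u8 = 0x01;
/// 5-byte record header + handshake type needs 6 bytes; 8 also covers "OPTIONS ".
pub const MIN_PEEK: usize = 8;

#[derive(Debug, PartialEq, Eq)]
pub enum Peeked {
    /// Start of a TLS ClientHello: pass the socket to the TLS acceptor.
    TlsClientHello,
    /// Plaintext HTTP request line: answer with a redirect to https://.
    PlaintextHttp,
    /// Neither, or too few bytes to decide: close without guessing.
    Unknown,
}

pub fn classify(buf: &[u8]) -> Peeked {
    if buf.len() < MIN_PEEK {
        return Peeked::Unknown;
    }
    // Record header layout: type(1) legacy_version(2) length(2); the first
    // byte of the record body is the handshake message type.
    let legacy_version_ok = buf[1] == 0x03 && buf[2] <= 0x03;
    if buf[0] == CONTENT_TYPE_HANDSHAKE
        && legacy_version_ok
        && buf[5] == HANDSHAKE_TYPE_CLIENT_HELLO
    {
        return Peeked::TlsClientHello;
    }
    // Plaintext HTTP: the request line starts with an ASCII method and a space.
    const METHODS: [&[u8]; 7] = [b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH "];
    if METHODS.iter().any(|&m| buf.starts_with(m)) {
        return Peeked::PlaintextHttp;
    }
    Peeked::Unknown
}

fn main() {
    // Constructed sample: the first bytes of a TLS 1.2/1.3 ClientHello record.
    let hello = [0x16, 0x03, 0x01, 0x00, 0xf4, 0x01, 0x00, 0x00, 0xf0, 0x03, 0x03];
    println!("{:?}", classify(&hello)); // TlsClientHello
    println!("{:?}", classify(b"GET / HTTP/1.1\r\nHost: a\r\n")); // PlaintextHttp
}
```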
This is my current attempt among others. Both print statements print. I have had intermittent success... it's just not stable. What's the correct way to approach this within the lib itself?