[
https://issues.apache.org/jira/browse/HTTPCLIENT-2344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17884330#comment-17884330
]
Ben Plotnick commented on HTTPCLIENT-2344:
------------------------------------------
{quote}IMO We should strictly follow RFC-2817; otherwise, what's the point of
having a standard?
{quote}
Servers are not obliged to follow RFC-2817. It is not part of the HTTP/1.1 spec.
[RFC-9110](https://datatracker.ietf.org/doc/html/rfc9110#section-7.8) states
{quote}A server MAY ignore a received Upgrade header field if it wishes to
continue using the current protocol on that connection. Upgrade cannot be used
to insist on a protocol change.
{quote}
This also does not prescribe server behavior and I don't believe a server would
be out of spec to reject this request.
But more practically, even if you are correct in saying that it is the server's
fault for not following spec, you are proposing that the solution is to have
all clients of that proxy now be broken by default. There is a long history
of much worse spec misunderstanding and flat-out violation on the web with
middleboxes and proxies. The solution has always been for maximal compatibility
rather than maximal spec compliance. Breaking clients by default is backwards
incompatible and unacceptable.
> HTTP/1.1 TLS Upgrade (RFC-2817) should not be default
> -----------------------------------------------------
>
> Key: HTTPCLIENT-2344
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2344
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 5.4
> Reporter: Ben Plotnick
> Priority: Minor
> Fix For: 5.4.1
>
>
> Version 5.4 added RFC-2817 support, which by default tries to upgrade since
> protocolUpgradeEnabled is enabled by default.
> Although the strict reading of the spec would indicate that a server should
> ignore upgrade requests that it cannot service, conservative proxies might
> reject these requests entirely. This is the case in Envoy today.
> I don't see a big advantage to enabling this by default and it is causing
> real issues now.
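An added illustration, not part of the thread and not HttpClient code: a local Python model of the interaction discussed above, with one server that ignores `Upgrade` as RFC 9110 permits and a hypothetical strict intermediary that rejects it. The `TLS/1.2` token value and the 403 status are constructed assumptions, not values taken from the issue.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of the headers an RFC 2817 upgrade attempt carries.
UPGRADE_HEADERS = {"Upgrade": "TLS/1.2", "Connection": "Upgrade"}

def make_handler(reject_upgrade):
    """Handler that ignores Upgrade, or rejects it when reject_upgrade is set."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            wants_upgrade = self.headers.get("Upgrade") is not None
            if wants_upgrade and reject_upgrade:
                status, body = 403, b"upgrade not allowed\n"  # assumed status
            else:
                status, body = 200, b"ok\n"  # carry on with plain HTTP/1.1
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def probe(reject_upgrade, send_upgrade):
    """Start a loopback server, send one GET, return the response status."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(reject_upgrade))
    threading.Thread(target=server.serve_forever,
                     kwargs={"poll_interval": 0.05}, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/", headers=UPGRADE_HEADERS if send_upgrade else {})
        status = conn.getresponse().status
        conn.close()
        return status
    finally:
        server.shutdown()
        server.server_close()

def compatibility_matrix():
    """Map (server rejects Upgrade, client sends Upgrade) to the status seen."""
    return {(reject, upgrade): probe(reject, upgrade)
            for reject in (False, True) for upgrade in (False, True)}

if __name__ == "__main__":
    for (reject, upgrade), status in compatibility_matrix().items():
        print(f"server_rejects={reject!s:5} client_upgrades={upgrade!s:5} -> {status}")
```

Only the combination of an upgrading client and a rejecting intermediary fails, which is the case a default-on setting exposes to every request through that hop.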