Comments (7)
This broke us in production. IMO this either should've been a blocker for 2.7, or else the version should've been bumped to 3.0.
from http-kit.
Have updated the CHANGELOG with appropriate warnings, and created a dedicated issue ([#528]) for the regression.
@gpind Thanks a lot for pinging about this!
from http-kit.
Thanks for being understanding, @ptaoussanis. This stuff happens.
> Could you please share more details on exactly what happened in your case? How exactly were you affected? What kind of solution/workaround was necessary? Anything relevant you can share might be helpful.

We communicate with many legacy servers we don't control. In some cases we talk to them via a proxy over VPN, and the setup is such that we need to pass `:insecure?` to http-kit (I'm not familiar with the details of that setup). When we bumped http-kit to 2.7, our requests to some of these servers started throwing errors like this:
```
"Hostname or IP address is undefined."
:via
[{:type javax.net.ssl.SSLHandshakeException
  :message "Hostname or IP address is undefined."
  :at [sun.security.ssl.Alert createSSLException "Alert.java" 131]}
 {:type java.security.cert.CertificateException
  :message "Hostname or IP address is undefined."
  :at [sun.security.util.HostnameChecker match "HostnameChecker.java" 97]}]
:trace
[[sun.security.util.HostnameChecker match "HostnameChecker.java" 97]
 [sun.security.ssl.X509TrustManagerImpl checkIdentity "X509TrustManagerImpl.java" 461]
 [sun.security.ssl.X509TrustManagerImpl checkIdentity "X509TrustManagerImpl.java" 435]
 [sun.security.ssl.AbstractTrustManagerWrapper checkAdditionalTrust "SSLContextImpl.java" 1566]
 [sun.security.ssl.AbstractTrustManagerWrapper checkServerTrusted "SSLContextImpl.java" 1507]
 [sun.security.ssl.CertificateMessage$T12CertificateConsumer checkServerCerts "CertificateMessage.java" 632]
 [sun.security.ssl.CertificateMessage$T12CertificateConsumer onCertificate "CertificateMessage.java" 473]
 [sun.security.ssl.CertificateMessage$T12CertificateConsumer consume "CertificateMessage.java" 369]
 [sun.security.ssl.SSLHandshake consume "SSLHandshake.java" 392]
 [sun.security.ssl.HandshakeContext dispatch "HandshakeContext.java" 443]
 [sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction run "SSLEngineImpl.java" 1076]
 [sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction run "SSLEngineImpl.java" 1063]
 [java.security.AccessController doPrivileged "AccessController.java" -2]
 [sun.security.ssl.SSLEngineImpl$DelegatedTask run "SSLEngineImpl.java" 1010]
 [org.httpkit.client.HttpsRequest doHandshake "HttpsRequest.java" 91]
 [org.httpkit.client.HttpClient doRead "HttpClient.java" 220]
 [org.httpkit.client.HttpClient run "HttpClient.java" 521]
 [java.lang.Thread run "Thread.java" 829]]
```
The immediate fix was simply to downgrade back to the version of http-kit we were on before.
We of course could and should have caught this ourselves, and we're looking into why we didn't.
I hadn't heard of Break Versioning, and will keep it in mind from now on. Thank you!
from http-kit.
@gpind Hi Michael, I'm very sorry about the problem! This is entirely on me, I'd incorrectly concluded that the affected tests were vestigial since they use an `:insecure?` flag that doesn't seem to be documented as part of http-kit's public API.
Could you please share more details on exactly what happened in your case? How exactly were you affected? What kind of solution/workaround was necessary? Anything relevant you can share might be helpful.
> or else the version should've been bumped to 3.0.

While it's easy to miss and not relevant in this case since the breakage was unintended, I'll note for future reference that http-kit uses Break Versioning - so the version bump to 2.7 is intended to indicate the possibility of minor breaks.
In any case, I'll note that since http-kit lost its author several years ago - it's currently maintained by its community. While we do the best we can, errors undoubtedly will slip in from time to time. Realistically, more than in the average author-led project since we're all pretty strapped for time, and none of us is deeply familiar with the whole codebase or its design or history. I would recommend testing new releases before deploying to production.
I'll add additional guidance on this to future release notes.
Finally, just to reiterate - I really am sorry for any unintended breaks, I know how much stress that can cause. My sincere apologies.
from http-kit.
Update: I just found a reference to the `:insecure?` option on the legacy website. I'll add a warning to the release notes for anyone that might be using this, and create an issue to restore support
from http-kit.
Likewise - thanks a lot for your understanding, and for the additional info!
> The immediate fix was simply to downgrade back to the version of http-kit we were on before.

That's probably the best bet in the meantime, especially if you're otherwise satisfied with the previous version. Will try prioritise #528 after my next batch of open-source work, and update here if there's any news.
from http-kit.
Closing since this should now be addressed in v2.8.0-beta1, Ref. #528 (comment).
Again apologies for the trouble.
from http-kit.
Related Issues (20)
- CURL and finagle failing to parse :set-cookies with '\n' HOT 13
- Unix socket benchmark HOT 1
- It will turn headers into camel format HOT 2
- logger-warn gets rebound HOT 1
- logger-warn and error-warn are passed in wrong order to HttpServer constructor HOT 1
- Requests which throw java.net.ConnectException may actually succeed HOT 3
- Request Map doesn't contain information about authority HOT 8
- http-kit v2.8.0-RC1 HOT 1
- http-kit v2.8.0 final HOT 1
- Consider adding `Content-Type: text/plain` to HTTP 500 response in `org.httpkit.server.HttpHandler#run` HOT 6
- v2.7.0 SNI change broke connections to plain IP addresses with SSLHandshakeException "Hostname or IP address is undefined." HOT 8
- Add options for encoding nested form and query params a la clj-http HOT 7
- WebTransport support HOT 2
- NoSuchMethodError on projects AOT'd on java 21 but run on earlier java versions HOT 13
- [Proposal][Client] Consider more idiomatic bridges with JVM async paradigms HOT 5
- "Unmasked client to server frame" causes 502s HOT 9
- [client][performance] Regression after #446 HOT 3
- Add updated WebSocket examples to Wiki HOT 4
- documentation needs cleaning up and centralizing (was -> footnote link for API docs / run-server is wrong) HOT 2
- Possible native memory leak HOT 4