Throw exception when client with ssl try to connect with server without ssl (#16504)
diff --git a/example/jdbc/pom.xml b/example/jdbc/pom.xml
index 5489983..83f397d 100644
--- a/example/jdbc/pom.xml
+++ b/example/jdbc/pom.xml
@@ -39,5 +39,13 @@
<artifactId>iotdb-jdbc</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ </dependency>
</dependencies>
</project>
diff --git a/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/TElasticFramedTransport.java b/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/TElasticFramedTransport.java
index 5cc626f..05a6a83 100644
--- a/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/TElasticFramedTransport.java
+++ b/iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/TElasticFramedTransport.java
@@ -149,13 +149,28 @@
TTransportException.CORRUPTED_DATA,
"Singular frame size ("
+ size
- + ") detected, you may be sending HTTP GET/POST requests to the Thrift-RPC port, please confirm that you are using the right port");
+ + ") detected, you may be sending HTTP GET/POST requests to the Thrift-RPC port, "
+ + "please confirm that you are using the right port");
} else {
throw new TTransportException(
TTransportException.CORRUPTED_DATA,
"Frame size (" + size + ") larger than protect max size (" + thriftMaxFrameSize + ")!");
}
}
+
+ int high24 = size >>> 8;
+ if (high24 >= 0x160300 && high24 <= 0x160303 && (i32buf[3] & 0xFF) <= 0x02) {
+ // The typical TLS ClientHello requests start with 0x160300 ~ 0x160303
+ // The 4th byte is typically in [0x00, 0x01, 0x02].
+ close();
+ throw new TTransportException(
+ TTransportException.CORRUPTED_DATA,
+ "Singular frame size ("
+ + size
+ + ") detected, you may be sending TLS ClientHello requests to the Non-SSL Thrift-RPC"
+ + " port, please confirm that you are using the right configuration");
+ }
+
readBuffer.fill(underlying, size);
}
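Review bot: The ClientHello check sits after the oversized-frame branch that closes just above it, so it appears reachable only when `thriftMaxFrameSize` is at least about 0x16030000 (roughly 352 MiB). With a smaller configured limit, a TLS client would presumably still get the generic "larger than protect max size" message instead of the new hint. Consider moving the `high24` test ahead of the size comparison, next to the HTTP GET/POST detection, so the diagnostic does not depend on the configured limit. The inline comment could also say what the fourth byte is, for example `// bytes 1-3: handshake record type 0x16 + version 0x0300..0x0303; byte 4: high byte of the TLS record length`. The enclosing method starts outside the hunk, so the condition guarding the branch above is inferred from its error message.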
diff --git a/iotdb-client/service-rpc/src/test/java/org/apache/iotdb/rpc/TElasticFramedTransportTest.java b/iotdb-client/service-rpc/src/test/java/org/apache/iotdb/rpc/TElasticFramedTransportTest.java
index 086dc33..d9e99ec 100644
--- a/iotdb-client/service-rpc/src/test/java/org/apache/iotdb/rpc/TElasticFramedTransportTest.java
+++ b/iotdb-client/service-rpc/src/test/java/org/apache/iotdb/rpc/TElasticFramedTransportTest.java
@@ -67,5 +67,42 @@
"Singular frame size (1347375956) detected, you may be sending HTTP GET/POST requests to the Thrift-RPC port, please confirm that you are using the right port",
e.getMessage());
}
+
+ try {
+ TElasticFramedTransport transport =
+ new TElasticFramedTransport(
+ new TByteBuffer(ByteBuffer.wrap(getTypicalTLSClientHelloByteArray())),
+ 128 * 1024 * 1024,
+ 512 * 1024 * 1024,
+ false);
+ transport.open();
+ transport.read(ByteBuffer.allocate(4096));
+ fail("Exception expected");
+ } catch (TTransportException e) {
+ assertEquals(
+ "Singular frame size (369296129) detected, you may be sending TLS ClientHello requests to the Non-SSL Thrift-RPC port, please confirm that you are using the right configuration",
+ e.getMessage());
+ }
+ }
+
+ private static byte[] getTypicalTLSClientHelloByteArray() {
+ String clientHelloHex =
+ "16030301B3010001AF0303CEC349A4962AFCE0390D4E33D24050D1BF6B1CA63B190A25"
+ + "BCFB83D87A3E352C20187B978A0EB2F554EC0E41A4CA34B850B2CE472EAB7B3F58443DE7CDBE901412004A13"
+ + "0213011303C02CC02BCCA9C030CCA8C02F009FCCAA00A3009E00A2C024C028C023C027006B006A00670040C0"
+ + "0AC014C009C0130039003800330032009D009C003D003C0035002F00FF0100011C000500050100000000000A"
+ + "00160014001D001700180019001E01000101010201030104000B000201000011000900070200040000000000"
+ + "17000000230000000D002C002A040305030603080708080804080508060809080A080B040105010601040203"
+ + "0303010302020302010202002B00050403040303002D000201010032002C002A040305030603080708080804"
+ + "080508060809080A080B04010501060104020303030103020203020102020033006B0069001D002097B98B24"
+ + "B9A97EB7C913BDB8B363E79C9D47935264B2CF83BF422571FBD41C360017004104FC839279D372DCB60680D2"
+ + "81B3DC8D3B88F6231A880A3650FD45322A79C9EA14CE073C0B71FC0AF9683BFC6DA95EB23B4122EC9E09EB7F"
+ + "88FF565415DDF44367";
+ byte[] bytes = new byte[clientHelloHex.length() / 2];
+ for (int i = 0; i < clientHelloHex.length(); i += 2) {
+ int value = Integer.parseInt(clientHelloHex.substring(i, i + 2), 16);
+ bytes[i / 2] = (byte) value;
+ }
+ return bytes;
}
}
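Review bot: The new case builds the transport only with a 512 MiB max frame size, which is above the 369296129 that the fixture's first four bytes (`16 03 03 01`) decode to, so behaviour under a smaller configured limit is not pinned. A second case with a limit below that value would document the intended range, as would a boundary fixture such as a fourth byte of `0x03`, which the `<= 0x02` condition should not match. `getTypicalTLSClientHelloByteArray` would also benefit from a comment such as `// TLS record header 16 03 03 01 B3 -> first four bytes read as frame size 0x16030301 = 369296129`. The test method begins outside the hunk.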