
Features You Never Knew Were There: You Can’t Do Everything


Sometimes the features we wish were in a product aren't ones we should necessarily have. We take a look at such an example in this post.

· Security Zone ·

In the previous posts in this series, I talked about the kind of features that we build into RavenDB: things that you never even notice, quietly making your life easier.

One feature we don’t have is an HTTPS to HTTP downgrade. What do I mean by that? Assume that you have a RavenDB instance that is running over plain HTTP, and a client attempts to connect to it using HTTPS. Remember that we are assuming the access is made on the same port, so the client wrote https://my.raven.database:8080 instead of http://my.raven.database:8080.

If the reverse happened (a client speaking plain HTTP to an HTTPS endpoint), we would detect that and give a clear error to the user. But the other way around? We don’t do that. Why not?

Well, the reasoning is very simple. If you connect to an HTTP endpoint using HTTPS, the first packet on the wire is the start of the SSL/TLS negotiation. However, we don’t have a certificate that we can use here, so we can’t even begin the negotiation, let alone send anything the client would accept.

We could try generating a self-signed certificate on the fly and answer the request with an error. But at that point the client will most likely already have failed at a lower level, because the self-signed certificate is not trusted, and the user will see a certificate error rather than our message.
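To make the asymmetry concrete, here is an added example (not RavenDB code) of what a listener can do with the first bytes it reads from a socket: an HTTPS listener that receives a plaintext request can answer with a readable HTTP error, while an HTTP listener that receives a TLS ClientHello can only log the mismatch and close. The method list and the reply text are my own choices.

```python
# Added example, not RavenDB's code: peek at the first bytes a listener
# receives and decide whether the client spoke the scheme the port expects.
from typing import Optional, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
TLS_HANDSHAKE = 0x16        # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01     # handshake message type "ClientHello"


def classify_first_bytes(data: bytes) -> str:
    """Return 'http', 'tls' or 'unknown' for the first bytes read from a socket."""
    # TLS record header: type(1) version(2) length(2), then the handshake type(1).
    # A ClientHello for TLS 1.0 through 1.3 carries record version 0x03 0x01..0x03.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def handle_mismatch(listener: str, data: bytes) -> Tuple[str, Optional[bytes]]:
    """listener is 'http' or 'https'. Returns (action, bytes_to_send_or_None).

    An HTTPS listener that sees a plaintext request can reply in the client's
    own language with a readable error. An HTTP listener that sees a ClientHello
    cannot: the client expects a ServerHello backed by a certificate it trusts,
    so anything we send is reported as a handshake failure on its side. The only
    useful thing left is to log the misconfiguration and close the connection.
    """
    seen = classify_first_bytes(data)
    if listener == "https" and seen == "http":
        body = b"This port speaks HTTPS; retry the request with https://\n"
        reply = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body
        return "reply-and-close", reply
    if listener == "http" and seen == "tls":
        return "log-and-close", None   # no reply the client could show to a user
    return "proceed", None
```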

Another point against implementing this feature is that HTTP endpoints are typically upgraded to HTTPS, but rarely the other way around, so the mismatch it would catch is an uncommon one.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.


Published at DZone with permission of
