Features You Never Knew Were There: You Can’t Do Everything


Sometimes the features we wish were in a product aren't ones we should necessarily have. We take a look at such an example in this post.


In the previous posts in this series, I talked about the kind of features that we build into RavenDB: things that you never even notice making your life easier.

One feature we don’t have is an HTTPS to HTTP downgrade. What do I mean by that? Assume that you have a RavenDB instance that is running using HTTP, and a client attempts to connect to it using HTTPS. Remember that we are assuming that the access is made on the same port. So the client wrote https://my.raven.database:8080 instead of http://my.raven.database:8080.

If the opposite happened (an HTTP client connecting to an HTTPS endpoint), we would detect that and give a clear error to the user. But the other way around? We don’t do that. Why?

Well, the reasoning is very simple. If you connect to an HTTP endpoint using HTTPS, the first packet on the wire wants to do SSL negotiation. However, we don’t have a certificate that we can use here, so we can’t even start the negotiation process.

We could try generating a self-signed certificate on the fly and answering the request with an error. But at that point, the client will likely have already received an error at a low level, because the self-signed certificate is not trusted.

Another point against implementing this feature is that HTTP endpoints typically become HTTPS, but rarely the other way around.
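The asymmetry described above, as an added example that is not RavenDB's code: a listener can tell from the first bytes which protocol the client is speaking, but only a TLS listener that receives plaintext HTTP can answer in a form the client will read. The function names, the returned action labels and the sample bytes are assumptions made for illustration.

```python
"""Classify the first bytes a listener receives, to show why the two
protocol mismatches are not symmetric. All names here are hypothetical."""

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'http-request', 'incomplete' or 'unknown'."""
    if len(data) < 6:
        return "incomplete"
    # TLS record header: type(1) version(2) length(2), then handshake type(1).
    # 0x16 = handshake record, 0x03 = SSL3/TLS major version, 0x01 = ClientHello.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if 0 < record_len <= 2**14 and data[5] == 0x01:
            return "tls-client-hello"
    # HTTP/1.x request line: METHOD SP request-target ...
    method, sep, _ = data.partition(b" ")
    if sep and method in HTTP_METHODS:
        return "http-request"
    return "unknown"


def mismatch_action(listener_is_tls: bool, first_bytes: bytes) -> str:
    """What a server can usefully do when the client speaks the wrong protocol."""
    kind = classify_first_bytes(first_bytes)
    if listener_is_tls and kind == "http-request":
        # The client reads plaintext, so a plain HTTP error reaches the user.
        return "reply-plain-http-400"
    if not listener_is_tls and kind == "tls-client-hello":
        # The client only accepts TLS records and there is no certificate to
        # negotiate with: record it on the server side and close the connection.
        return "log-and-close"
    return "continue"


# Constructed sample inputs (not captured traffic); the ClientHello is truncated.
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05,
                             0x01, 0x00, 0x00, 0x01, 0x00])
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: my.raven.database:8080\r\n\r\n"

if __name__ == "__main__":
    print(mismatch_action(True, SAMPLE_HTTP))
    print(mismatch_action(False, SAMPLE_CLIENT_HELLO))
```

On the plaintext listener the mismatch is still worth logging, since the server-side log is the only place the cause can be recorded.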


Published at DZone with permission of Oren Eini, DZone MVB. See the original article here.
