Copilot commented on code in PR #16200:
URL: https://github.com/apache/dubbo/pull/16200#discussion_r3063278544
##########
dubbo-remoting/dubbo-remoting-http3/src/main/java/org/apache/dubbo/remoting/transport/netty4/NettyHttp3ConnectionClient.java:
##########
@@ -64,8 +65,10 @@ protected void initConnectionClient() {
@Override
protected void initBootstrap() throws Exception {
+ URL url = getUrl();
+ QuicSslContext quicSslContext =
Http3SslContexts.buildClientSslContext(url);
io.netty.channel.ChannelHandler codec =
Http3Helper.configCodec(Http3.newQuicClientCodecBuilder(), getUrl())
- .sslContext(Http3SslContexts.buildClientSslContext(getUrl()))
+ .sslEngineProvider(q -> quicSslContext.newEngine(q.alloc(),
url.getHost(), url.getPort()))
.build();
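Review bot: In the `Http3Helper.configCodec(Http3.newQuicClientCodecBuilder(), getUrl())` call the hunk still invokes `getUrl()`, although the new local `url` was introduced just above to hold the same value; pass `url` there so the codec configuration and the peer host/port given to `newEngine(...)` visibly come from one object. The `.sslEngineProvider(...)` lambda also lacks a comment: a one-line note that the engine is now created with the peer host and port, replacing the earlier `.sslContext(...)` call, would record the reason for the switch next to the code.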
Review Comment:
The hostname passed to the QUIC SSLEngine is taken from
`url.getHost()/getPort()`, but the actual remote endpoint is
`getConnectAddress()` (which applies `NetUtils.filterLocalHost(...)` in
`AbstractClient#getConnectAddress`). These can diverge for values like `127.x`,
`0.0.0.0`, or `localhost`, causing hostname verification to validate against a
different name than the one actually connected to (false failures or, worse,
validating the wrong peer). Consider using the host/port from
`getConnectAddress()` (or applying the same `filterLocalHost` logic) when
creating the engine.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.