Autoresolve grpcs scheme for port 443 #243

Open
opened 2025-12-28 18:07:32 +00:00 by sami · 6 comments

Originally created by @cthulhu-rider on GitHub (Dec 4, 2024).

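Is your feature request related to a problem? Please describe.

`Client` uses insecure `grpc` scheme when scheme is missing in the address [parameter](https://pkg.go.dev/github.com/nspcc-dev/neofs-sdk-go/client#PrmDial.SetServerURI). Port `443` is [reserved](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=443) for `http protocol over TLS/SSL`. For users, it would be easier if conn scheme defaulted to `grpcs` for addresses with this port cuz it's easier to forget the scheme than desire to try dial it insecurely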

Describe the solution you'd like

when port is 443, make a TLS dial

Describe alternatives you've considered

no

Additional context

https://github.com/nspcc-dev/neo-go/issues/3721


@roman-khimov commented on GitHub (Dec 4, 2024):

Really questionable. Admins can do all sorts of weird things. You don't know if 443 is TLS or not in any particular scenario. Normally it is. But some can find reasons to do otherwise. Schemes are exactly for that, http/https, grpc/grpcs. If we were talking about the default port when it's not specified, that'd be a different story, there are known good ones to use. But when it's specified without a scheme you have to resort to the default scheme which is not using TLS.


@532910 commented on GitHub (Dec 5, 2024):

I'd prefer to have 443 as a default: grpcs://st1.storage.fs.neo.org


@cthulhu-rider commented on GitHub (Dec 5, 2024):

> Normally it is.

exactly, this is where defaults fit well, which should make life easier in real practice

> But some can find reasons to do otherwise.

ofc, but this is a much more rare case tbh. For them, it is worth explicitly specifying the scheme

> I'd prefer to have 443 as a default: grpcs://st1.storage.fs.neo.org

I like this too. In total, I'd expect the following resolution:

- `host:443` -> `grpcs://host:443`
- `grpcs://host` -> `grpcs://host:443`

this would cover most practical cases and reduce the likelihood of a random mistake

---

I can also agree with @roman-khimov's opinion cuz `curl` does not use HTTPS by default for 443

```
$ curl 157.90.176.145:443
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
```

browsers' behavior varies: Chrome uses HTTPS while Firefox does not
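
The two resolution rules proposed in the comment above, combined with the no-scheme plaintext default described in the issue, as an added Go example that is not neofs-sdk-go code. `ResolveEndpoint` and the `node.example` addresses are hypothetical, and rejecting a missing port for plaintext `grpc` is an assumption, since the thread names no default port for it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ResolveEndpoint is a hypothetical helper, not a neofs-sdk-go function.
// It returns the host:port to dial and whether the dial should use TLS.
// An explicit scheme always wins; port 443 only decides when no scheme is given.
func ResolveEndpoint(addr string) (hostPort string, useTLS bool, err error) {
	scheme, rest, found := strings.Cut(addr, "://")
	if !found {
		scheme, rest = "", addr
	}
	if scheme != "" && scheme != "grpc" && scheme != "grpcs" {
		return "", false, fmt.Errorf("unsupported scheme %q", scheme)
	}
	host, port := rest, ""
	if h, p, splitErr := net.SplitHostPort(rest); splitErr == nil {
		host, port = h, p
	} else if strings.Contains(rest, ":") {
		return "", false, fmt.Errorf("bad address %q: %w", rest, splitErr)
	}
	if host == "" {
		return "", false, errors.New("empty host")
	}
	useTLS = scheme == "grpcs"
	switch {
	case port == "" && useTLS:
		port = "443" // proposed: grpcs://host -> grpcs://host:443
	case port == "":
		// Assumption: the thread names no default port for plaintext grpc.
		return "", false, errors.New("port required unless scheme is grpcs")
	case scheme == "" && port == "443":
		useTLS = true // proposed: host:443 -> grpcs://host:443
	}
	return net.JoinHostPort(host, port), useTLS, nil
}

func main() {
	// Constructed sample addresses.
	for _, a := range []string{"node.example:443", "grpcs://node.example", "grpc://node.example:443", "node.example:8080"} {
		fmt.Print(a, " -> ")
		fmt.Println(ResolveEndpoint(a))
	}
}
```

An explicit `grpc://node.example:443` still dials without TLS, which keeps the opt-out for the unusual deployments raised earlier in the thread.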


@532910 commented on GitHub (Dec 5, 2024):

Firefox also uses https by default


@cthulhu-rider commented on GitHub (Dec 6, 2024):

> Firefox also uses https by default

yeah, but if hostname is used, ip:443 uses http


@532910 commented on GitHub (Dec 6, 2024):

indeed, I have enabled `Enable HTTPS-Only Mode in all windows`, which is disabled by default

Reference
nspcc-dev/neofs-sdk-go#243