From 15b2f69aa9fe309afd86e8ae7bc4b4e3bf8d4bbc Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Mon, 25 Mar 2024 08:41:34 -0700
Subject: [PATCH] net/http: also log TLS errors which look like HTTP sent to an
 HTTPS port

We log TLS handshake errors in general, but currently do not log errors
when the first TLS record looks like an attempt to send HTTP to an HTTPS
port. There doesn't seem to be any principled reason to log the one and
not the other, so just log all TLS handshake errors.

Fixes #66501

Change-Id: I5d78a754d054c220be935513448515721fa387a6
Reviewed-on: https://go-review.googlesource.com/c/go/+/573979
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Auto-Submit: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 src/net/http/server.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/net/http/server.go b/src/net/http/server.go
index 18efbb2ce12011..0002da98d8302c 100644
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -1922,12 +1922,15 @@ func (c *conn) serve(ctx context.Context) {
 			// If the handshake failed due to the client not speaking
 			// TLS, assume they're speaking plaintext HTTP and write a
 			// 400 response on the TLS conn's underlying net.Conn.
+			var reason string
 			if re, ok := err.(tls.RecordHeaderError); ok && re.Conn != nil && tlsRecordHeaderLooksLikeHTTP(re.RecordHeader) {
 				io.WriteString(re.Conn, "HTTP/1.0 400 Bad Request\r\n\r\nClient sent an HTTP request to an HTTPS server.\n")
 				re.Conn.Close()
-				return
+				reason = "client sent an HTTP requset to an HTTPS server"
+			} else {
+				reason = err.Error()
 			}
-			c.server.logf("http: TLS handshake error from %s: %v", c.rwc.RemoteAddr(), err)
+			c.server.logf("http: TLS handshake error from %s: %v", c.rwc.RemoteAddr(), reason)
 			return
 		}
 		// Restore Conn-level deadlines.