Fix HTTP/2 downstream server certificate always null #1145

Merged: shivamgupta1 merged 3 commits into linkedin:master from Kevin-Ngo:Kevin-Ngo/fix-http2-downstream-cert on Feb 24, 2026
@Kevin-Ngo Kevin-Ngo commented Feb 19, 2026

Summary

  • Server certificates were always null for HTTP/2 connections because CertificateHandler stores the cert on the parent TCP channel, but the channel pool hands out child stream channels with separate attribute maps
  • Try reading SERVER_CERTIFICATES from the current channel first (HTTP/1.1), then fall back to the parent channel if not found (HTTP/2 child streams)

Context on getSslTimingCallback

SslHandshakeTimingHandler serves two separate concerns:

  1. The handler itself — added to the parent channel's pipeline. It records handshake duration in handlerAdded() and runs once per TCP connection.
  2. getSslTimingCallback (static method) — a utility that wraps a TransportCallback and is called per-stream/per-request (e.g. in Http2NettyStreamClient). Its job is to transfer already-computed channel-level attributes (handshake duration, server certificate) into each request's RequestContext.

In HTTP/2, the channel passed to this callback is a child stream channel, but the certificate is set on the parent TCP channel by CertificateHandler. This is why the fix adds a parent-channel fallback lookup — the child stream channel will never have the SERVER_CERTIFICATES attribute set directly on it.

Testing Done

  • Unit tests added (TestSslHandshakeTimingHandler)
  • HTTP/1.1: cert read directly from channel
  • HTTP/2: cert read from parent when child channel has none
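
The lookup order described in the summary above, as an added example that is not part of this pull request or the project's code. It assumes Netty 4.1 on the classpath; the key name `demo.serverCertificates`, its `Certificate[]` value type, the class and method names, and the `EmbeddedChannel` stand-ins for the TCP connection and the HTTP/2 stream are all hypothetical.

```java
import io.netty.channel.Channel;
import io.netty.channel.DefaultChannelId;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.util.AttributeKey;
import java.security.cert.Certificate;

public class ParentCertLookupDemo {
  // Hypothetical key standing in for the project's SERVER_CERTIFICATES attribute.
  static final AttributeKey<Certificate[]> SERVER_CERTS =
      AttributeKey.valueOf("demo.serverCertificates");

  /** Read from the current channel first (HTTP/1.1), then from its parent (HTTP/2 child stream). */
  static Certificate[] resolveServerCerts(Channel ch) {
    Certificate[] certs = ch.attr(SERVER_CERTS).get();
    if (certs == null && ch.parent() != null) {
      certs = ch.parent().attr(SERVER_CERTS).get();
    }
    return certs; // still null if neither channel carries the attribute
  }

  public static void main(String[] args) {
    // Constructed stand-ins: parent = TCP connection, child = one multiplexed stream.
    EmbeddedChannel parent = new EmbeddedChannel();
    EmbeddedChannel child =
        new EmbeddedChannel(parent, DefaultChannelId.newInstance(), true, false);

    // Placeholder chain constructed for the demo; a handshake-time handler would
    // store the real peer chain on the parent channel.
    Certificate[] chain = new Certificate[0];
    parent.attr(SERVER_CERTS).set(chain);

    // Each channel has its own attribute map, so a direct read on the child misses.
    System.out.println("child, direct read found cert:   " + (child.attr(SERVER_CERTS).get() != null));
    System.out.println("child, with parent fallback:     " + (resolveServerCerts(child) == chain));
    System.out.println("parent itself (HTTP/1.1 path):   " + (resolveServerCerts(parent) == chain));
    System.out.println("channel with no cert stays null: " + (resolveServerCerts(new EmbeddedChannel()) == null));

    child.finishAndReleaseAll();
    parent.finishAndReleaseAll();
  }
}
```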

Kevin-Ngo and others added 2 commits February 19, 2026 11:14
In HTTP/2, the channel pool hands out child stream channels whose
attribute maps are separate from the parent TCP channel. The server
certificate is stored on the parent by CertificateHandler, so child
streams always read null. Resolve the parent channel when reading
SERVER_CERTIFICATES so the cert is found for both HTTP/1.1 and HTTP/2.

Read server certificate from the current channel first (HTTP/1.1),
falling back to the parent channel if not found (HTTP/2 streams).
This is backward compatible for HTTP/1.1 and fixes cert resolution
for HTTP/2 multiplexed stream channels.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Kevin-Ngo Kevin-Ngo marked this pull request as ready for review February 19, 2026 19:32
@shivamgupta1 shivamgupta1 left a comment

LGTM

@shivamgupta1 shivamgupta1 merged commit f53250a into linkedin:master Feb 24, 2026
4 of 8 checks passed