Improve HTTPS-on-HTTP parser error

[puneetdixit200]

What do these changes do?

Special-cases request parser errors where the incoming method bytes start with \x16\x03, which is the common TLS ClientHello prefix. Both the pure-Python and Cython parser paths now report that HTTPS traffic was received on an HTTP port instead of showing the generic invalid method message.

Are there changes in behavior for the user?

Yes. Misconfigured clients that send HTTPS traffic to an aiohttp HTTP server port now get a clearer 400 parser error message. There are no public API changes.

Is it a substantial burden for the maintainers to support this?

No. The change is a small error-message special case for a well-known byte prefix, with regression coverage for both parser implementations.

Related issue number

Fixes #10142.

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes (N/A: parser error message only)
• If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • The format is .
  • Please keep alphabetical order, the file is sorted by names.
• Add a new news fragment into the CHANGES/ folder
  • name it <issue_or_pr_num>.<type>.rst (e.g. 588.bugfix.rst)
  • if you don't have an issue number, change it to the pull request
    number after creating the PR
    • .bugfix: A bug fix for something the maintainers deemed an
      improper undesired behavior that got corrected to match
      pre-agreed expectations.
    • .feature: A new behavior, public APIs. That sort of stuff.
    • .deprecation: A declaration of future API removals and breaking
      changes in behavior.
    • .breaking: When something public is removed in a breaking way.
      Could be deprecated in an earlier release.
    • .doc: Notable updates to the documentation structure or build
      process.
    • .packaging: Notes for downstreams about unobvious side effects
      and tooling. Changes in the test invocation considerations and
      runtime assumptions.
    • .contrib: Stuff that affects the contributor experience. e.g.
      Running tests, building the docs, setting up the development
      environment.
    • .misc: Changes that are hard to assign to any of the above
      categories.

Local validation

• Red regression before the fix: pytest tests/test_http_parser.py::test_http_request_parser_tls_handshake_on_http_port -q failed because the message was still the generic bad method error.
• Pure-Python parser: AIOHTTP_NO_EXTENSIONS=1 PYTHONPATH=. pytest tests/test_http_parser.py -q -> 377 passed, 13 skipped, 4 deselected.
• Accelerated parser build: generated Cython sources and installed editable package with extensions enabled.
• Cython-enabled parser run: PYTHONPATH=. pytest tests/test_http_parser.py -q -> 725 passed, 12 skipped, 6 deselected, 3 xfailed.
• Exception tests: PYTHONPATH=. pytest tests/test_http_exceptions.py -q -> 19 passed.
• black --check aiohttp/http_exceptions.py tests/test_http_parser.py passed.
• git diff --check reported only Windows LF-to-CRLF working-copy warnings.

Drafted with OpenAI GPT-5; reviewed by puneetdixit200.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.95%. Comparing base (a0a03ca) to head (233f352).
⚠️ Report is 5 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #12672   +/-   ##
=======================================
  Coverage   98.95%   98.95%           
=======================================
  Files         131      131           
  Lines       46688    46697    +9     
  Branches     2421     2422    +1     
=======================================
+ Hits        46200    46209    +9     
  Misses        366      366           
  Partials      122      122           

Flag	Coverage Δ
Autobahn	22.42% <28.57%> (+<0.01%)	⬆️
CI-GHA	98.92% <100.00%> (+<0.01%)	⬆️
OS-Linux	98.67% <100.00%> (+<0.01%)	⬆️
OS-Windows	97.03% <100.00%> (+<0.01%)	⬆️
OS-macOS	97.92% <100.00%> (-0.01%)	⬇️
Py-3.10	98.15% <100.00%> (-0.01%)	⬇️
Py-3.11	98.41% <100.00%> (+<0.01%)	⬆️
Py-3.12	98.50% <100.00%> (+<0.01%)	⬆️
Py-3.13	98.47% <100.00%> (-0.01%)	⬇️
Py-3.14	98.50% <100.00%> (+<0.01%)	⬆️
Py-3.14t	97.55% <100.00%> (+<0.01%)	⬆️
Py-pypy-3.11	97.42% <100.00%> (+<0.01%)	⬆️
VM-macos	97.92% <100.00%> (-0.01%)	⬇️
VM-ubuntu	98.67% <100.00%> (+<0.01%)	⬆️
VM-windows	97.03% <100.00%> (+<0.01%)	⬆️
cython-coverage	37.95% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codspeed-hq]

Merging this PR will not alter performance

✅ 72 untouched benchmarks
⏩ 72 skipped benchmarks¹

---

_{Comparing puneetdixit200:improve-https-on-http-error (233f352) with master (a0a03ca)}

Footnotes

1. 72 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[puneetdixit200]

All code checks are green now; the only failing check I see is Labels / Backport label added.

I tried to add backport:skip to satisfy the workflow, but I do not have label permissions on the repo. Could a maintainer add the appropriate backport... label, or switch it to a release backport label if this should be backported?