mina-dev mailing list archives

From 이희승 "(Trustin Lee)" <trus...@gmail.com>
Subject Re: SSLFilter - Restarting using startSSL
Date Wed, 20 Feb 2008 11:29:37 GMT
Hi Chew,

I am a little bit confused.  Do you mean that ConnectorTest fails?

One more piece of information that might help you is that SSLFilter is
deactivated completely once SSL session ends.  Therefore, you need to
call startSSL(...) explicitly so it becomes ready to receive the
handshake request.  Please take a look at the 'AbstractTest.java' which
is extended by 'ConnectorTest.java'.

Please take a look into AbstractTest$EchoProtocolHandler$messageReceived(...).

HTH,

On 2008-02-20 (Wed), 10:43 +0800, Chew Kok Hoor wrote:
> Hi Trustin,
> 
>     I know what you mean. But my point is when I use ConnectorTest (SSL
> Client) to connect to the echoserver (SSL Server), and when ConnectorTest
> does a startSSL, SSL Client will throw an exception
> 'javax.net.ssl.SSLProtocolException:Illegal client handshake msg, 1'.
> 
>     However, if, upon detecting the client SSL handshake message, say '.' in
> your example, and then the echoserver calls startSSL as well, it works.
> 
>     Is this the right way to do things? That both parties must call startSSL.
> 
> Regards,
>     Kok Hoor
> 
> On Feb 20, 2008 10:36 AM, 이희승 (Trustin Lee) <trustin@gmail.com> wrote:
> 
> > StartTLS is a general mechanism that allows you to (re)initiate an SSL
> > session.  There's no standard in how we initiate an SSL session in
> > StartTLS, but the following is typical:
> >
> > * Client asks for an SSL session to the server (plain text message)
> > * Server prepares for an SSL session and responds to the client that it's
> > ready (plain text message)
> > * Client initiates an SSL session (SSL part from here...)
> >
> > So.. you need to have some agreement on what message to exchange between
> > the client and the server to initiate an SSL session.  In the
> > ConnectorTest, I used '.' as the initiation request message, and I think
> > you will want something more meaningful instead of '.'.
> >
> > HTH,
> > Trustin
> >
> > On 2008-02-19 (Tue), 23:38 +0800, Kok Hoor (GMail) wrote:
> > > Hi all,
> > >
> > >     I am using Mina 1.1.6 (downloaded the binary release, I don't Maven too
> > > well), and am using org.apache.mina.example.echoserver.ConnectorTest to
> > > connect to the echo server, both set up using SSL.
> > >
> > > I have noticed however, in the ConnectorTest.java, the following restart SSL
> > > fails:
> > >
> > >     connectorSSLFilter.startSSL(session);
> > >
> > > As it will cause a 'javax.net.ssl.SSLProtocolException:Illegal client
> > > handshake msg, 1' exception to be thrown.
> > >
> > > I looked around the ConnectorTest and discovered that it sends a single-byte
> > > message containing '.' before it calls startSSL. Therefore, I played around
> > > a bit, and modified the echoserver handler to call startSSL when the '.' is
> > > received. Amazingly it works, though I doubt I am doing this correctly. The
> > > modified messageReceived function in EchoProtocolHandler is below:
> > >
> > > <code>
> > >     public void messageReceived(IoSession session, Object message) throws Exception {
> > >         ...
> > >         ByteBuffer rb = (ByteBuffer) message;
> > >         // if message received is single-byte '.', then reply with '.', and startSSL.
> > >         if ( rb.remaining() == 1 && rb.get() == '.' )
> > >         {
> > >             ByteBuffer wb = ByteBuffer.allocate(1);
> > >             wb.put((byte)'.');
> > >             wb.flip();
> > >             session.write(wb).join();
> > >
> > >             SSLHandler handler = (SSLHandler)
> > >                 session.getAttribute(SSLFilter.class.getName() + ".SSLHandler");
> > >             SSLFilter filter = handler.getParent();
> > >             if ( !filter.isSSLStarted(session) )
> > >             {
> > >                 log.info( "Restarting SSL" );
> > >                 filter.startSSL(session);
> > >             }
> > >
> > >             return;
> > >         }
> > >         ...
> > >     }
> > > </code>
> > >
> > > My question is:
> > >
> > > 1) Is this the right way to do things?
> > > 2) If it is correct, do I need the join in 'session.write(wb).join();', or
> > > should I not wait for the join to prevent server from not being able to
> > > properly parse startSSL message from the client?
> > >
> > > Thanks in advance.
> > >
> > > Regards,
> > >     Kok Hoor
> > >
> > --
> > Trustin Lee - Principal Software Engineer, JBoss, Red Hat
> > --
> > what we call human nature is actually human habit
> > --
> > http://gleamynode.net/
> >
-- 
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/
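An added example, not MINA's own code and not from any message in this thread, of the three-step agreement Trustin describes, written against the MINA 1.x SSLFilter API: the server answers a plain-text request with a plain-text "ready" reply, re-arms the filter so the client's handshake is consumed by SSLFilter instead of arriving in messageReceived as opaque bytes, and refuses application data until SSLFilter reports the session secured (and again after a TLS closure, when the filter goes idle as Trustin notes). The class name and the STARTTLS/READY tokens are assumptions standing in for the '.' used in ConnectorTest; DISABLE_ENCRYPTION_ONCE, USE_NOTIFICATION, SESSION_SECURED and SESSION_UNSECURED are SSLFilter's own constants.

```java
import java.nio.charset.Charset;
import org.apache.mina.common.ByteBuffer;
import org.apache.mina.common.IoHandlerAdapter;
import org.apache.mina.common.IoSession;
import org.apache.mina.filter.SSLFilter;

// Hypothetical server-side handler for the plain-text StartTLS agreement (MINA 1.x API).
public class StartTlsEchoHandler extends IoHandlerAdapter {
    private static final Charset ASCII = Charset.forName("US-ASCII");
    private static final String STARTTLS_REQUEST = "STARTTLS"; // assumed; stands in for '.'
    private static final String READY_REPLY = "READY";         // assumed plain-text ack
    private static final String SECURED = StartTlsEchoHandler.class.getName() + ".secured";
    private final SSLFilter sslFilter;
    public StartTlsEchoHandler(SSLFilter sslFilter) { this.sslFilter = sslFilter; }

    public void sessionCreated(IoSession session) {
        // Have SSLFilter report handshake completion and TLS closure as messages.
        session.setAttribute(SSLFilter.USE_NOTIFICATION, Boolean.TRUE);
    }

    public void messageReceived(IoSession session, Object message) throws Exception {
        if (message == SSLFilter.SESSION_SECURED) {   // handshake finished
            session.setAttribute(SECURED, Boolean.TRUE);
            return;
        }
        if (message == SSLFilter.SESSION_UNSECURED) { // TLS closure: the filter is idle again
            session.removeAttribute(SECURED);
            return;
        }
        if (!(message instanceof ByteBuffer)) return;
        String text = ((ByteBuffer) message).getString(ASCII.newDecoder());
        if (STARTTLS_REQUEST.equals(text) && !sslFilter.isSSLStarted(session)) {
            // Re-arm the filter first: a server-mode engine sends nothing until the
            // ClientHello arrives. Then send the ack in clear text; the marker exempts
            // exactly this one write from encryption. The client must wait for the ack
            // before calling startSSL on its side, or its handshake races the reply.
            sslFilter.startSSL(session);
            session.setAttribute(SSLFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);
            session.write(encode(READY_REPLY));
            return;
        }
        if (session.getAttribute(SECURED) == null) {
            session.close(); // refuse application data until the handshake has completed
            return;
        }
        session.write(encode(text)); // ordinary echo of decrypted data
    }

    private static ByteBuffer encode(String s) throws Exception {
        ByteBuffer wb = ByteBuffer.allocate(s.length()).putString(s, ASCII.newEncoder());
        return wb.flip(); // one byte per ASCII character, so no auto-expand needed
    }
}
```

The ordering matters: the filter only consumes the DISABLE_ENCRYPTION_ONCE marker once SSL has been started, so calling startSSL before the ack write keeps the marker from leaking onto a later write that should have been encrypted.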
