mina-dev mailing list archives

From "Chew Kok Hoor" <kokh...@gmail.com>
Subject Re: SSLFilter - Restarting using startSSL
Date Wed, 20 Feb 2008 02:43:34 GMT
Hi Trustin,

    I know what you mean. But my point is that when I use ConnectorTest (SSL
Client) to connect to the echoserver (SSL Server), and ConnectorTest does a
startSSL, the SSL Client throws an exception
'javax.net.ssl.SSLProtocolException: Illegal client handshake msg, 1'.

    However, if, upon detecting the client's SSL handshake message (say '.' in
your example), the echoserver calls startSSL as well, it works.

    Is this the right way to do things, that both parties must call startSSL?

Regards,
    Kok Hoor

On Feb 20, 2008 10:36 AM, 이희승 (Trustin Lee) <trustin@gmail.com> wrote:

> StartTLS is a general mechanism that allows you to (re)initiate an SSL
> session.  There's no standard for how we initiate an SSL session in
> StartTLS, but the following is typical:
>
> * Client asks for an SSL session to the server (plain text message)
> * Server prepares for an SSL session and responds to the client that it's
> ready (plain text message)
> * Client initiates an SSL session (SSL part from here...)
>
> So.. you need to have some agreement on what message to exchange between
> the client and the server to initiate an SSL session.  In the
> ConnectorTest, I used '.' as the initiation request message, and I think
> you will want something more meaningful instead of '.'.
>
> HTH,
> Trustin
>
> 2008-02-19 (Tue), 23:38 +0800, Kok Hoor (GMail) wrote:
> > Hi all,
> >
> >     I am using Mina 1.1.6 (downloaded the binary release, I don't Maven too
> > well), and am using org.apache.mina.example.echoserver.ConnectorTest to
> > connect to the echo server, both set up using SSL.
> >
> > I have noticed, however, that in ConnectorTest.java the following restart of
> > SSL fails:
> >
> >     connectorSSLFilter.startSSL(session);
> >
> > As it will cause a 'javax.net.ssl.SSLProtocolException: Illegal client
> > handshake msg, 1' exception to be thrown.
> >
> > I looked around the ConnectorTest and discovered that it sends a single-byte
> > message containing '.' before it calls startSSL. Therefore, I played around
> > a bit, and modified the echoserver handler to call startSSL when the '.' is
> > received. Amazingly it works, though I doubt I am doing this correctly. The
> > modified messageReceived function in EchoProtocolHandler is below:
> >
> > <code>
> >     public void messageReceived(IoSession session, Object message) throws Exception {
> >         ...
> >         ByteBuffer rb = (ByteBuffer) message;
> >         // if the message received is a single-byte '.', reply with '.' and startSSL
> >         if ( rb.remaining() == 1 && rb.get() == '.' )
> >         {
> >             ByteBuffer wb = ByteBuffer.allocate(1);
> >             wb.put((byte)'.');
> >             wb.flip();
> >             session.write(wb).join();
> >
> >             // the SSLHandler is stored on the session under this attribute key
> >             SSLHandler handler = (SSLHandler) session.getAttribute(SSLFilter.class.getName() + ".SSLHandler");
> >             SSLFilter filter = handler.getParent();
> >             if ( !filter.isSSLStarted(session) )
> >             {
> >                 log.info( "Restarting SSL" );
> >                 filter.startSSL(session);
> >             }
> >
> >             return;
> >         }
> >         ...
> >     }
> > </code>
> >
> > My question is:
> >
> > 1) Is this the right way to do things?
> > 2) If it is correct, do I need the join in 'session.write(wb).join();', or
> > should I not wait for the join, to prevent the server from being unable to
> > properly parse the startSSL message from the client?
> >
> > Thanks in advance.
> >
> > Regards,
> >     Kok Hoor
> >
> --
> Trustin Lee - Principal Software Engineer, JBoss, Red Hat
> --
> what we call human nature is actually human habit
> --
> http://gleamynode.net/
>
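Trustin's three plaintext steps followed by the switch to TLS on both sides, as an added example that is not part of this thread or of MINA. It is written against Go's crypto/tls rather than MINA's Java API because the point at issue is the shape of the exchange rather than a particular filter; the STARTTLS/READY tokens (the thread's ConnectorTest used a bare '.'), the in-memory self-signed certificate and the loopback port are all assumptions of the example. RunStartTLS(true, ...) is the two-sided case: the client asks in plaintext, the server answers READY, both then turn the same socket into a TLS connection, and the line comes back through the session. RunStartTLS(false, ...) reproduces the one-sided case from the thread: the server keeps echoing plaintext, so the client's ClientHello is bounced straight back to it and the client's handshake fails on an unexpected handshake message. That is the same class of failure as the "Illegal client handshake msg, 1" the JSSE client reported (in TLS, handshake type 1 is client_hello), which is consistent with the echo server having simply returned the ClientHello.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Negotiation tokens (hypothetical; the thread's ConnectorTest used a bare '.').
const startRequest, startReady = "STARTTLS\n", "READY\n"

// readLine reads one '\n'-terminated line a byte at a time, so the TLS record that may follow it stays on the socket.
func readLine(c net.Conn) (string, error) {
	var line []byte
	for b := make([]byte, 1); len(line) == 0 || line[len(line)-1] != '\n'; line = append(line, b[0]) {
		if _, err := io.ReadFull(c, b); err != nil {
			return "", err
		}
	}
	return string(line), nil
}

// selfSignedCert is an in-memory test fixture: a localhost certificate and a pool trusting only it.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // fixture, so fatal rather than returned
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// serve accepts one connection, answers the plaintext request with READY and then echoes whatever
// arrives: over TLS if upgrade is set, otherwise still in plaintext (the thread's one-sided case).
func serve(ln net.Listener, cert tls.Certificate, upgrade bool) error {
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	if req, err := readLine(conn); err != nil || req != startRequest {
		return fmt.Errorf("server: bad request %q: %v", req, err)
	}
	conn.Write([]byte(startReady)) // the last plaintext write; a failure surfaces on the next read
	var peer io.ReadWriter = conn  // plaintext: what gets echoed back is the client's own ClientHello
	if upgrade {
		peer = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	}
	_, err = io.Copy(peer, peer) // the first Read on a tls.Conn runs the server-side handshake
	return err
}

// client asks for the upgrade, aborts unless the server agrees (never falling back to cleartext), then talks TLS.
func client(addr string, roots *x509.CertPool, msg string) (string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	conn.Write([]byte(startRequest))
	if reply, err := readLine(conn); err != nil || reply != startReady {
		return "", fmt.Errorf("client: server did not agree to upgrade: %q %v", reply, err)
	}
	tconn := tls.Client(conn, &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12})
	if _, err := tconn.Write([]byte(msg)); err != nil {
		return "", err // Write runs the handshake; the one-sided case fails here
	}
	return readLine(tconn)
}

// RunStartTLS runs both sides over loopback TCP and returns what the client got back, or the error that stopped it.
func RunStartTLS(serverUpgrades bool, msg string) (string, error) {
	cert, roots := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go serve(ln, cert, serverUpgrades) // server-side failures surface on the client
	return client(ln.Addr().String(), roots, msg)
}

func main() {
	fmt.Println(RunStartTLS(true, "hello over TLS\n"))  // both sides switch: the line comes back
	fmt.Println(RunStartTLS(false, "hello over TLS\n")) // only the client switches: handshake error
}
```

Two details carry over to any StartTLS implementation. The READY reply is the last thing written in plaintext and it has been handed to the socket before the TLS side is created, which is the ordering the thread's write(wb).join() before startSSL is concerned with. And the negotiation itself is unauthenticated, so the client aborts on anything other than the agreed reply instead of continuing in cleartext: a peer or middlebox that strips the upgrade must produce a failure, not a downgraded connection. readLine consumes one byte at a time so that the plaintext phase cannot swallow the first TLS record, which is what a buffered reader layered over the socket would do.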