mina-dev mailing list archives

From Jeff MAURY <jeffma...@jeffmaury.com>
Subject Re: SSL/TLS missing methods in MINA 3
Date Mon, 05 May 2014 08:38:41 GMT
I'm with you for adding methods. BTW, I also suggested to add events
related to secure connections.
I'm not sure using TLS suffix is that good as our impl will not be
restricted to TLS.

Jeff


On Sun, May 4, 2014 at 11:20 AM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> Hi guys,
>
> I'm currently reviewing the SSL/TLS implementation in MINA 3. Currently,
> we only support the opening of an SSL session.
>
> If you look at the IoSession interface, this is all we have:
>
> IoSession.initSecure(). This method is creating a SslHelper instance,
> and stores it into the session attributes.
>
> This is clearly not enough.
>
> We need to implement at least two other methods :
>
> - IoSession.stopSecure() should be added. It will switch from an SSL
> session to a clear session (mandatory for stopping a TLS session
> without closing the connection)
> - IoSession.rehandshake() should be added
>
> The first method is critical, as the startTLS implementation requires
> that you should be able to use a port, switch to a secure protocol using
> the same port, and switch back to a clear protocol, without closing the
> connection. This is what we have in LDAP, SMTP, IMAP/POP3, FTP, XMPP,
> NNTP...
>
> I have no idea (yet) how to implement that.
>
> We already discussed the rehandshake feature lately.
>
> Two minor things:
> 1) initSecure, which creates the SslHelper instance, is created every
> time we call the initSecure() method, which is done solely when we
> create the session. This is bad. We need to expose this method to the
> client and server, as we may want to initiate a secure communication at
> any time (typically, when the client sends a startTLS request and the
> server receives it).
> 2) I wonder if we should not use better names. startTls, stopTls,
> rehandshakeTls, for instance. First, it's clearer (and fits point 1),
> and second, SSL has been replaced by TLS a long time ago.
>
> wdyt ?
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>


-- 
Jeff MAURY


"Legacy code" often differs from its suggested alternative by actually
working and scaling.
 - Bjarne Stroustrup

http://www.jeffmaury.com
http://riadiscuss.jeffmaury.com
http://www.twitter.com/jeffmaury
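The lifecycle Emmanuel describes (clear session, startTLS on the same port, stopTLS back to clear without closing the connection) can be driven end to end in memory. The following is an added example, not MINA code and not part of this thread: it uses Python's ssl.MemoryBIO so that client and server run in one process with no sockets, and models the three operations under discussion (startTls, data exchange, stopTls via a two-way close_notify). The only external assumption is that the openssl command-line tool is on PATH; it is used solely to mint a throwaway self-signed certificate for the server side. The SMTP-like messages are constructed for the example.

```python
"""STARTTLS-style lifecycle on one connection, driven entirely in memory.

Added example, not MINA code. The two MemoryBIOs c2s/s2c play the role of the
TCP connection: they exist before the TLS layer, carry its records while it is
up, and are reused in the clear once close_notify has been exchanged both ways.
ASSUMPTION: the `openssl` CLI is on PATH (only used to mint a throwaway cert).
"""
import os
import ssl
import subprocess
import tempfile


def make_self_signed_cert(tmpdir):
    """Mint a one-day self-signed cert for 'localhost' (assumes the openssl CLI)."""
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return cert, key


def pump(src, dst):
    """Move whatever one peer's TLS layer emitted onto the wire; return the bytes."""
    data = src.read()
    dst.write(data)
    return data


def drive_handshake(ends, limit=16):
    """ends: [(sslobj, its outgoing BIO, wire it writes to), ...].
    Alternate do_handshake() and pump until both sides report completion."""
    pending = [True] * len(ends)
    for _ in range(limit):
        for i, (end, out, wire) in enumerate(ends):
            if pending[i]:
                try:
                    end.do_handshake()
                    pending[i] = False
                except ssl.SSLWantReadError:
                    pass  # needs the peer's next flight
            pump(out, wire)
        if not any(pending):
            return
    raise RuntimeError("TLS handshake did not converge")


def read_app_data(end, attempts=4):
    """Read plaintext from an SSLObject whose incoming BIO already holds the
    record. Post-handshake messages (TLS 1.3 session tickets) can make the
    first read raise SSLWantReadError, so retry a bounded number of times."""
    for _ in range(attempts):
        try:
            return end.read()
        except ssl.SSLWantReadError:
            continue
    raise RuntimeError("no application data available")


def stop_tls(initiator, i_out, i_wire, responder, r_out, r_wire):
    """Bidirectional close_notify: the stopSecure() step. Afterwards both
    SSLObjects are done but the wires themselves stay open and reusable."""
    try:
        initiator.unwrap()  # sends close_notify; the peer's has not arrived yet
    except ssl.SSLWantReadError:
        pass
    pump(i_out, i_wire)
    responder.unwrap()      # reads the peer's close_notify, answers with its own
    pump(r_out, r_wire)
    initiator.unwrap()      # consumes the responder's close_notify; now complete


def starttls_roundtrip():
    """Clear -> TLS -> clear on the same pair of wires; returns observations."""
    with tempfile.TemporaryDirectory() as tmpdir:
        cert, key = make_self_signed_cert(tmpdir)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert + hostname
        client_ctx.load_verify_locations(cert)                # pin the throwaway cert

        # The connection: one wire per direction, shared by every phase below.
        c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()

        # 1. Clear phase (constructed SMTP-like exchange).
        c2s.write(b"STARTTLS\r\n")
        clear_request = c2s.read()
        s2c.write(b"220 Go ahead\r\n")
        clear_response = s2c.read()

        # 2. startTls: layer SSLObjects over the *same* wires and handshake.
        c_out, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
        client = client_ctx.wrap_bio(s2c, c_out, server_hostname="localhost")
        server = server_ctx.wrap_bio(c2s, s_out, server_side=True)
        drive_handshake([(client, c_out, c2s), (server, s_out, s2c)])
        tls_version = client.version()

        client.write(b"EHLO client\r\n")
        on_wire = pump(c_out, c2s)            # the record as it crosses the wire
        secured_request = read_app_data(server)
        server.write(b"250 OK\r\n")
        pump(s_out, s2c)
        secured_response = read_app_data(client)

        # 3. stopTls: close_notify both ways; nothing is left on the wires.
        stop_tls(client, c_out, c2s, server, s_out, s2c)
        wires_clean = all(b.pending == 0 for b in (c2s, s2c, c_out, s_out))

        # 4. Back in the clear on the same connection.
        c2s.write(b"QUIT\r\n")
        after_request = c2s.read()
        s2c.write(b"221 Bye\r\n")
        after_response = s2c.read()

        return {
            "clear_before": (clear_request, clear_response),
            "tls_version": tls_version,
            "secured": (secured_request, secured_response),
            "ciphertext_hides_plaintext": b"EHLO" not in on_wire,
            "wires_empty_after_stop": wires_clean,
            "clear_after": (after_request, after_response),
        }


if __name__ == "__main__":
    for name, value in starttls_roundtrip().items():
        print(f"{name}: {value!r}")
```

The point the thread raises is visible in step 3: stopping TLS is not the same as closing the connection. Both peers must send and consume close_notify, and only after the initiator has read the peer's alert is the wire guaranteed to carry no further TLS records, so that the next bytes written in the clear are not swallowed or misparsed by the TLS layer. An engine that tears down the TLS state on the first unwrap(), or that reads ahead past the close_notify, would corrupt the clear session that follows.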
