mina-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [MINA 3] SSL working session : a feedback
Date Mon, 06 May 2013 08:17:32 GMT
On 5/6/13 10:05 AM, Jeff MAURY wrote:
> Emmanuel,
> that's a good summary of what we discussed yesterday, but I'd like to add the
> following:
> 1) Events
> The sessionOpened event is generated when the socket is created; should we
> defer it until the handshake is completed?

I don't think so. There are cases where we will establish SSL
communication *after* having established the connection. Typically, a
protocol like startTls, which is an application-level protocol, allows an
application to exchange some unencrypted data and, at some point, decide
to switch to an encrypted mode, and potentially back to an unencrypted
mode later.

One good example is the LDAP startTls extended operation: when you call
a stopTls, you stop encrypting the data, but the session remains active.

> And as we now support
> rehandshaking, what do we do when the rehandshake is complete ?
We just continue exchanging data using the newly negotiated ciphers.

> 2) Processing of messages while in handshake
> When the handshake is being processed, the code considers that any data to be
> sent will be directly sent to the socket unencrypted, and the reason for
> that is that it considers the data comes from the SSLEngine; but if the
> application decides to send data at the same time, then I suspect the data
> will be sent unencrypted, leading probably to alerts being generated on the
> remote side. So I think we probably need a flag (internal?) on the
> WriteRequest and a package-private method for those internal messages.
IMO, we should *not* allow the session to send anything as soon as the
handshake has started. Keep in mind that the first step is to create an
SslContext and instantiate an SslEngine which is stored in the session, so
anything being sent should go through the SslEngine. While the handshake
is in progress, we should wait and not send any data.

Emmanuel Lécharny
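The write-gating design argued for above (sessionOpened fired at socket creation, no application bytes on the wire while the handshake is in flight, parked writes flushed through the engine once it completes, and a stopTls that returns the still-open session to plaintext), as an added, runnable model; it is not MINA code and not the author's. StubEngine is an assumed stand-in for javax.net.ssl.SSLEngine: it reproduces the handshake-status machine and record types but does no cryptography (a Record is only flagged `sealed` where a real engine would encrypt). `Session`, `run_starttls`, the `gate_writes` switch and the sample LDAP-style payloads are all constructed for the example; `gate_writes=False` reproduces the leak Jeff describes, where an application write during the handshake bypasses the engine and the peer rejects it.

```python
"""Model: gate application writes while a TLS engine is handshaking (StartTLS)."""
from collections import deque
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

HANDSHAKE, APPLICATION = 0x16, 0x17        # TLS record content types


class HandshakeStatus(Enum):               # mirrors SSLEngineResult.HandshakeStatus
    NOT_HANDSHAKING = auto()
    NEED_WRAP = auto()
    NEED_UNWRAP = auto()
    FINISHED = auto()


@dataclass
class Record:
    content_type: Optional[int]            # None: raw bytes, no TLS framing at all
    payload: bytes
    sealed: bool = False                   # stub for "encrypted under the session keys"


class StubEngine:
    """Assumed stand-in for SSLEngine: two-flight toy handshake, no crypto."""

    def __init__(self, client_mode: bool):
        self.client_mode = client_mode
        self.status = HandshakeStatus.NEED_WRAP if client_mode else HandshakeStatus.NEED_UNWRAP

    def wrap_handshake(self) -> Record:    # internal flight; only Session._pump calls it
        self.status = HandshakeStatus.NEED_UNWRAP if self.client_mode else HandshakeStatus.FINISHED
        return Record(HANDSHAKE, b"ClientHello" if self.client_mode else b"ServerHello+Finished")

    def wrap(self, data: bytes) -> Record:  # application data: legal only after the handshake
        assert self.status is HandshakeStatus.NOT_HANDSHAKING
        return Record(APPLICATION, data, sealed=True)

    def unwrap(self, rec: Record) -> Optional[bytes]:
        if rec.content_type == HANDSHAKE:
            self.status = HandshakeStatus.FINISHED if self.client_mode else HandshakeStatus.NEED_WRAP
            return None
        if rec.content_type == APPLICATION and rec.sealed:
            return rec.payload
        raise ValueError("alert: plaintext record inside a TLS session")  # what the peer would send


class Session:
    def __init__(self, gate_writes: bool = True):
        self.engine: Optional[StubEngine] = None     # no engine: plaintext phase
        self.pending, self.outbox = deque(), deque()  # parked app writes / socket send queue
        self.sent, self.received = [], []
        self.events = ["sessionOpened"]              # fired at socket creation, not after TLS
        self.gate_writes = gate_writes               # False models the bug discussed in the thread

    def handshaking(self) -> bool:
        return self.engine is not None and self.engine.status is not HandshakeStatus.NOT_HANDSHAKING

    def _send(self, rec: Record) -> None:
        self.sent.append(rec)
        self.outbox.append(rec)

    def write(self, data: bytes) -> None:            # the application's write path
        if self.engine is None:
            self._send(Record(None, data))           # before StartTLS / after stopTls: plaintext is intended
        elif self.handshaking() and self.gate_writes:
            self.pending.append(data)                # park until handshakeComplete
        elif self.handshaking():
            self._send(Record(None, data))           # BUG modelled: bypasses the engine mid-handshake
        else:
            self._send(self.engine.wrap(data))

    def start_tls(self, client_mode: bool) -> None:
        self.engine = StubEngine(client_mode)
        self._pump()

    def stop_tls(self) -> None:                      # back to plaintext; the session stays open
        self.engine = None
        self.events.append("tlsStopped")

    def receive(self, rec: Record) -> None:
        if self.engine is None:
            self.received.append(rec.payload)
            return
        data = self.engine.unwrap(rec)
        if data is not None:
            self.received.append(data)
        self._pump()

    def _pump(self) -> None:                         # drive the engine; flush parked writes when done
        while self.engine.status is HandshakeStatus.NEED_WRAP:
            self._send(self.engine.wrap_handshake())
        if self.engine.status is HandshakeStatus.FINISHED:
            self.engine.status = HandshakeStatus.NOT_HANDSHAKING
            self.events.append("handshakeComplete")
            while self.pending:
                self.write(self.pending.popleft())   # now goes through engine.wrap()


def deliver(src: Session, dst: Session) -> None:     # the socket: in-order delivery
    while src.outbox:
        dst.receive(src.outbox.popleft())


def run_starttls(gate_writes: bool) -> dict:
    client, server, alert = Session(gate_writes), Session(gate_writes), None
    try:
        client.write(b"bind dn=cn=admin")            # constructed sample: plaintext before StartTLS
        deliver(client, server)
        server.start_tls(client_mode=False)          # server has accepted the StartTLS extended op
        client.start_tls(client_mode=True)           # ClientHello leaves immediately
        client.write(b"search secret")               # application write racing the handshake
        deliver(client, server)
        deliver(server, client)                      # client finishes, flushes the parked write
        deliver(client, server)
        client.stop_tls(); server.stop_tls()
        client.write(b"unbind")                      # plaintext again on the same open session
        deliver(client, server)
    except ValueError as e:
        alert = str(e)
    return {"alert": alert, "server_received": server.received,
            "client_events": client.events,
            "plaintext_on_wire": [r.payload for r in client.sent if r.content_type is None]}
```

With gating on, the only plaintext records the client ever sends are the pre-StartTLS bind and the post-stopTls unbind, and the server receives all three messages in order; with gating off, "search secret" hits the wire unframed between ClientHello and the server's flight, and the peer's engine rejects it, which is the alert Jeff anticipates.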
