On 17/01/2022 17:13, Jonathan Valliere wrote:
Shouldn’t Directory be able to configure and add the SSLFiler on demand?

Yes, this is done when it receives a startTLS request.

There is a trick though: When the server receives the request, it should establish the SSL layer, then send back the StartTLS response *in clear* for the client to start the HS when it receives the response. This is the reason we added the DISABLE_ENCRYPTION_ONCE attributeKey in MINA:

    /**
     * A session attribute key that makes next one write request bypass
     * this filter (not encrypting the data).  This is a marker attribute,
     * which means that you can put whatever as its value. ({@link Boolean#TRUE}
     * is preferred.) The attribute is automatically removed from the session
     * attribute map as soon as {@link IoSession#write(Object)} is invoked,
     * and therefore should be put again if you want to make more messages
     * bypass this filter.  This is especially useful when you implement
     * StartTLS.
     */
    public static final AttributeKey DISABLE_ENCRYPTION_ONCE = new AttributeKey(SslFilter.class, "disableOnce");

Without this flag, we would have potentially faced a race condition where we could send the startTLS response before having fully established the SslFilter, and the client would then start the HS before the server is ready to process it.

To summarize:

C ---> startTLS request ---> S
                             <establishing the SSL layer>
                             <send the startTLS response *in clear*>
C <--- startTLS response <-- S
.
.
.
C ---> TLS ClientHELLO   --> S
                             <Handshake processing>
    ...


As you can see, the way the LDAP protocol works makes it necessary for MINA to be tweaked this way.
It will setup and attempt to start the moment it’s added on the server filterchain.

On Mon, Jan 17, 2022 at 11:10 AM Emmanuel Lécharny <elecha...@gmail.com> wrote:
    On 17/01/2022 16:48, Jonathan Valliere wrote:
     > I think that piece of code is trying to move the concern of configuring
     > the SSL into a place which doesn't have enough information about the
     > state.  The Ciphers can be set when the Filter is created.  If a special
     > workflow is needed, you can always extend SSLFilter now which has
     > convenient override handlers.

    Well, I don't think it's necessary in this case.

    What we need in LDAP Server is the possibility, on demand, to establish
    an encrypted session. That means the previous communication was in clear,
    and we ask the server to be ready to handle a HS.

    It is as simple as that.

    Note that in Apache Directory server we have the possibility to define
    the ciphers per configuration, and this is taken into account in the
    first part of the 'if'.

    I question the second part as it seems to violate the (LDAP
    StartTLS) RFC.

    So bottom line, it's not a MINA issue, but rather a Directory one.

-- Emmanuel Lécharny


--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
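The server-side sequence described in the thread (add the SslFilter, mark the next write so it bypasses encryption, then send the StartTLS response in clear), as an added example that is not code from the thread or from Apache Directory. It assumes the MINA 2.0/2.1 SslFilter API with the DISABLE_ENCRYPTION_ONCE marker quoted above, an SSLContext already built from the server's key material, and a caller that has decoded an LDAP ExtendedRequest carrying the StartTLS OID (1.3.6.1.4.1.1466.20037, RFC 4511). The filter name, class name and response object are hypothetical.

```java
// Added example (not from the thread): server-side StartTLS handling on a MINA IoSession.
// Assumes MINA 2.0/2.1: SslFilter starts its SSLEngine as soon as it is added to the chain,
// and SslFilter.DISABLE_ENCRYPTION_ONCE makes exactly one write bypass encryption.
import javax.net.ssl.SSLContext;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

public final class StartTlsHandler {
    /** StartTLS extended operation OID (RFC 4511, section 4.14). */
    public static final String START_TLS_OID = "1.3.6.1.4.1.1466.20037";

    /** Hypothetical filter name used to detect an already-secured session. */
    private static final String SSL_FILTER_NAME = "sslFilter";

    private final SSLContext sslContext;

    public StartTlsHandler(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    /**
     * Called once an ExtendedRequest with START_TLS_OID has been decoded.
     *
     * @param session           the client session, currently in clear
     * @param successResponse   the encoded StartTLS ExtendedResponse (resultCode success)
     * @param alreadySecured    the encoded response to send when TLS is already active
     *                          (RFC 4511 says the server must reply operationsError in that case)
     * @return true if the TLS layer was installed and the handshake can proceed
     */
    public boolean handleStartTls(IoSession session, Object successResponse, Object alreadySecured) {
        // Refuse a second StartTLS on a session that already carries the SSL layer.
        if (session.getFilterChain().contains(SSL_FILTER_NAME)) {
            session.write(alreadySecured);
            return false;
        }

        // 1. Establish the SSL layer first. The filter is ready to consume the
        //    ClientHello the moment it sits in the chain, so no race with step 3.
        SslFilter sslFilter = new SslFilter(sslContext);
        sslFilter.setUseClientMode(false);
        session.getFilterChain().addFirst(SSL_FILTER_NAME, sslFilter);

        // 2. Mark the very next write so the SslFilter lets it through unencrypted.
        //    The marker is removed automatically by that write.
        session.setAttribute(SslFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);

        // 3. Send the StartTLS response in clear. Everything written after this
        //    point goes through the SSL layer, which is what the client expects
        //    once it receives the response and starts the handshake.
        session.write(successResponse);
        return true;
    }
}
```

The order of steps 1 and 2 relative to step 3 is the whole point: the marker must be set before the write, and the filter must be in the chain before the response leaves, otherwise the client's ClientHello can arrive at a server that has no SSL layer yet and gets treated as garbage LDAP.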
