Doesn't the DisableEncryptionWriteRequest get you where you need to go?
Just wrap the startTLS message and pass upstream into the SSLFilter.

On Mon, Jan 17, 2022 at 10:11 PM Emmanuel Lécharny <elecha...@gmail.com>
wrote:

>
>
> On 17/01/2022 17:13, Jonathan Valliere wrote:
> > Shouldn’t Directory be able to configure and add the SSLFiler on demand?
>
> Yes, this is done when it receives a startTLS request.
>
> There is a trick though: When the server receives the request, it should
> establish the SSL layer, then send back the StartTLS response *in clear*
> for the client to start the HS when it receives the response. This is
> the reason we added the DISABLE_ENCRYPTION_ONCE attributeKey in MINA:
>
>      /**
>       * A session attribute key that makes next one write request bypass
>       * this filter (not encrypting the data).  This is a marker attribute,
>       * which means that you can put whatever as its value. ({@link Boolean#TRUE}
>       * is preferred.)  The attribute is automatically removed from the session
>       * attribute map as soon as {@link IoSession#write(Object)} is invoked,
>       * and therefore should be put again if you want to make more messages
>       * bypass this filter.  This is especially useful when you implement
>       * StartTLS.
>       */
>      public static final AttributeKey DISABLE_ENCRYPTION_ONCE = new AttributeKey(SslFilter.class, "disableOnce");
>
> Without this flag, we would have potentially faced a race condition
> where we could send the startTLS response *before* having established
> fully the SslFilter, and the client would then start the HS before the
> server is ready to process it.
>
> To summarize:
>
> C ---> startTLS request ---> S
>                               <establishing the SSL layer>
>                               <send the startTLS response *in clear*>
> C <--- startTLS response <-- S
> .
> .
> .
> C ---> TLS ClientHELLO   --> S
>                               <Handshake processing>
>      ...
>
>
> As you can see, the way the LDAP protocol works makes it necessary for MINA
> to be tweaked this way.
>
>
> >
> > It will setup and attempt to start the moment it’s added on the server
> > filterchain.
> >
> > On Mon, Jan 17, 2022 at 11:10 AM Emmanuel Lécharny <elecha...@gmail.com
> > <mailto:elecha...@gmail.com>> wrote:
> >
> >
> >
> >     On 17/01/2022 16:48, Jonathan Valliere wrote:
> >      > I think that piece of code is trying to move the concern of
> >     configuring
> >      > the SSL into a place which doesn’t have enough information about
> the
> >      > state.  The Ciphers can be set when the Filter is created.  If a
> >     special
> >      > workflow is needed, you can always extend SSLFilter now which has
> >      > convenient override handlers.
> >
> >     Well, I don't think it's necessary in this case.
> >
> >     What we need in LDAP Server is the possibility, on demand, to
> establish
> >     an encrypted session. That means the previous communication was in
> clear,
> >     and we ask the server to be ready to handle a HS.
> >
> >     That is as simple.
> >
> >     Note that in Apache Directory server we have the possibility to
> define
> >     the ciphers per configuration, and this is taken into account in the
> >     first part of the 'if'.
> >
> >     I question the second part as it seems to violate the (LDAP
> >     StartTLS) RFC.
> >
> >     So bottom line, it's not a MINA issue, but rather a Directory one.
> >
> >     --
> >     Emmanuel Lécharny
> >
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecha...@busit.com https://www.busit.com/
>
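The server-side sequence Emmanuel describes (install the SslFilter first, then send the StartTLS response in clear via DISABLE_ENCRYPTION_ONCE), written out as an added MINA 2 handler example; this is not code from the thread or from Apache Directory, and StartTlsRequest / StartTlsResponse are placeholder message types standing in for a real codec's extended-operation classes.

```java
import javax.net.ssl.SSLContext;

import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

/**
 * Handles an LDAP StartTLS extended request on the server side, in the order
 * the thread describes: establish the SSL layer, then answer in clear so the
 * client's ClientHello arrives at a server that is already able to process it.
 */
public class StartTlsHandler extends IoHandlerAdapter {
    private static final String SSL_FILTER_NAME = "ssl";

    private final SSLContext sslContext;  // assumed: configured by the caller (keystore, protocols)

    public StartTlsHandler(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    @Override
    public void messageReceived(IoSession session, Object message) throws Exception {
        if (!(message instanceof StartTlsRequest)) {
            return;  // other LDAP operations are handled elsewhere
        }

        if (session.getFilterChain().contains(SSL_FILTER_NAME)) {
            // A second StartTLS on an already protected session must not stack
            // another SSL layer; reject it and keep the existing one.
            session.write(new StartTlsResponse(StartTlsResponse.OPERATIONS_ERROR));
            return;
        }

        // 1. Put the SslFilter in place *before* answering, so the handshake the
        //    client starts on receipt of the response finds the server ready.
        session.getFilterChain().addFirst(SSL_FILTER_NAME, new SslFilter(sslContext));

        // 2. The response itself must leave in clear: mark the next write to bypass
        //    the filter. The attribute is consumed by that single write, so any
        //    later clear-text write would need it set again (none is needed here).
        session.setAttribute(SslFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);
        session.write(new StartTlsResponse(StartTlsResponse.SUCCESS));

        // From here on, every write goes through the SslFilter and is encrypted
        // once the handshake completes.
    }
}
```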
