Doesn't the DisableEncryptionWriteRequest get you where you need to go? Just wrap the startTLS message and pass upstream into the SSLFilter.
On Mon, Jan 17, 2022 at 10:11 PM Emmanuel Lécharny <elecha...@gmail.com> wrote:
>
> On 17/01/2022 17:13, Jonathan Valliere wrote:
> > Shouldn’t Directory be able to configure and add the SSLFilter on demand?
>
> Yes, this is done when it receives a startTLS request.
>
> There is a trick though: When the server receives the request, it should
> establish the SSL layer, then send back the StartTLS response *in clear*
> for the client to start the HS when it receives the response. This is
> the reason we added the DISABLE_ENCRYPTION_ONCE attributeKey in MINA:
>
>     /**
>      * A session attribute key that makes next one write request bypass
>      * this filter (not encrypting the data). This is a marker attribute,
>      * which means that you can put whatever as its value. ({@link Boolean#TRUE}
>      * is preferred.) The attribute is automatically removed from the session
>      * attribute map as soon as {@link IoSession#write(Object)} is invoked,
>      * and therefore should be put again if you want to make more messages
>      * bypass this filter. This is especially useful when you implement
>      * StartTLS.
>      */
>     public static final AttributeKey DISABLE_ENCRYPTION_ONCE = new AttributeKey(SslFilter.class, "disableOnce");
>
> Without this flag, we would have potentially faced a race condition
> where we could send the startTLS response *before* having established
> fully the SslFilter, and the client would then start the HS before the
> server is ready to process it.
>
> To summarize:
>
>     C ---> startTLS request ---> S
>                                  <establishing the SSL layer>
>                                  <send the startTLS response *in clear*>
>     C <--- startTLS response <-- S
>     .
>     .
>     .
>     C ---> TLS ClientHELLO --> S
>                                <Handshake processing>
>     ...
>
> As you can see, the way the LDAP protocol works makes it necessary for MINA
> to be tweaked this way.
>
> > It will set up and attempt to start the moment it’s added on the server
> > filterchain.
> >
> > On Mon, Jan 17, 2022 at 11:10 AM Emmanuel Lécharny <elecha...@gmail.com> wrote:
> > >
> > > On 17/01/2022 16:48, Jonathan Valliere wrote:
> > > > I think that piece of code is trying to move the concern of configuring
> > > > the SSL into a place which doesn’t have enough information about the
> > > > state. The Ciphers can be set when the Filter is created. If a special
> > > > workflow is needed, you can always extend SSLFilter now which has
> > > > convenient override handlers.
> > >
> > > Well, I don't think it's necessary in this case.
> > >
> > > What we need in LDAP Server is the possibility, on demand, to establish
> > > a crypted session. That means the previous communication was in clear,
> > > and we ask the server to be ready to handle a HS.
> > >
> > > That is as simple.
> > >
> > > Note that in Apache Directory server we have the possibility to define
> > > the ciphers per configuration, and this is taken into account in the
> > > first part of the 'if'.
> > >
> > > I question the second part as it seems to violate the (LDAP
> > > StartTLS) RFC.
> > >
> > > So bottom line, it's not a MINA issue, but rather a Directory one.
> > >
> > > --
> > > Emmanuel Lécharny
>
> --
> *Emmanuel Lécharny - CTO*
> 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecha...@busit.com
> https://www.busit.com/
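The server-side ordering Emmanuel describes (install the SslFilter first, then send the StartTLS response in clear so the server is already able to accept the ClientHello), written out as an added example. This is not code from the thread, from ApacheDS or from MINA; it assumes the MINA 2.0/2.1 SslFilter API in which the DISABLE_ENCRYPTION_ONCE attribute quoted above exists, an SSLContext supplied by the caller, and hypothetical StartTlsRequest/StartTlsResponse marker classes standing in for the real LDAP extended request and response types. It also adds the check a server should make before installing the filter: a second StartTLS on a session that is already protected is answered with operationsError instead of stacking a second SslFilter.

```java
import javax.net.ssl.SSLContext;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslFilter;

/**
 * Hypothetical StartTLS handler (added example, not ApacheDS code).
 * Shows the MINA-side sequence for an LDAP StartTLS extended operation:
 *   1. refuse if TLS is already established on this session,
 *   2. add the SslFilter (server mode) to the chain BEFORE replying,
 *   3. mark the next write so it bypasses encryption,
 *   4. send the StartTLS response in clear; the client then starts the handshake.
 */
public class StartTlsHandler extends IoHandlerAdapter {

    /** Hypothetical marker types standing in for the LDAP ExtendedRequest/ExtendedResponse. */
    public static final class StartTlsRequest {}

    public static final class StartTlsResponse {
        public final String resultCode;
        public StartTlsResponse(String resultCode) { this.resultCode = resultCode; }
    }

    /** Assumed filter name; ApacheDS may use a different one. */
    private static final String SSL_FILTER_NAME = "sslFilter";

    private final SSLContext sslContext;

    public StartTlsHandler(SSLContext sslContext) {
        // The SSLContext (key material, enabled protocols/ciphers) is prepared by the caller.
        this.sslContext = sslContext;
    }

    @Override
    public void messageReceived(IoSession session, Object message) throws Exception {
        if (!(message instanceof StartTlsRequest)) {
            return; // every other LDAP operation is handled elsewhere
        }

        // RFC 4511 §4.14.2.2: StartTLS when TLS is already established is an
        // operations-sequencing error. Answering operationsError also prevents
        // a second SslFilter from being pushed onto the same chain.
        if (session.getFilterChain().contains(SSL_FILTER_NAME)) {
            session.write(new StartTlsResponse("operationsError"));
            return;
        }

        // Step 2: install the SSL layer first. Once the filter is in the chain the
        // server can consume the ClientHello whenever it arrives, so the response
        // written below can never race ahead of the filter set-up.
        SslFilter sslFilter = new SslFilter(sslContext);
        sslFilter.setUseClientMode(false);
        session.getFilterChain().addFirst(SSL_FILTER_NAME, sslFilter);

        // Step 3: the attribute is consumed by exactly one write, which is the
        // behaviour the quoted Javadoc describes.
        session.setAttribute(SslFilter.DISABLE_ENCRYPTION_ONCE, Boolean.TRUE);

        // Step 4: this single response leaves in clear; everything the client
        // sends after reading it is expected to be TLS handshake data.
        session.write(new StartTlsResponse("success"));
    }
}
```

The order of steps 2 and 3 relative to the write is the whole point: if the response were written before the filter was added, the filter would not be in place for the ClientHello, and if the attribute were not set, the SslFilter would try to encrypt the response before any handshake had happened. Under the newer SslFilter that Jonathan refers to at the top of the thread, the per-write bypass is expressed by wrapping the response in a DisableEncryptionWriteRequest rather than by setting a session attribute; the installation-before-response ordering is unchanged.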