I would have thought the reason SSL Filter needs to be before Proxy is
because the SSL handshaking from the client side would get proxied away
from the SSL Filter.

On Wed, Feb 10, 2016 at 12:57 PM, Emmanuel Lécharny <elecha...@gmail.com>
wrote:

> On 10/02/16 18:16, Norbert Irmer wrote:
> >> Ok, but you can insert the SslFilter *before* the proxyFilter. Once you
> >> get the ProxyConnector instance, get the connector and do :
> >
> > Well, I am using a patched QuickFixJ version, in which the control flow is a bit different.
> >
> > Here is an excerpt from the code they are using:
> >
> >
> >             CompositeIoFilterChainBuilder ioFilterChainBuilder = new CompositeIoFilterChainBuilder(
> >                     userIoFilterChainBuilder);
> >
> >             boolean useProxy = proxyType != null && proxyPort > 0 &&
> >                                 socketAddresses[0] instanceof InetSocketAddress;
> >
> >
> >             SslFilter sslFilter = null;
> >             if (sslEnabled) {
> >                 boolean autoStart = !useProxy;
> >                 sslFilter = installSslFilter(ioFilterChainBuilder, autoStart);
> >             }
> >
> >             ioFilterChainBuilder.addLast(FIXProtocolCodecFactory.FILTER_NAME,
> >                     new ProtocolCodecFilter(new FIXProtocolCodecFactory()));
> >
> >             if (useProxy) {
> >                 SocketConnector socketConnector = new NioSocketConnector();
> >                 socketConnector.setFilterChainBuilder(ioFilterChainBuilder);
> >                 ioConnector = ProtocolFactory.createIoProxyConnector(socketConnector,
> >                         (InetSocketAddress) socketAddresses[0], new InetSocketAddress(proxyHost,
> >                                 proxyPort), proxyType, proxyVersion, proxyUser, proxyPassword,
> >                         proxyDomain, proxyWorkstation);
> >             } else {
> >                 ioConnector = ProtocolFactory.createIoConnector(socketAddresses[0]);
> >                 ioConnector.setFilterChainBuilder(ioFilterChainBuilder);
> >             }
> >
> >             ioHandler = new InitiatorIoHandler(fixSession, sslFilter,
> >                     networkingOptions, eventHandlingStrategy);
> >         }
> >
> >         private SslFilter installSslFilter(CompositeIoFilterChainBuilder ioFilterChainBuilder,
> >                                            boolean autoStart)
> >                 throws GeneralSecurityException {
> >             SslFilter sslFilter = new SslFilter(SSLContextFactory.getInstance(keyStoreName,
> >                     keyStorePassword.toCharArray()), autoStart);
> >             if (enableProtocole != null)
> >                 sslFilter.setEnabledProtocols(enableProtocole);
> >             if (cipherSuites != null)
> >                 sslFilter.setEnabledCipherSuites(cipherSuites);
> >             sslFilter.setUseClientMode(true);
> >             ioFilterChainBuilder.addLast(SSLSupport.FILTER_NAME, sslFilter);
> >             return sslFilter;
> >         }
> >
> >
> > Sure, with a lot of time, I could possibly rewrite the code, to swap the positions of the filters in the filterchain.
> >
> > But I see little sense in it, since the code is working. The only problem I have, is that I get this deadlock after a few minutes or so.
> How can you say the code is working when you get a deadlock ?
>
> As Jon said, having the ProxyFilter *before* the SSLFilter in the chain
> is not the right thing. The reason being that you may perfectly get
> fragmented TCP buffers, and the proxy might not be able to deal with
> de-fragmentation when it comes to encrypted data.
>
> I suggest that you patch the code to first call the installSslFilter
> method after the proxy has been created, and in the
> installSslFilter method, use addFirst() instead of addLast().
>
> Otherwise, you can also check with the latest trunk revision I built
> today to see if it's any better (on http://people.apache.org/~elecharny)
>
>
