Hi,
So, we need to call startSSL both at the client and the server? Does it
matter which one gets started first?
Just to clarify, ConnectorTest fails if I connect to echoserver as the
server without any code change. It only works when I modify echoserver to do
a startSSL upon accepting the '.' used as the initiation of SSL.
Regards,
Kok Hoor
-----Original Message-----
From: 이희승 (Trustin Lee) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 20, 2008 7:30 PM
To: [email protected]
Subject: Re: SSLFilter - Restarting using startSSL
Hi Chew,
I am a little bit confused. Do you mean that ConnectorTest fails?
One more piece of information that might help you is that SSLFilter is deactivated
completely once the SSL session ends. Therefore, you need to call
startSSL(...) explicitly so it becomes ready to receive the handshake
request. Please take a look at 'AbstractTest.java', which is extended
by 'ConnectorTest.java'.
Please take a look into AbstractTest$EchoProtocolHandler$messageReceived(...).
HTH,
On 2008-02-20 (Wed), 10:43 +0800, Chew Kok Hoor wrote:
> Hi Trustin,
>
> I know what you mean. But my point is when I use ConnectorTest (SSL
> Client) to connect to the echoserver (SSL Server), and when
> ConnectorTest does a startSSL, the SSL Client will throw an exception
> 'javax.net.ssl.SSLProtocolException:Illegal client handshake msg, 1'.
>
> However, if, upon detecting the client SSL handshake message, say
> '.' in your example, the echoserver calls startSSL as well, it works.
>
> Is this the right way to do things? That both parties must call
> startSSL.
>
> Regards,
> Kok Hoor
>
> On Feb 20, 2008 10:36 AM, 이희승 (Trustin Lee) <[EMAIL PROTECTED]> wrote:
>
> > StartTLS is a general mechanism that allows you to (re)initiate an
> > SSL session. There's no standard in how we initiate an SSL session
> > in StartTLS, but the following is typical:
> >
> > * Client asks for an SSL session to the server (plain text message)
> > * Server prepares for an SSL session and responds to the client that
> > it's ready (plain text message)
> > * Client initiates an SSL session (SSL part from here...)
> >
> > So.. you need to have some agreement on what message to exchange
> > between the client and the server to initiate an SSL session. In
> > the ConnectorTest, I used '.' as the initiation request message, and
> > I think you will want something more meaningful instead of '.'.
> >
> > HTH,
> > Trustin
> >
> > On 2008-02-19 (Tue), 23:38 +0800, Kok Hoor (GMail) wrote:
> > > Hi all,
> > >
> > > I am using Mina 1.1.6 (downloaded the binary release, I don't Maven
> > > too well), and am using
> > > org.apache.mina.example.echoserver.ConnectorTest to connect to the
> > > echo server, both set up using SSL.
> > >
> > > I have noticed however, in the ConnectorTest.java, the following
> > > restart SSL fails:
> > >
> > > connectorSSLFilter.startSSL(session);
> > >
> > > As it will cause a 'javax.net.ssl.SSLProtocolException:Illegal
> > > client handshake msg, 1' exception to be thrown.
> > >
> > > I looked around the ConnectorTest and discovered that it sends a
> > > single-byte message containing '.' before it calls startSSL.
> > > Therefore, I played around a bit, and modified the echoserver handler
> > > to call startSSL when the '.' is received. Amazingly it works, though
> > > I doubt I am doing this correctly. The modified messageReceived
> > > function in EchoProtocolHandler is below:
> > >
> > > <code>
> > > public void messageReceived(IoSession session, Object message)
> > >         throws Exception {
> > >     ...
> > >     ByteBuffer rb = (ByteBuffer) message;
> > >     // if the message received is a single-byte '.', then reply with '.'
> > >     // and startSSL.
> > >     if (rb.remaining() == 1 && rb.get() == '.') {
> > >         ByteBuffer wb = ByteBuffer.allocate(1);
> > >         wb.put((byte) '.');
> > >         wb.flip();
> > >         // wait until the plaintext '.' reply is on the wire before
> > >         // switching this side to SSL
> > >         session.write(wb).join();
> > >
> > >         SSLHandler handler = (SSLHandler)
> > >                 session.getAttribute(SSLFilter.class.getName() + ".SSLHandler");
> > >         SSLFilter filter = handler.getParent();
> > >         if (!filter.isSSLStarted(session)) {
> > >             log.info("Restarting SSL");
> > >             filter.startSSL(session);
> > >         }
> > >
> > >         return;
> > >     }
> > >     ...
> > > }
> > > </code>
> > >
> > > My question is:
> > >
> > > 1) Is this the right way to do things?
> > > 2) If it is correct, do I need the join in
> > > 'session.write(wb).join();', or should I not wait for the join to
> > > prevent the server from not being able to properly parse the startSSL
> > > message from the client?
> > >
> > > Thanks in advance.
> > >
> > > Regards,
> > > Kok Hoor
> > >
> > --
> > Trustin Lee - Principal Software Engineer, JBoss, Red Hat
> > --
> > what we call human nature is actually human habit
> > --
> > http://gleamynode.net/
> >
--
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/
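The exchange Trustin describes and the failure Kok Hoor reports, as an added toy model that is not MINA code and not from this thread: while the echo server is still in plain mode it reflects the client's ClientHello straight back, and a client-side engine rejects a client_hello (TLS handshake type 1) with exactly the kind of "Illegal client handshake msg, 1" error quoted above; once the server also starts SSL on the '.' trigger, the ClientHello reaches a server-side engine and is answered. The two TLS engines are stubs that model only the first handshake flight (the 0x16 record type and the 1/2 message types are the real TLS values); the class and function names are constructed for this example.

```python
HANDSHAKE = 0x16                   # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2  # TLS handshake message types
TRIGGER = b"."                     # plaintext StartTLS request used by ConnectorTest


class IllegalHandshakeMsg(Exception):
    """Stands in for javax.net.ssl.SSLProtocolException in this model."""


class EchoServer:
    """Echo server peer; until SSL is started it reflects every byte it receives."""

    def __init__(self, start_ssl_on_trigger):
        self.start_ssl_on_trigger = start_ssl_on_trigger
        self.ssl_started = False

    def receive(self, data):
        if self.ssl_started:
            # Stub server-side TLS engine: the only legal first message is a ClientHello.
            if data[0] == HANDSHAKE and data[1] == CLIENT_HELLO:
                return bytes([HANDSHAKE, SERVER_HELLO])
            raise IllegalHandshakeMsg(f"Illegal server handshake msg, {data[1]}")
        # Plain mode: echo. The '.' reply is produced before the mode switch takes
        # effect, which is what session.write(wb).join() ensures in the posted code.
        if data == TRIGGER and self.start_ssl_on_trigger:
            self.ssl_started = True
        return data


class Client:
    """Client peer; start_ssl() arms a stub client-side TLS engine and emits a ClientHello."""

    def start_ssl(self):
        return bytes([HANDSHAKE, CLIENT_HELLO])

    def receive(self, data):
        # A client-side engine must never be handed a client_hello (type 1).
        if data[0] != HANDSHAKE or data[1] == CLIENT_HELLO:
            raise IllegalHandshakeMsg(f"Illegal client handshake msg, {data[1]}")
        return data[1]


def run_exchange(server_starts_ssl):
    """'.' request, '.' reply, then the first TLS flight; returns outcome as text."""
    server, client = EchoServer(server_starts_ssl), Client()
    if server.receive(TRIGGER) != TRIGGER:          # plaintext request and plaintext "ready"
        return "no plaintext ready reply"
    try:
        reply = server.receive(client.start_ssl())   # ClientHello sent after startSSL
        return "server_hello" if client.receive(reply) == SERVER_HELLO else "unexpected"
    except IllegalHandshakeMsg as exc:
        return str(exc)
```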