What if the server is sending encrypted responses and the client sends a close command? If we allowed continued writing in clear text on the server, we could end up exposing data the sender thought was encrypted.
On Fri, Jan 14, 2022 at 11:02 PM Jonathan Valliere <[email protected]> wrote:

> I checked that test and you are correct it fails. I could easily add
> mEngine.isInboundDone() check and bypass decoding and the same for
> encoding. However, I pose this question. Should we really support this
> behavior in the SSLFilter; couldn't that lead to situations where someone
> is expecting an encrypted session without knowing it was removed? I
> removed the attribute to enable and disable SSL because that was inherently
> insecure and prone to concurrent/race conditions.
>
> The best thing we could probably do is throw Close exceptions when
> receiving or writing to the closed SSLFilter.
>
> On Fri, Jan 14, 2022 at 12:30 PM Emmanuel Lécharny <[email protected]>
> wrote:
>
>> Hi Jonathan,
>>
>> I'm reviewing the SSL code in Mina 2.2 and we have an issue in a
>> specific use case, ie ConnectorTest.testTCPWithSSL:
>> - the client establishes an SSL connection
>> - it sends some data (all is ok)
>> - the client removes the SSL filter (but keeps the connection opened)
>> - it tries to send clear text messages and the Sslhandler is trying to
>> uncrypt them
>>
>> The pb is probably in the test where the server does not remove the
>> SslFilter from the chain. Note that this test is @disabled in 2.1.X (and
>> I'm positive that this test has the same issue in 2.1.X)
>>
>> I think we either have to fix the test (removing the SslFilter from the
>> server when we remove it from the client) or @ignore the test.
>> --
>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
>> T. +33 (0)4 89 97 36 50
>> P. +33 (0)6 08 33 32 61
>> [email protected] https://www.busit.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
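The fail-closed behaviour Jonathan proposes above (throw on receive or write once the SSL session is closed, rather than silently bypassing encoding and decoding) can be sketched as a MINA filter. This is an added example, not code from the MINA project or from either participant; it assumes the MINA 2.x `IoFilterAdapter`/`NextFilter` API and an `SSLEngine` reference supplied by whoever owns the SSL filter, and the class name `ClosedSslGuard` is hypothetical.

```java
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

import org.apache.mina.core.filterchain.IoFilter.NextFilter;
import org.apache.mina.core.filterchain.IoFilterAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.core.write.WriteRequest;

/**
 * Hypothetical fail-closed guard (example code, not part of MINA).
 * Once the SSLEngine has completed its close handshake in a direction,
 * traffic in that direction is rejected with an exception instead of
 * being passed along the chain as if it were still protected.
 */
public class ClosedSslGuard extends IoFilterAdapter {

    // Assumed to be the same engine the SSL filter drives (mEngine in the thread).
    private final SSLEngine engine;

    public ClosedSslGuard(SSLEngine engine) {
        this.engine = engine;
    }

    @Override
    public void filterWrite(NextFilter nextFilter, IoSession session, WriteRequest writeRequest)
            throws Exception {
        // Outbound side is done: close_notify has already been produced, so any
        // further write would leave the session as plaintext. Fail loudly instead.
        if (engine.isOutboundDone()) {
            throw new SSLException(
                    "write attempted after the SSL session was closed; refusing to send plaintext");
        }
        nextFilter.filterWrite(session, writeRequest);
    }

    @Override
    public void messageReceived(NextFilter nextFilter, IoSession session, Object message)
            throws Exception {
        // Inbound side is done: bytes arriving now are not covered by the session,
        // so surface an error rather than handing them up as application data.
        if (engine.isInboundDone()) {
            throw new SSLException(
                    "data received after the SSL session was closed; refusing to treat it as application data");
        }
        nextFilter.messageReceived(session, message);
    }
}
```

The point of the two checks is the one made in the thread: after `closeOutbound()`/`closeInbound()` the engine will not encrypt or decrypt anything further, so a filter that keeps forwarding data is exactly the "encrypted session silently became cleartext" case. Raising the exception lets the `exceptionCaught` handler decide whether to close the `IoSession`, which is usually the right outcome.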
