Hi Jonathan,
I think the test makes no sense. This is the reason we have specific
operations such as StartTLS, which allow a safe transition from clear text
to encrypted text, and back (optionally): the client drives the server
explicitly.
In this test, we assume the server will shut down the TLS layer if the
client has aborted it. This is a bit far-fetched to me.
Side note: in Apache Directory Server, we support StartTLS (it's
mandatory) but we don't support the way back to clear text as soon as
startTLS is terminated. In other words, this is a one-way road: if you
send a startTLS command then the session will be encrypted until it's
closed.
So +1 to your decision, and let's @ignore the test.

On 15/01/2022 05:02, Jonathan Valliere wrote:
I checked that test and you are correct, it fails. I could easily add
an mEngine.isInboundDone() check and bypass decoding and the same for
encoding. However, I pose this question. Should we really support this
behavior in the SSLFilter; couldn't that lead to situations where
someone is expecting an encrypted session without knowing it was
removed? I removed the attribute to enable and disable SSL because that
was inherently insecure and prone to concurrent/race conditions.
The best thing we could probably do is throw Close exceptions when
receiving or writing to the closed SSLFilter.

On Fri, Jan 14, 2022 at 12:30 PM Emmanuel Lécharny <[email protected]> wrote:
Hi Jonathan,
I'm reviewing the SSL code in Mina 2.2 and we have an issue in a
specific use case, i.e. ConnectorTest.testTCPWithSSL:
- the client establishes an SSL connection
- it sends some data (all is ok)
- the client removes the SSL filter (but keeps the connection open)
- it tries to send clear text messages and the Sslhandler is trying to
decrypt them
The problem is probably in the test where the server does not remove the
SslFilter from the chain. Note that this test is @disabled in 2.1.X
(and I'm positive that this test has the same issue in 2.1.X)
I think we either have to fix the test (removing the SslFilter from the
server when we remove it from the client) or @ignore the test.
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected]
https://www.busit.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
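
The fail-closed behaviour proposed in the thread (raise an error on reads and writes once the TLS engine reports closed, instead of letting traffic continue in clear text), sketched against the JDK's `SSLEngine`. This is an added example, not MINA's SslFilter code and not from the thread; the class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

// Hypothetical fail-closed wrapper around a JDK SSLEngine (not MINA's SslFilter).
public class FailClosedTls {
    private final SSLEngine engine;
    public FailClosedTls(SSLEngine engine) { this.engine = engine; }

    // Inbound: once the TLS layer is closed, bytes are rejected, never passed up as clear text.
    public ByteBuffer decode(ByteBuffer net) throws SSLException {
        if (engine.isInboundDone()) {
            throw new SSLException("TLS inbound closed; refusing " + net.remaining() + " bytes");
        }
        ByteBuffer app = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        engine.unwrap(net, app);
        app.flip();
        return app;
    }

    // Outbound: once the engine has finished closing, writes fail instead of going out in clear.
    public ByteBuffer encode(ByteBuffer app) throws SSLException {
        if (engine.isOutboundDone()) {
            throw new SSLException("TLS outbound closed; refusing to write");
        }
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(app, net);
        net.flip();
        return net;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        FailClosedTls tls = new FailClosedTls(engine);
        // Simulate one side tearing TLS down: close, then drain any pending close alert.
        engine.closeOutbound();
        ByteBuffer empty = ByteBuffer.allocate(0);
        for (int i = 0; i < 8 && !engine.isOutboundDone(); i++) {
            tls.encode(empty);
        }
        try {
            tls.encode(ByteBuffer.wrap("cleartext after TLS".getBytes())); // constructed sample
            System.out.println("write accepted");
        } catch (SSLException e) {
            System.out.println("write rejected: " + e.getMessage());
        }
    }
}
```

A production filter would also inspect the `SSLEngineResult` status returned by `wrap` and `unwrap`, which this sketch ignores to stay short.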