Hi,
in the past few days - I should rather say past few nights actually ;-) - we
were tracking the reason the SslFilterTest was failing in MINA 2.2 under
some specific conditions (when the client uses TLS 1.2 or lower).
The test is really trying to cover a very specific corner case:
- we use an Echo Handler, where the messageSent() handler will close the
connection when 2 messages have been sent:
    @Override
    public void messageSent(IoSession session, Object message) throws Exception {
        sentMessages.add(message.toString());

        // Close the session immediately once the second echo has been sent.
        if (sentMessages.size() >= 2) {
            session.closeNow();
        }
    }
- the client sends a first message:
    output.write("test-1\n");
    output.flush();
- it reads the response:
    assert input.readLine().equals("test-1");
- the client invalidates the SSL session and starts a new TLS handshake:
    ss.getSession().invalidate();
    ss.startHandshake();
- the client sends a second message:
    output.write("test-2\n");
    output.flush();
- the server processes the handshake, then gets the message ("test-2\n"),
then immediately closes the connection because it's the second message:
    public void messageSent(IoSession session, Object message) throws Exception {
        sentMessages.add(message.toString());

        // Close the session immediately once the second echo has been sent.
        if (sentMessages.size() >= 2) {
            session.closeNow();
        }
    }
- the client tries to read the response:
    assert input.readLine().equals("test-2");
At this point, you'll get a failure.
The reason it fails is that when the second message has been sent, the
server has closed the connection brutally (by closing the Channel),
leaving the client with a closed connection and no data to be read.
There is a kind of race condition where the second response has been
fully encoded and pushed into the socket on the server side,
immediately followed by the channel closure. The client might not have
had the time to read anything before the channel was closed (to be
double checked).
Anyway, the discussion ended on the following consensus:
- This test will not remain as is
- Renegotiation is no longer accepted in TLS 1.3, for very good
reasons (https://fr.slideshare.net/ThierryZoller/practicaltls1)
- It has also been disabled by default by Oracle
(https://www.oracle.com/java/technologies/javase/tlsreadme.html)
thus the test will be @Ignored with no attempt to fix the logic
implemented in SslFilter.
Thanks!
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected] https://www.busit.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
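The race the mail suspects (response queued for the socket, channel closed right behind it) can be reproduced without TLS or MINA. The following is an added example, not code from the mail or from the MINA project: QueuedSession is a hypothetical stand-in for an NIO session whose write() only enqueues data and whose socket writes are done by a separate I/O thread, as an NIO framework's processor does. close_now() closes the socket at once, modelled on the closeNow() used in the test; close_on_flush() drains the queue first, modelled on the closeOnFlush() variant of that API. The echo server closes after the second message, exactly like the test handler, and the client reports which replies it actually received. The `release` event that holds the I/O thread back before the second write is an artificial delay so that the ordering is deterministic; the two messages are constructed test input.

```python
"""Added example: plain-TCP model of the close-after-write race (not MINA code)."""
import queue
import socket
import threading


class QueuedSession:
    """Hypothetical model of a session with an asynchronous write queue."""

    def __init__(self, sock):
        self.sock = sock
        self.queue = queue.Queue()
        self.flushed = threading.Event()
        self.release = threading.Event()  # cleared to hold the I/O thread back
        self.release.set()
        threading.Thread(target=self._flush_loop, daemon=True).start()

    def _flush_loop(self):
        """The 'I/O thread': the only place that writes to the socket."""
        while True:
            item = self.queue.get()
            if item is None:              # sentinel queued by close_on_flush()
                break
            self.release.wait()           # artificial delay (makes the race deterministic)
            try:
                self.sock.sendall(item)
            except OSError:               # socket already closed by close_now()
                break
        self.flushed.set()

    def write(self, data):
        self.queue.put(data)

    def close_now(self):
        """Close the channel immediately; whatever is still queued is lost."""
        self.sock.close()
        self.release.set()

    def close_on_flush(self):
        """Close only after the I/O thread has drained the write queue."""
        self.queue.put(None)
        self.release.set()
        self.flushed.wait()
        self.sock.close()


def echo_server(listener, immediate):
    """Echo each line; close after the second one, like the test handler."""
    conn, _ = listener.accept()
    session = QueuedSession(conn)
    received = 0
    pending = b""
    while True:
        chunk = conn.recv(1024)
        if not chunk:
            conn.close()
            return
        pending += chunk
        while b"\n" in pending:
            line, pending = pending.split(b"\n", 1)
            received += 1
            if received == 2:
                session.release.clear()   # I/O thread lags behind the handler
            session.write(line + b"\n")   # echo the message back
            if received == 2:
                if immediate:
                    session.close_now()
                else:
                    session.close_on_flush()
                return


def client(port):
    """Send test-1 and test-2 (constructed input); return the replies received."""
    replies = []
    with socket.create_connection(("127.0.0.1", port)) as sock:
        reader = sock.makefile("rb")
        for msg in (b"test-1\n", b"test-2\n"):
            sock.sendall(msg)
            reply = reader.readline()
            if not reply:                 # EOF: the server closed before replying
                break
            replies.append(reply.rstrip(b"\n").decode())
    return replies


def run_scenario(immediate):
    """Run server and client on a loopback port; return the client's replies."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=echo_server, args=(listener, immediate))
    worker.start()
    try:
        return client(listener.getsockname()[1])
    finally:
        worker.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print("close_now      ->", run_scenario(True))    # ['test-1']
    print("close_on_flush ->", run_scenario(False))   # ['test-1', 'test-2']
```

With close_now() the client sees EOF where "test-2" should be, which is the failure the test observes; with close_on_flush() both echoes arrive. For a TLS session the same rule applies one layer up: the close_notify alert must go out after the last application record, otherwise the peer cannot distinguish the server's close from a truncation attack.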