date:20191016

[jira] [Created] (MESOS-10012) Implement SSL socket downgrading on the native Windows SSL socket.

2019-10-16 Thread Joseph Wu (Jira)

Joseph Wu created MESOS-10012:
-

 Summary: Implement SSL socket downgrading on the native Windows 
SSL socket.
 Key: MESOS-10012
 URL: https://issues.apache.org/jira/browse/MESOS-10012
 Project: Mesos
  Issue Type: Task
  Components: libprocess
Reporter: Joseph Wu
Assignee: Joseph Wu


The logic needed to determine whether a connection is SSL or not is already 
established in the libevent SSL socket:
{code}
  // Based on the function 'ssl23_get_client_hello' in openssl, we
  // test whether to dispatch to the SSL or non-SSL based accept based
  // on the following rules:
  //   1. If there are fewer than 3 bytes: non-SSL.
  //   2. If the 1st bit of the 1st byte is set AND the 3rd byte is
  //  equal to SSL2_MT_CLIENT_HELLO: SSL.
  //   3. If the 1st byte is equal to SSL3_RT_HANDSHAKE AND the 2nd
  //  byte is equal to SSL3_VERSION_MAJOR and the 6th byte is
  //  equal to SSL3_MT_CLIENT_HELLO: SSL.
  //   4. Otherwise: non-SSL.

  // For an ascii based protocol to falsely get dispatched to SSL it
  // needs to:
  //   1. Start with an invalid ascii character (0x80).
  //   2. OR have the first 2 characters be a SYN followed by ETX, and
  //  then the 6th character be SOH.
  // These conditions clearly do not constitute valid HTTP requests,
  // and are unlikely to collide with other existing protocols.

  bool ssl = false; // Default to rule 4.

  if (size < 2) { // Rule 1.
ssl = false;
  } else if ((data[0] & 0x80) && data[2] == SSL2_MT_CLIENT_HELLO) { // Rule 2.
ssl = true;
  } else if (data[0] == SSL3_RT_HANDSHAKE &&
 data[1] == SSL3_VERSION_MAJOR &&
 data[5] == SSL3_MT_CLIENT_HELLO) { // Rule 3.
ssl = true;
  }
{code}

This only requires us to peek at the first 6 bytes of data.  One possible 
complication is that Overlapped sockets do not support peeking.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (MESOS-10010) Implement an SSL socket for Windows, using OpenSSL directly

2019-10-16 Thread Joseph Wu (Jira)



[ 
https://issues.apache.org/jira/browse/MESOS-10010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953113#comment-16953113
 ] 

Joseph Wu edited comment on MESOS-10010 at 10/16/19 7:02 PM:
-

Once the BIO (MESOS-10009) is complete, this part will boil down to 
implementing the SSL handshake (i.e. putting {{SSL_do_handshake}} in the right 
places).  I can probably only split out the SSL downgrade feature into a 
separate ticket.


was (Author: kaysoky):
Once the BIO (MESOS-10009) is complete, this part will boil down to 
implementing the SSL handshake.  I can probably only split out the SSL 
downgrade feature into a separate ticket.

> Implement an SSL socket for Windows, using OpenSSL directly
> ---
>
> Key: MESOS-10010
> URL: https://issues.apache.org/jira/browse/MESOS-10010
> Project: Mesos
>  Issue Type: Task
>  Components: libprocess
>Reporter: Joseph Wu
>Assignee: Joseph Wu
>Priority: Major
>  Labels: foundations
>
> {code}
> class WindowsSSLSocketImpl : public SocketImpl
> {
> public:
>   // This will be the entry point for Socket::create(SSL).
>   static Try> create(int_fd s);
>   WindowsSSLSocketImpl(int_fd _s);
>   ~WindowsSSLSocketImpl() override;
>   // Overrides for the 'SocketImpl' interface below.
>   // Unreachable.
>   Future connect(const Address& address) override;
>   // This will initialize SSL objects then call windows::connect()
>   // and chain that onto the appropriate call to SSL_do_handshake.
>   Future connect(
>   const Address& address,
>   const openssl::TLSClientConfig& config) override;
>   // These will call SSL_read or SSL_write as appropriate.
>   // As long as the SSL context is set up correctly, these will be
>   // thin wrappers.  (More details after the code block.)
>   Future recv(char* data, size_t size) override;
>   Future send(const char* data, size_t size) override;
>   Future sendfile(int_fd fd, off_t offset, size_t size) override;
>   // Nothing SSL here, just a plain old listener.
>   Try listen(int backlog) override;
>   // This will initialize SSL objects then call windows::accept()
>   // and then perform handshaking.  Any downgrading will
>   // happen here.  Since we control the event loop, we can
>   // easily peek at the first few bytes to check SSL-ness.
>   Future> accept() override;
>   SocketImpl::Kind kind() const override { return SocketImpl::Kind::SSL; }
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (MESOS-10010) Implement an SSL socket for Windows, using OpenSSL directly

2019-10-16 Thread Joseph Wu (Jira)



[ 
https://issues.apache.org/jira/browse/MESOS-10010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953113#comment-16953113
 ] 

Joseph Wu commented on MESOS-10010:
---

Once the BIO (MESOS-10009) is complete, this part will boil down to 
implementing the SSL handshake.  I can probably only split out the SSL 
downgrade feature into a separate ticket.

> Implement an SSL socket for Windows, using OpenSSL directly
> ---
>
> Key: MESOS-10010
> URL: https://issues.apache.org/jira/browse/MESOS-10010
> Project: Mesos
>  Issue Type: Task
>  Components: libprocess
>Reporter: Joseph Wu
>Assignee: Joseph Wu
>Priority: Major
>  Labels: foundations
>
> {code}
> class WindowsSSLSocketImpl : public SocketImpl
> {
> public:
>   // This will be the entry point for Socket::create(SSL).
>   static Try> create(int_fd s);
>   WindowsSSLSocketImpl(int_fd _s);
>   ~WindowsSSLSocketImpl() override;
>   // Overrides for the 'SocketImpl' interface below.
>   // Unreachable.
>   Future connect(const Address& address) override;
>   // This will initialize SSL objects then call windows::connect()
>   // and chain that onto the appropriate call to SSL_do_handshake.
>   Future connect(
>   const Address& address,
>   const openssl::TLSClientConfig& config) override;
>   // These will call SSL_read or SSL_write as appropriate.
>   // As long as the SSL context is set up correctly, these will be
>   // thin wrappers.  (More details after the code block.)
>   Future recv(char* data, size_t size) override;
>   Future send(const char* data, size_t size) override;
>   Future sendfile(int_fd fd, off_t offset, size_t size) override;
>   // Nothing SSL here, just a plain old listener.
>   Try listen(int backlog) override;
>   // This will initialize SSL objects then call windows::accept()
>   // and then perform handshaking.  Any downgrading will
>   // happen here.  Since we control the event loop, we can
>   // easily peek at the first few bytes to check SSL-ness.
>   Future> accept() override;
>   SocketImpl::Kind kind() const override { return SocketImpl::Kind::SSL; }
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (MESOS-10010) Implement an SSL socket for Windows, using OpenSSL directly

2019-10-16 Thread Greg Mann (Jira)



[ 
https://issues.apache.org/jira/browse/MESOS-10010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953103#comment-16953103
 ] 

Greg Mann commented on MESOS-10010:
---

[~kaysoky] I think this should be more fine-grained, will this really complete 
in a single sprint?

> Implement an SSL socket for Windows, using OpenSSL directly
> ---
>
> Key: MESOS-10010
> URL: https://issues.apache.org/jira/browse/MESOS-10010
> Project: Mesos
>  Issue Type: Task
>  Components: libprocess
>Reporter: Joseph Wu
>Assignee: Joseph Wu
>Priority: Major
>  Labels: foundations
>
> {code}
> class WindowsSSLSocketImpl : public SocketImpl
> {
> public:
>   // This will be the entry point for Socket::create(SSL).
>   static Try> create(int_fd s);
>   WindowsSSLSocketImpl(int_fd _s);
>   ~WindowsSSLSocketImpl() override;
>   // Overrides for the 'SocketImpl' interface below.
>   // Unreachable.
>   Future connect(const Address& address) override;
>   // This will initialize SSL objects then call windows::connect()
>   // and chain that onto the appropriate call to SSL_do_handshake.
>   Future connect(
>   const Address& address,
>   const openssl::TLSClientConfig& config) override;
>   // These will call SSL_read or SSL_write as appropriate.
>   // As long as the SSL context is set up correctly, these will be
>   // thin wrappers.  (More details after the code block.)
>   Future recv(char* data, size_t size) override;
>   Future send(const char* data, size_t size) override;
>   Future sendfile(int_fd fd, off_t offset, size_t size) override;
>   // Nothing SSL here, just a plain old listener.
>   Try listen(int backlog) override;
>   // This will initialize SSL objects then call windows::accept()
>   // and then perform handshaking.  Any downgrading will
>   // happen here.  Since we control the event loop, we can
>   // easily peek at the first few bytes to check SSL-ness.
>   Future> accept() override;
>   SocketImpl::Kind kind() const override { return SocketImpl::Kind::SSL; }
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (MESOS-10012) Implement SSL socket downgrading on the native Windows SSL socket.

[jira] [Comment Edited] (MESOS-10010) Implement an SSL socket for Windows, using OpenSSL directly

[jira] [Commented] (MESOS-10010) Implement an SSL socket for Windows, using OpenSSL directly

[jira] [Commented] (MESOS-10010) Implement an SSL socket for Windows, using OpenSSL directly

4 matches

Site Navigation

Mail list logo

Footer information