directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Trustin Lee <trus...@gmail.com>
Subject [mina] SSLFilter race condition: Take #2
Date Wed, 12 Oct 2005 08:46:21 GMT
Hi,

We've discussed about implementing StartTLS using SSLFilter before without
any resolution:

http://www.archivum.info/dev%40directory.apache.org/2005-09/msg00005.html

and here's the related JIRA issue which is marked as a blocker:

http://issues.apache.org/jira/browse/DIRMINA-85

The cause of the problem is that client sends SSL handshake request before
SSLFilter is in action. Possible handler code will look like this:

public void messageReceived(IoSession session, Object message) {
...
if (message instanceof MyStartTLSRequest) {
// insert SSLFilter to start handshaking
session.getFilterChain().addFirst(sslFilter); -- (1)
// write StartTLSResponse
sessios.write(new MyStartTLSResponse(OK)); -- (2)
}
}

(2) won't work as we expected because we've installed SSLFilter at (1).
There should be some way for a developer to send a message bypassing
SSLFilter. Otherwise we need a traffic control mechanism here so that we can
do this in a right order:

public void messageReceived(IoSession session, Object message) {
...
if (message instanceof MyStartTLSRequest) {
// Suspend writing
session.suspendWrite();
// write StartTLSResponse
session.write(new MyStartTLSResponse(OK));
// insert SSLFilter to start handshaking
session.getFilterChain().addFirst(sslFilter);
// now resume writing
session.resumeWrite();
}
}

If we use the first method (bypassing), we could provide a tag interface
called SSLBypassMessage and make MyStartTLSResponse implement it. And then
SSLFilter will detect any messages that should bypass and let it go.

Which way do you prefer to the other?

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Mime
View raw message