mesos-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joseph Wu (Jira)" <j...@apache.org>
Subject [jira] [Deleted] (MESOS-10012) Implement SSL socket downgrading on the native Windows SSL socket.
Date Thu, 23 Jan 2020 17:03:00 GMT

     [ https://issues.apache.org/jira/browse/MESOS-10012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Joseph Wu deleted MESOS-10012:
------------------------------


> Implement SSL socket downgrading on the native Windows SSL socket.
> ------------------------------------------------------------------
>
>                 Key: MESOS-10012
>                 URL: https://issues.apache.org/jira/browse/MESOS-10012
>             Project: Mesos
>          Issue Type: Task
>            Reporter: Joseph Wu
>            Assignee: Joseph Wu
>            Priority: Minor
>              Labels: foundations
>
> The logic needed to determine whether a connection is SSL or not is already established
in the libevent SSL socket:
> {code}
>   // Based on the function 'ssl23_get_client_hello' in openssl, we
>   // test whether to dispatch to the SSL or non-SSL based accept based
>   // on the following rules:
>   //   1. If there are fewer than 3 bytes: non-SSL.
>   //   2. If the 1st bit of the 1st byte is set AND the 3rd byte is
>   //          equal to SSL2_MT_CLIENT_HELLO: SSL.
>   //   3. If the 1st byte is equal to SSL3_RT_HANDSHAKE AND the 2nd
>   //      byte is equal to SSL3_VERSION_MAJOR and the 6th byte is
>   //      equal to SSL3_MT_CLIENT_HELLO: SSL.
>   //   4. Otherwise: non-SSL.
>   // For an ascii based protocol to falsely get dispatched to SSL it
>   // needs to:
>   //   1. Start with an invalid ascii character (0x80).
>   //   2. OR have the first 2 characters be a SYN followed by ETX, and
>   //          then the 6th character be SOH.
>   // These conditions clearly do not constitute valid HTTP requests,
>   // and are unlikely to collide with other existing protocols.
>   bool ssl = false; // Default to rule 4.
>   if (size < 2) { // Rule 1.
>     ssl = false;
>   } else if ((data[0] & 0x80) && data[2] == SSL2_MT_CLIENT_HELLO) { // Rule
2.
>     ssl = true;
>   } else if (data[0] == SSL3_RT_HANDSHAKE &&
>              data[1] == SSL3_VERSION_MAJOR &&
>              data[5] == SSL3_MT_CLIENT_HELLO) { // Rule 3.
>     ssl = true;
>   }
> {code}
> This only requires us to peek at the first 6 bytes of data.  One possible complication
is that Overlapped sockets do not support peeking.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message