| <!DOCTYPE html>
|
|
|
| <html lang="en">
|
| <head>
|
| <title>SSL/TLS internals — Apache MINA</title>
|
|
|
| <link href="/assets/css/common.css" rel="stylesheet" type="text/css"/>
|
| <link href="/assets/css/mina.css" rel="stylesheet" type="text/css"/>
|
| </head>
|
| <body>
|
| <script src="https://www.apachecon.com/event-images/snippet.js"></script>
|
| <div id="container">
|
| <div id="header">
|
| <div id="subProjectsNavBar">
|
| <a href="/">
|
|
|
| Apache MINA Project
|
|
|
| </a>
|
| |
|
| <a href="/mina-project/">
|
|
|
| <strong>MINA</strong>
|
|
|
| </a>
|
| |
|
| <a href="/asyncweb-project/">
|
|
|
| AsyncWeb
|
|
|
| </a>
|
| |
|
| <a href="/ftpserver-project/">
|
|
|
| FtpServer
|
|
|
| </a>
|
| |
|
| <a href="/sshd-project/">
|
|
|
| SSHD
|
|
|
| </a>
|
| |
|
| <a href="/vysper-project/">
|
|
|
| Vysper
|
|
|
| </a>
|
| </div>
|
| </div>
|
|
|
|
|
| <div id="content">
|
| <div id="leftColumn">
|
| <div id="navigation">
|
| <a class="acevent" data-format="wide" data-width="170"></a>
|
| <h5>Social Networks</h5>
|
| <ul>
|
| <li><a href="https://fosstodon.org/@apachemina">Apache MINA Mastodon</a></li>
|
| </ul>
|
| <h5>Latest Downloads</h5>
|
| <ul>
|
| <li><a href="/mina-project/downloads_2_0.html">Mina 2.0.25</a></li>
|
| <li><a href="/mina-project/downloads_2_1.html">Mina 2.1.8</a></li>
|
| <li><a href="/mina-project/downloads_2_2.html">Mina 2.2.3</a></li>
|
| <li><a href="/mina-project/downloads_old.html">Mina old versions</a></li>
|
| </ul>
|
| <h5>Documentation</h5>
|
| <ul>
|
| <li><a href="/mina-project/documentation.html" class="external-link" rel="nofollow">Base documentation</a></li>
|
| <li><a href="/mina-project/userguide/user-guide-toc.html" class="external-link" rel="nofollow">User guide</a></li>
|
| <li><a href="/mina-project/2.2-vs-2.1.html" class="external-link" rel="nofollow">2.2 vs 2.1</a></li>
|
| <li><a href="/mina-project/2.1-vs-2.0.html" class="external-link" rel="nofollow">2.1 vs 2.0</a></li>
|
| <li><a href="/mina-project/features.html" class="external-link" rel="nofollow">Features</a></li>
|
| <li><a href="/mina-project/road-map.html" class="external-link" rel="nofollow">Road Map</a></li>
|
| <li><a href="/mina-project/quick-start-guide.html" class="external-link" rel="nofollow">Quick Start Guide</a></li>
|
| <li><a href="/mina-project/faq.html" class="external-link" rel="nofollow">FAQ</a></li>
|
| </ul>
|
| <h5>Resources</h5>
|
| <ul>
|
| <li><a href="/mina-project/mailing-lists.html" class="external-link" rel="nofollow">Mailing lists & IRC</a></li>
|
| <li><a href="/mina-project/issue-tracking.html" class="external-link" rel="nofollow">Issue tracking</a></li>
|
| <li><a href="/mina-project/sources.html" class="external-link" rel="nofollow">Sources</a></li>
|
| <li><a href="/mina-project/gen-docs/latest-2.0/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.0.25</a></li>
|
| <li><a href="/mina-project/gen-docs/latest-2.1/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.1.8</a></li>
|
| <li><a href="/mina-project/gen-docs/latest-2.2/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.2.3</a></li>
|
| <li><a href="/mina-project/gen-docs/latest-2.0/xref/index.html" class="external-link" rel="nofollow">API xref 2.0.25</a></li>
|
| <li><a href="/mina-project/gen-docs/latest-2.1/xref/index.html" class="external-link" rel="nofollow">API xref 2.1.8</a></li>
|
| <li><a href="/mina-project/gen-docs/latest-2.2/xref/index.html" class="external-link" rel="nofollow">API xref 2.2.3</a></li>
|
| <li><a href="/mina-project/performances.html" class="external-link" rel="nofollow">Performances</a></li>
|
| <li><a href="/mina-project/testimonials.html" class="external-link" rel="nofollow">Testimonials</a></li>
|
| <li><a href="/mina-project/conferences.html" class="external-link" rel="nofollow">Conferences</a></li>
|
| <li><a href="/mina-project/developer-guide.html" class="external-link" rel="nofollow">Developers Guide</a></li>
|
| <li><a href="/mina-project/related-projects.html" class="external-link" rel="nofollow">Related Projects</a></li>
|
| <li><a href="https://people.apache.org/~vgritsenko/stats/projects/mina.html" class="external-link" rel="nofollow">Statistics</a></li>
|
| </ul>
|
|
|
| <h5>Community</h5>
|
| <ul>
|
| <li><a href="https://www.apache.org/foundation/contributing.html" class="external-link" rel="nofollow">Contributing</a></li>
|
| <li><a href="/contributors.html" class="external-link" rel="nofollow">Team</a></li>
|
| <li><a href="/special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
|
| <li><a href="https://www.apache.org/security/" class="external-link" rel="nofollow">Security</a></li>
|
| </ul>
|
|
|
| <h5>About Apache</h5>
|
| <ul>
|
| <li><a href="https://www.apache.org" class="external-link" rel="nofollow">Apache main site</a></li>
|
| <li><a href="https://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a></li>
|
| <li><a href="https://www.apache.org/foundation/sponsorship.html" title="The ASF sponsorship program" class="external-link" rel="nofollow">Sponsorship program</a></li>
|
| <li><a href="https://www.apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a></li>
|
| </ul>
|
|
|
| <h3><a name="Navigation-Upcoming"></a>Upcoming</h3>
|
| <ul>
|
| <li>No event</li>
|
| </ul>
|
| </div>
|
| </div>
|
| <div id="rightColumn">
|
|
|
|
|
| |
| <h1 id="ssltls-internals">SSL/TLS internals</h1> |
| <p>This is a technical description of how SSL/TLS are handled in MINA. You don’t need to read this to have it working, better have a look at the <a href="../userguide/ch11-ss-filter/ch11-ssl-filter.html">SslFilter user guide</a> page. However, if you want to get a deeper understanding on how it’s built, this is the place !</p> |
| <h2 id="components">Components</h2> |
| <p>The <strong>SslFilter</strong> is the filter that command everything related to <strong>SSL/TLS</strong>. It works hands in hands with the <strong>SSLHandler</strong> class, which handles the logic.</p> |
| <p>With <strong>NIO</strong>, Java provides a special class that handles the <strong>SSL/TLS</strong> protocol, the <strong>SSLEngine</strong> class. It’s quite a complex piece of code, and it requires some time to tame it… We will have a look into it during this tutorial.</p> |
| <h2 id="creation">Creation</h2> |
| <p>In order to inject the filter in the chain, it must first be created. This filter takes one or two parameters:</p> |
| <ul> |
| <li><strong>SSLContext</strong>: the Java class that contains all the information related to the <strong>SSL/TLS</strong> establishment</li> |
| <li><strong>autoStart</strong>: tells if the handshake should be started immediately. This is an optional parameter, defaulting to <strong>TRUE</strong>. In some cases, like when using <strong>startTLS</strong>, it’s critical to not start the handshake immediately, as it will be established on demand.</li> |
| </ul> |
| <h2 id="initialization">Initialization</h2> |
| <p>When injecting the <strong>SslFilter</strong> into your chain, either before starting your service, or while running it, it has to be initialized in some way. Actually, this is a two phases process :</p> |
| <ul> |
| <li>pre-initialization, during the filter injection</li> |
| <li>post-initialization, by starting the Handshake dialog</li> |
| </ul> |
| <p>Most of the time, both phases will be merged, as one can tell the first phase to immediately starts the second.</p> |
| <p>In any case, it’s handled by the <strong>onPreAdd</strong> and _<em>onPostAdd</em> events, which means it’s automatically processed when you push the <strong>SslFilter</strong> into the chain.</p> |
| <h3 id="onpreadd">onPreAdd</h3> |
| <p>The <strong>SslHandler</strong> class is created and initialized, and the instance is stored into the session attributes. That means each session has its own instance of <strong>SslHandler</strong>. This initialization will create a <strong>SSLEngine</strong> instance based on the provided <strong>SSLContext</strong> instance. The initialization will differ based on the ‘side’ you are on: server or client. Basically, the server side will wait for the client to initiate the handshake, while the client side will initiate it.</p> |
| <p>It’s also responsible to set the enabled ciphers and protocols, if one wants to use a restricted set, or an extended set (newer versions of Java have disabled old protocols and insecure ciphers).</p> |
| <p>Last, not least, it sets a list of status flags :</p> |
| <ul> |
| <li>writingEncryptedData: false. This flag is used during the handshake</li> |
| <li>handshakeStatus: the HandShake status, which is originally set to <strong>NOT_HANDSHAKING</strong></li> |
| <li>firstSSLNegotiation: true. This flag is used to tell the <strong>sslHandler</strong> to send or not an event to the application (MINA 2.1 only)</li> |
| <li>handshakeComplete: false. It will be set to true when teh handshake has been completed.</li> |
| </ul> |
| <p>Side note: those flags are probably spurious. Some cleanup might be done to get rid of the useless ones.</p> |
| <h2 id="onpostadd">onPostAdd</h2> |
| <p>This event will initiate an immediate handshake if required. Depending on the perr side, the action will be different.</p> |
| <ul> |
| <li>if we are on the server peer</li> |
| </ul> |
| |
|
|
|
|
|
|
| </div>
|
| <div id="endContent"></div>
|
| </div>
|
|
|
| <div id="footer">
|
| © 2003-2024, <a href="https://www.apache.org">The Apache Software Foundation</a> - <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br />
|
| Apache MINA, MINA, Apache Vysper, Vysper, Apache SSHd, SSHd, Apache FtpServer, FtpServer, Apache AsyncWeb, AsyncWeb,
|
| Apache, the Apache feather logo, and the Apache Mina project logos are trademarks of The Apache Software Foundation.
|
| </div>
|
|
|
| </div>
|
|
|
| </body>
|
|
|
| </html>
|