content/mina-project/technical-documentation/ssl-tls-internal.html - mina-site - Git at Google

 <!DOCTYPE html>

 <html lang="en">
 <head>
     <title>SSL/TLS internals &mdash; Apache MINA</title>

     <link href="/assets/css/common.css" rel="stylesheet" type="text/css"/>
     <link href="/assets/css/mina.css" rel="stylesheet" type="text/css"/>
 </head>
 <body>
 <script src="https://www.apachecon.com/event-images/snippet.js"></script>
 <div id="container">
     <div id="header">
     <div id="subProjectsNavBar">
         <a href="/">

                 Apache MINA Project

         </a>
         &nbsp;|&nbsp;
         <a href="/mina-project/">

                 <strong>MINA</strong>

         </a>
         &nbsp;|&nbsp;
         <a href="/asyncweb-project/">

                 AsyncWeb

         </a>
         &nbsp;|&nbsp;
         <a href="/ftpserver-project/">

                 FtpServer

         </a>
         &nbsp;|&nbsp;
         <a href="/sshd-project/">

                 SSHD

         </a>
         &nbsp;|&nbsp;
         <a href="/vysper-project/">

                 Vysper

         </a>
     </div>
 </div>


     <div id="content">
         <div id="leftColumn">
             <div id="navigation">
                 <a class="acevent" data-format="wide" data-width="170"></a>
                 <h5>Social Networks</h5>
                 <ul>
                     <li><a href="https://fosstodon.org/@apachemina">Apache MINA Mastodon</a></li>
                 </ul>
                 <h5>Latest Downloads</h5>
                 <ul>
                     <li><a href="/mina-project/downloads_2_0.html">Mina 2.0.25</a></li>
                     <li><a href="/mina-project/downloads_2_1.html">Mina 2.1.8</a></li>
                     <li><a href="/mina-project/downloads_2_2.html">Mina 2.2.3</a></li>
                     <li><a href="/mina-project/downloads_old.html">Mina old versions</a></li>
                 </ul>
                 <h5>Documentation</h5>
                 <ul>
                     <li><a href="/mina-project/documentation.html" class="external-link" rel="nofollow">Base documentation</a></li>
                     <li><a href="/mina-project/userguide/user-guide-toc.html" class="external-link" rel="nofollow">User guide</a></li>
                     <li><a href="/mina-project/2.2-vs-2.1.html" class="external-link" rel="nofollow">2.2 vs 2.1</a></li>
                     <li><a href="/mina-project/2.1-vs-2.0.html" class="external-link" rel="nofollow">2.1 vs 2.0</a></li>
                     <li><a href="/mina-project/features.html" class="external-link" rel="nofollow">Features</a></li>
                     <li><a href="/mina-project/road-map.html" class="external-link" rel="nofollow">Road Map</a></li>
                     <li><a href="/mina-project/quick-start-guide.html" class="external-link" rel="nofollow">Quick Start Guide</a></li>
                     <li><a href="/mina-project/faq.html" class="external-link" rel="nofollow">FAQ</a></li>
                 </ul>
                 <h5>Resources</h5>
                 <ul>
                     <li><a href="/mina-project/mailing-lists.html" class="external-link" rel="nofollow">Mailing lists &amp; IRC</a></li>
                     <li><a href="/mina-project/issue-tracking.html" class="external-link" rel="nofollow">Issue tracking</a></li>
                     <li><a href="/mina-project/sources.html" class="external-link" rel="nofollow">Sources</a></li>
                     <li><a href="/mina-project/gen-docs/latest-2.0/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.0.25</a></li>
                     <li><a href="/mina-project/gen-docs/latest-2.1/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.1.8</a></li>
                     <li><a href="/mina-project/gen-docs/latest-2.2/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.2.3</a></li>
                     <li><a href="/mina-project/gen-docs/latest-2.0/xref/index.html" class="external-link" rel="nofollow">API xref  2.0.25</a></li>
                     <li><a href="/mina-project/gen-docs/latest-2.1/xref/index.html" class="external-link" rel="nofollow">API xref 2.1.8</a></li>
                     <li><a href="/mina-project/gen-docs/latest-2.2/xref/index.html" class="external-link" rel="nofollow">API xref 2.2.3</a></li>
                     <li><a href="/mina-project/performances.html" class="external-link" rel="nofollow">Performances</a></li>
                     <li><a href="/mina-project/testimonials.html" class="external-link" rel="nofollow">Testimonials</a></li>
                     <li><a href="/mina-project/conferences.html" class="external-link" rel="nofollow">Conferences</a></li>
                     <li><a href="/mina-project/developer-guide.html" class="external-link" rel="nofollow">Developers Guide</a></li>
                     <li><a href="/mina-project/related-projects.html" class="external-link" rel="nofollow">Related Projects</a></li>
                     <li><a href="https://people.apache.org/~vgritsenko/stats/projects/mina.html" class="external-link" rel="nofollow">Statistics</a></li>
                 </ul>

                 <h5>Community</h5>
                 <ul>
                     <li><a href="https://www.apache.org/foundation/contributing.html" class="external-link" rel="nofollow">Contributing</a></li>
                     <li><a href="/contributors.html" class="external-link" rel="nofollow">Team</a></li>
                     <li><a href="/special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
                     <li><a href="https://www.apache.org/security/" class="external-link" rel="nofollow">Security</a></li>
                 </ul>

                 <h5>About Apache</h5>
                 <ul>
                     <li><a href="https://www.apache.org" class="external-link" rel="nofollow">Apache main site</a></li>
                     <li><a href="https://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a></li>
                     <li><a href="https://www.apache.org/foundation/sponsorship.html" title="The ASF sponsorship program" class="external-link" rel="nofollow">Sponsorship program</a></li>
                     <li><a href="https://www.apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a></li>
                 </ul>

                 <h3><a name="Navigation-Upcoming"></a>Upcoming</h3>
                 <ul>
                     <li>No event</li>
                 </ul>
             </div>
         </div>
         <div id="rightColumn">


 	<h1 id="ssltls-internals">SSL/TLS internals</h1>
 <p>This is a technical description of how SSL/TLS are handled in MINA. You don&rsquo;t need to read this to have it working, better have a look at the <a href="../userguide/ch11-ss-filter/ch11-ssl-filter.html">SslFilter user guide</a> page. However, if you want to get a deeper understanding on how it&rsquo;s built, this is the place !</p>
 <h2 id="components">Components</h2>
 <p>The <strong>SslFilter</strong> is the filter that command everything related to <strong>SSL/TLS</strong>. It works hands in hands with the <strong>SSLHandler</strong> class, which handles the logic.</p>
 <p>With <strong>NIO</strong>, Java provides a special class that handles the <strong>SSL/TLS</strong> protocol, the <strong>SSLEngine</strong> class. It&rsquo;s quite a complex piece of code, and it requires some time to tame it&hellip; We will have a look into it during this tutorial.</p>
 <h2 id="creation">Creation</h2>
 <p>In order to inject the filter in the chain, it must first be created. This filter takes one or two parameters:</p>
 <ul>
 <li><strong>SSLContext</strong>: the Java class that contains all the information related to the <strong>SSL/TLS</strong> establishment</li>
 <li><strong>autoStart</strong>: tells if the handshake should be started immediately. This is an optional parameter, defaulting to <strong>TRUE</strong>. In some cases, like when using <strong>startTLS</strong>, it&rsquo;s critical to not start the handshake immediately, as it will be established on demand.</li>
 </ul>
 <h2 id="initialization">Initialization</h2>
 <p>When injecting the <strong>SslFilter</strong> into your chain, either before starting your service, or while running it, it has to be initialized in some way. Actually, this is a two phases process :</p>
 <ul>
 <li>pre-initialization, during the filter injection</li>
 <li>post-initialization, by starting the Handshake dialog</li>
 </ul>
 <p>Most of the time, both phases will be merged, as one can tell the first phase to immediately starts the second.</p>
 <p>In any case, it&rsquo;s handled by the <strong>onPreAdd</strong> and _<em>onPostAdd</em> events, which means it&rsquo;s automatically processed when you push the <strong>SslFilter</strong> into the chain.</p>
 <h3 id="onpreadd">onPreAdd</h3>
 <p>The <strong>SslHandler</strong> class is created and initialized, and the instance is stored into the session attributes. That means each session has its own instance of <strong>SslHandler</strong>. This initialization will create a <strong>SSLEngine</strong> instance based on the provided <strong>SSLContext</strong> instance. The initialization will differ based on the &lsquo;side&rsquo; you are on: server or client. Basically, the server side will wait for the client to initiate the handshake, while the client side will initiate it.</p>
 <p>It&rsquo;s also responsible to set the enabled ciphers and protocols, if one wants to use a restricted set, or an extended set (newer versions of Java have disabled old protocols and insecure ciphers).</p>
 <p>Last, not least, it sets a list of status flags :</p>
 <ul>
 <li>writingEncryptedData: false. This flag is used during the handshake</li>
 <li>handshakeStatus: the HandShake status, which is originally set to <strong>NOT_HANDSHAKING</strong></li>
 <li>firstSSLNegotiation: true. This flag is used to tell the <strong>sslHandler</strong> to send or not an event to the application (MINA 2.1 only)</li>
 <li>handshakeComplete: false. It will be set to true when teh handshake has been completed.</li>
 </ul>
 <p>Side note: those flags are probably spurious. Some cleanup might be done to get rid of the useless ones.</p>
 <h2 id="onpostadd">onPostAdd</h2>
 <p>This event will initiate an immediate handshake if required. Depending on the perr side, the action will be different.</p>
 <ul>
 <li>if we are on the server peer</li>
 </ul>


         </div>
         <div id="endContent"></div>
     </div>

     <div id="footer">
     &copy; 2003-2024, <a href="https://www.apache.org">The Apache Software Foundation</a> - <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br />
     Apache MINA, MINA, Apache Vysper, Vysper, Apache SSHd, SSHd, Apache FtpServer, FtpServer, Apache AsyncWeb, AsyncWeb,
     Apache, the Apache feather logo, and the Apache Mina project logos are trademarks of The Apache Software Foundation.
 </div>

 </div>

 </body>

 </html>
	<!DOCTYPE html>

	<html lang="en">
	<head>
	<title>SSL/TLS internals — Apache MINA</title>

	<link href="/assets/css/common.css" rel="stylesheet" type="text/css"/>
	<link href="/assets/css/mina.css" rel="stylesheet" type="text/css"/>
	</head>
	<body>
	<script src="https://www.apachecon.com/event-images/snippet.js"></script>
	<div id="container">
	<div id="header">
	<div id="subProjectsNavBar">
	<a href="/">

	Apache MINA Project

	</a>
	\|
	<a href="/mina-project/">

	<strong>MINA</strong>

	</a>
	\|
	<a href="/asyncweb-project/">

	AsyncWeb

	</a>
	\|
	<a href="/ftpserver-project/">

	FtpServer

	</a>
	\|
	<a href="/sshd-project/">

	SSHD

	</a>
	\|
	<a href="/vysper-project/">

	Vysper

	</a>
	</div>
	</div>


	<div id="content">
	<div id="leftColumn">
	<div id="navigation">
	<a class="acevent" data-format="wide" data-width="170"></a>
	<h5>Social Networks</h5>
	<ul>
	<li><a href="https://fosstodon.org/@apachemina">Apache MINA Mastodon</a></li>
	</ul>
	<h5>Latest Downloads</h5>
	<ul>
	<li><a href="/mina-project/downloads_2_0.html">Mina 2.0.25</a></li>
	<li><a href="/mina-project/downloads_2_1.html">Mina 2.1.8</a></li>
	<li><a href="/mina-project/downloads_2_2.html">Mina 2.2.3</a></li>
	<li><a href="/mina-project/downloads_old.html">Mina old versions</a></li>
	</ul>
	<h5>Documentation</h5>
	<ul>
	<li><a href="/mina-project/documentation.html" class="external-link" rel="nofollow">Base documentation</a></li>
	<li><a href="/mina-project/userguide/user-guide-toc.html" class="external-link" rel="nofollow">User guide</a></li>
	<li><a href="/mina-project/2.2-vs-2.1.html" class="external-link" rel="nofollow">2.2 vs 2.1</a></li>
	<li><a href="/mina-project/2.1-vs-2.0.html" class="external-link" rel="nofollow">2.1 vs 2.0</a></li>
	<li><a href="/mina-project/features.html" class="external-link" rel="nofollow">Features</a></li>
	<li><a href="/mina-project/road-map.html" class="external-link" rel="nofollow">Road Map</a></li>
	<li><a href="/mina-project/quick-start-guide.html" class="external-link" rel="nofollow">Quick Start Guide</a></li>
	<li><a href="/mina-project/faq.html" class="external-link" rel="nofollow">FAQ</a></li>
	</ul>
	<h5>Resources</h5>
	<ul>
	<li><a href="/mina-project/mailing-lists.html" class="external-link" rel="nofollow">Mailing lists & IRC</a></li>
	<li><a href="/mina-project/issue-tracking.html" class="external-link" rel="nofollow">Issue tracking</a></li>
	<li><a href="/mina-project/sources.html" class="external-link" rel="nofollow">Sources</a></li>
	<li><a href="/mina-project/gen-docs/latest-2.0/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.0.25</a></li>
	<li><a href="/mina-project/gen-docs/latest-2.1/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.1.8</a></li>
	<li><a href="/mina-project/gen-docs/latest-2.2/apidocs/index.html" class="external-link" rel="nofollow">API Javadoc 2.2.3</a></li>
	<li><a href="/mina-project/gen-docs/latest-2.0/xref/index.html" class="external-link" rel="nofollow">API xref 2.0.25</a></li>
	<li><a href="/mina-project/gen-docs/latest-2.1/xref/index.html" class="external-link" rel="nofollow">API xref 2.1.8</a></li>
	<li><a href="/mina-project/gen-docs/latest-2.2/xref/index.html" class="external-link" rel="nofollow">API xref 2.2.3</a></li>
	<li><a href="/mina-project/performances.html" class="external-link" rel="nofollow">Performances</a></li>
	<li><a href="/mina-project/testimonials.html" class="external-link" rel="nofollow">Testimonials</a></li>
	<li><a href="/mina-project/conferences.html" class="external-link" rel="nofollow">Conferences</a></li>
	<li><a href="/mina-project/developer-guide.html" class="external-link" rel="nofollow">Developers Guide</a></li>
	<li><a href="/mina-project/related-projects.html" class="external-link" rel="nofollow">Related Projects</a></li>
	<li><a href="https://people.apache.org/~vgritsenko/stats/projects/mina.html" class="external-link" rel="nofollow">Statistics</a></li>
	</ul>

	<h5>Community</h5>
	<ul>
	<li><a href="https://www.apache.org/foundation/contributing.html" class="external-link" rel="nofollow">Contributing</a></li>
	<li><a href="/contributors.html" class="external-link" rel="nofollow">Team</a></li>
	<li><a href="/special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
	<li><a href="https://www.apache.org/security/" class="external-link" rel="nofollow">Security</a></li>
	</ul>

	<h5>About Apache</h5>
	<ul>
	<li><a href="https://www.apache.org" class="external-link" rel="nofollow">Apache main site</a></li>
	<li><a href="https://www.apache.org/licenses/" class="external-link" rel="nofollow">License</a></li>
	<li><a href="https://www.apache.org/foundation/sponsorship.html" title="The ASF sponsorship program" class="external-link" rel="nofollow">Sponsorship program</a></li>
	<li><a href="https://www.apache.org/foundation/thanks.html" class="external-link" rel="nofollow">Thanks</a></li>
	</ul>

	<h3><a name="Navigation-Upcoming"></a>Upcoming</h3>
	<ul>
	<li>No event</li>
	</ul>
	</div>
	</div>
	<div id="rightColumn">



	<h1 id="ssltls-internals">SSL/TLS internals</h1>
	<p>This is a technical description of how SSL/TLS are handled in MINA. You don’t need to read this to have it working, better have a look at the <a href="../userguide/ch11-ss-filter/ch11-ssl-filter.html">SslFilter user guide</a> page. However, if you want to get a deeper understanding on how it’s built, this is the place !</p>
	<h2 id="components">Components</h2>
	<p>The <strong>SslFilter</strong> is the filter that command everything related to <strong>SSL/TLS</strong>. It works hands in hands with the <strong>SSLHandler</strong> class, which handles the logic.</p>
	<p>With <strong>NIO</strong>, Java provides a special class that handles the <strong>SSL/TLS</strong> protocol, the <strong>SSLEngine</strong> class. It’s quite a complex piece of code, and it requires some time to tame it… We will have a look into it during this tutorial.</p>
	<h2 id="creation">Creation</h2>
	<p>In order to inject the filter in the chain, it must first be created. This filter takes one or two parameters:</p>
	<ul>
	<li><strong>SSLContext</strong>: the Java class that contains all the information related to the <strong>SSL/TLS</strong> establishment</li>
	<li><strong>autoStart</strong>: tells if the handshake should be started immediately. This is an optional parameter, defaulting to <strong>TRUE</strong>. In some cases, like when using <strong>startTLS</strong>, it’s critical to not start the handshake immediately, as it will be established on demand.</li>
	</ul>
	<h2 id="initialization">Initialization</h2>
	<p>When injecting the <strong>SslFilter</strong> into your chain, either before starting your service, or while running it, it has to be initialized in some way. Actually, this is a two phases process :</p>
	<ul>
	<li>pre-initialization, during the filter injection</li>
	<li>post-initialization, by starting the Handshake dialog</li>
	</ul>
	<p>Most of the time, both phases will be merged, as one can tell the first phase to immediately starts the second.</p>
	<p>In any case, it’s handled by the <strong>onPreAdd</strong> and _<em>onPostAdd</em> events, which means it’s automatically processed when you push the <strong>SslFilter</strong> into the chain.</p>
	<h3 id="onpreadd">onPreAdd</h3>
	<p>The <strong>SslHandler</strong> class is created and initialized, and the instance is stored into the session attributes. That means each session has its own instance of <strong>SslHandler</strong>. This initialization will create a <strong>SSLEngine</strong> instance based on the provided <strong>SSLContext</strong> instance. The initialization will differ based on the ‘side’ you are on: server or client. Basically, the server side will wait for the client to initiate the handshake, while the client side will initiate it.</p>
	<p>It’s also responsible to set the enabled ciphers and protocols, if one wants to use a restricted set, or an extended set (newer versions of Java have disabled old protocols and insecure ciphers).</p>
	<p>Last, not least, it sets a list of status flags :</p>
	<ul>
	<li>writingEncryptedData: false. This flag is used during the handshake</li>
	<li>handshakeStatus: the HandShake status, which is originally set to <strong>NOT_HANDSHAKING</strong></li>
	<li>firstSSLNegotiation: true. This flag is used to tell the <strong>sslHandler</strong> to send or not an event to the application (MINA 2.1 only)</li>
	<li>handshakeComplete: false. It will be set to true when teh handshake has been completed.</li>
	</ul>
	<p>Side note: those flags are probably spurious. Some cleanup might be done to get rid of the useless ones.</p>
	<h2 id="onpostadd">onPostAdd</h2>
	<p>This event will initiate an immediate handshake if required. Depending on the perr side, the action will be different.</p>
	<ul>
	<li>if we are on the server peer</li>
	</ul>




	</div>
	<div id="endContent"></div>
	</div>

	<div id="footer">
	© 2003-2024, <a href="https://www.apache.org">The Apache Software Foundation</a> - <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br />
	Apache MINA, MINA, Apache Vysper, Vysper, Apache SSHd, SSHd, Apache FtpServer, FtpServer, Apache AsyncWeb, AsyncWeb,
	Apache, the Apache feather logo, and the Apache Mina project logos are trademarks of The Apache Software Foundation.
	</div>

	</div>

	</body>

	</html>