Issue2447

classification
Title: Support server-side STARTTLS for SSL
Type:
Severity: normal
Components:
Versions: Jython 2.7
Milestone: Jython 2.7.2
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: amak, darjus, zyasoft
Priority:
Keywords:

Created on 2015-12-29.14:31:15 by zyasoft, last changed 2016-03-10.03:19:26 by zyasoft.

Messages
msg10563 Author: Jim Baker (zyasoft) Date: 2015-12-29.14:31:14
Implementing server-side STARTTLS for SSL requires this setup, as specified by http://netty.io/4.0/api/io/netty/handler/ssl/SslHandler.html:

    Please note that you must insert SslHandler before sending the StartTLS response. Otherwise the client can send begin SSL handshake before SslHandler is inserted to the ChannelPipeline, causing data corruption.

The problem is that Python server-side child sockets will be wrapped too late: they will have negotiated in plain text to the client that they should handshake, but this negotiation is not visible to the ssl module. The client will then send its handshake to the server child socket, but this will go to the normal inbound handler.

Because the server child socket will not attempt to recv such data, it is possible in principle to push back, but the current SslHandler provided by Netty does not have this support. We will need to modify the SslHandler class appropriately, presumably by subclassing, to get this behavior.

Lack of server-side STARTTLS currently impacts being able to write FTP or POP over SSL, as reflected in such failing tests as test_ftplib.
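The race described in msg10563, as an added simulation that is not part of the issue, of Jython, or of Netty. It models a Netty-style inbound pipeline in plain Python: bytes from the client are handed to whichever handler is at the head of the list, and the peer is modelled as answering the server's "go ahead" reply with a TLS ClientHello before the server's next statement runs, which is the worst-case ordering the SslHandler javadoc warns about. The class names, the constructed ClientHello bytes, and the `push_back` option (a stand-in for the SslHandler modification the message proposes) are all assumptions of this example.

```python
"""Simulation of the server-side STARTTLS race (constructed example).

Not Jython or Netty code. Models a pipeline whose head handler receives
every inbound byte, so a TLS handler inserted after the "ready" response
has been written can miss the client's ClientHello.
"""

# Constructed TLS record: content type 0x16 (handshake), version 3.1,
# length 5, then a 5-byte placeholder body. A real ClientHello body is
# far longer; only the record header matters for routing here.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05hello"
STARTTLS_CMD = b"STARTTLS\r\n"
READY = b"220 Ready to start TLS\r\n"


def looks_like_tls_record(data: bytes) -> bool:
    """True if data starts with a TLS record header (handshake, version 3.x)."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


class PlaintextHandler:
    """The normal inbound handler: buffers bytes until the application recv()s."""
    name = "plaintext"

    def __init__(self):
        self.unread = b""

    def inbound(self, data: bytes) -> None:
        self.unread += data

    def recv_line(self) -> bytes:
        line, _, self.unread = self.unread.partition(b"\r\n")
        return line


class TlsHandler:
    """Stand-in for Netty's SslHandler: it only ever expects TLS records."""
    name = "ssl"

    def __init__(self):
        self.handshake_started = False
        self.misdelivered = b""

    def inbound(self, data: bytes) -> None:
        if looks_like_tls_record(data):
            self.handshake_started = True  # a real handler would now run the handshake
        else:
            self.misdelivered += data  # a real handler would fail the handshake here


class Channel:
    """Pipeline plus a simulated peer that reacts to writes immediately."""

    def __init__(self):
        self.handlers = []  # index 0 is the head; inbound bytes go there first
        self.client_hello_sent = False

    def add_first(self, handler) -> None:
        self.handlers.insert(0, handler)

    def fire_inbound(self, data: bytes) -> None:
        self.handlers[0].inbound(data)

    def write(self, data: bytes) -> None:
        # Simulated client: on seeing the ready response it sends its
        # ClientHello before control returns to the server code.
        if data == READY and not self.client_hello_sent:
            self.client_hello_sent = True
            self.fire_inbound(CLIENT_HELLO)


def serve_starttls(insert_before_response: bool, push_back: bool = False):
    """Run one STARTTLS negotiation.

    Returns (name of the handler that received the ClientHello, handshake_started).
    """
    ch = Channel()
    plain = PlaintextHandler()
    ch.add_first(plain)
    ch.fire_inbound(STARTTLS_CMD)
    assert plain.recv_line() == b"STARTTLS"
    tls = TlsHandler()
    if insert_before_response:
        ch.add_first(tls)   # the order the Netty javadoc requires
        ch.write(READY)
    else:
        ch.write(READY)     # the child socket is wrapped too late
        ch.add_first(tls)
        if push_back and plain.unread:
            # Hand bytes the application never recv()'d to the new head handler.
            pending, plain.unread = plain.unread, b""
            ch.fire_inbound(pending)
    if tls.handshake_started:
        return tls.name, True
    if looks_like_tls_record(plain.unread):
        return plain.name, False
    return "nobody", False


if __name__ == "__main__":
    print("response, then insert:", serve_starttls(insert_before_response=False))
    print("insert, then response:", serve_starttls(insert_before_response=True))
    print("late insert + push back:", serve_starttls(insert_before_response=False, push_back=True))
```

The late-insert run leaves the ClientHello sitting in the plaintext handler's buffer where the TLS handler never sees it; inserting first, or pushing the unread bytes back into the new head, delivers it correctly. On CPython the same server code works without either fix because `SSLContext.wrap_socket(conn, server_side=True)` reads the ClientHello out of the kernel socket buffer itself, so nothing the application has not yet recv()'d is lost; the Jython problem is that Netty's inbound handler has already pulled those bytes out of the channel.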
msg10807 Author: Jim Baker (zyasoft) Date: 2016-03-10.03:19:26
Maybe we can work around this by forcing a renegotiate after the inbound handler is attached to the child socket:

http://netty.io/4.0/api/io/netty/handler/ssl/SslHandler.html#renegotiate()
History
Date                 User     Action  Args
2016-03-10 03:19:26  zyasoft  set     messages: + msg10807
2016-02-05 17:44:45  amak     set     nosy: + amak
2015-12-29 14:31:15  zyasoft  create