Message10563

Author zyasoft
Recipients darjus, zyasoft
Date 2015-12-29.14:31:14
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1451399475.04.0.183713302403.issue2447@psf.upfronthosting.co.za>
In-reply-to
Content
Implementing server-side STARTTLS for SSL requires this setup, as specified by http://netty.io/4.0/api/io/netty/handler/ssl/SslHandler.html:

    Please note that you must insert SslHandler before sending the StartTLS response. Otherwise the client can send begin SSL handshake before SslHandler is inserted to the ChannelPipeline, causing data corruption.

The problem is that Python server-side child sockets will be wrapped too late: they will have negotiated in plain text to the client that they should handshake, but this negotiation is not visible to the ssl module. The client will then send its handshake to the server child socket, but this will go to the normal inbound handler.

Because the server child socket will not attempt to recv such data, it is possible in principle to push back, but the current SslHandler provided by Netty does not have this support. We will need to modify the SslHandler class appropriately, presumably by subclassing, to get this behavior.

Lack of server-side STARTTLS currently impacts support being able to write FTP or POP over SSL, as reflected in such failing tests as test_ftplib.
History
Date                 User     Action  Args
2015-12-29 14:31:15  zyasoft  set     recipients: + zyasoft, darjus
2015-12-29 14:31:15  zyasoft  set     messageid: <1451399475.04.0.183713302403.issue2447@psf.upfronthosting.co.za>
2015-12-29 14:31:15  zyasoft  link    issue2447 messages
2015-12-29 14:31:14  zyasoft  create
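As an added illustration of the ordering the Netty documentation quoted above requires (this is example code, not Jython's or Netty's own, and not the SslHandler subclass the message proposes): a minimal FTP-style control-connection handler that upgrades to TLS on "AUTH TLS". The SslHandler is inserted at the head of the pipeline before the "234" reply is written, so the client's ClientHello, which may arrive immediately after that reply, is already routed to the TLS layer instead of the plaintext handler. It relies on the two-argument SslHandler(SSLEngine, boolean startTls) constructor that exists in Netty 4.0 (startTls=true lets the first write, the plaintext reply, bypass the SSLEngine); the page itself does not mention that flag. The handler assumes an upstream LineBasedFrameDecoder and StringDecoder deliver each command as a String, and that the caller supplies an SSLContext holding the server certificate; both are assumptions for this example.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.CharsetUtil;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Example (not part of Jython or Netty): server-side STARTTLS upgrade for an
 * FTP-like control connection. Assumes earlier pipeline stages decode each
 * command line into a String and that sslContext carries the server key/cert.
 */
public class StartTlsServerHandler extends ChannelInboundHandlerAdapter {

    private final SSLContext sslContext; // assumed to be configured by the caller

    public StartTlsServerHandler(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        String line = ((String) msg).trim();

        if ("AUTH TLS".equalsIgnoreCase(line)) {
            SSLEngine engine = sslContext.createSSLEngine();
            engine.setUseClientMode(false); // we are the server side of the handshake

            // Step 1: put the SslHandler at the head of the pipeline BEFORE replying.
            // startTls=true means the very next write (the plaintext "234" line) is
            // passed through unencrypted; everything after it goes via the SSLEngine.
            // Inbound bytes that arrive after the reply (the client's ClientHello)
            // therefore reach the SslHandler rather than the plaintext decoders.
            ctx.pipeline().addFirst("ssl", new SslHandler(engine, true));

            // Step 2: only now acknowledge STARTTLS. Reversing steps 1 and 2 is the
            // race the message describes: the handshake bytes would be consumed by
            // the plaintext handler and the TLS layer would never see them.
            ctx.writeAndFlush(Unpooled.copiedBuffer("234 AUTH TLS OK\r\n", CharsetUtil.US_ASCII));
            return;
        }

        // Any other command: hand it on to the next handler. After the upgrade these
        // lines have already been decrypted by the SslHandler in front of us.
        ctx.fireChannelRead(msg);
    }
}
```

The ordering is the whole point: once the SslHandler sits at the head of the pipeline, there is no window in which handshake bytes can be mis-routed, so no push-back of already-received data is needed. A server that instead sends the reply first and wraps afterwards depends on the transport not having read ahead, which a plain blocking socket happens to provide (the bytes wait in the kernel buffer until the TLS layer calls recv) but an eager, handler-driven pipeline like Netty's does not.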