You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Joseph Wu (Jira)" <ji...@apache.org> on 2019/10/16 19:14:00 UTC

[jira] [Created] (MESOS-10012) Implement SSL socket downgrading on the native Windows SSL socket.

Joseph Wu created MESOS-10012:
---------------------------------

             Summary: Implement SSL socket downgrading on the native Windows SSL socket.
                 Key: MESOS-10012
                 URL: https://issues.apache.org/jira/browse/MESOS-10012
             Project: Mesos
          Issue Type: Task
          Components: libprocess
            Reporter: Joseph Wu
            Assignee: Joseph Wu


The logic needed to determine whether a connection is SSL or not is already established in the libevent SSL socket:
{code}
  // Based on the function 'ssl23_get_client_hello' in openssl, we
  // test whether to dispatch to the SSL or non-SSL based accept based
  // on the following rules:
  //   1. If there are fewer than 3 bytes: non-SSL.
  //   2. If the 1st bit of the 1st byte is set AND the 3rd byte is
  //          equal to SSL2_MT_CLIENT_HELLO: SSL.
  //   3. If the 1st byte is equal to SSL3_RT_HANDSHAKE AND the 2nd
  //      byte is equal to SSL3_VERSION_MAJOR and the 6th byte is
  //      equal to SSL3_MT_CLIENT_HELLO: SSL.
  //   4. Otherwise: non-SSL.

  // For an ascii based protocol to falsely get dispatched to SSL it
  // needs to:
  //   1. Start with an invalid ascii character (0x80).
  //   2. OR have the first 2 characters be a SYN followed by ETX, and
  //          then the 6th character be SOH.
  // These conditions clearly do not constitute valid HTTP requests,
  // and are unlikely to collide with other existing protocols.

  bool ssl = false; // Default to rule 4.

  if (size < 2) { // Rule 1.
    ssl = false;
  } else if ((data[0] & 0x80) && data[2] == SSL2_MT_CLIENT_HELLO) { // Rule 2.
    ssl = true;
  } else if (data[0] == SSL3_RT_HANDSHAKE &&
             data[1] == SSL3_VERSION_MAJOR &&
             data[5] == SSL3_MT_CLIENT_HELLO) { // Rule 3.
    ssl = true;
  }
{code}

This only requires us to peek at the first 6 bytes of data.  One possible complication is that Overlapped sockets do not support peeking.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)