The interface definition of org.apache.mina.core.session.IoSession#isSecured reads:
return true if the session has started and initialized a SslEngine, false if the session is not yet secured (the handshake is not completed) or if SSL is not set for this session, or if SSL is not even an option.
The implementation of org.apache.mina.transport.socket.nio.NioSocketSession#isSecured however, already returns true when the handshake is not completed.
The provided patch fixes this, by adding an additional check to SslFilter that mimics the signature if isSecured. There's a bit of duplicated code, that might be improved upon.