Mesos / MESOS-10012

Implement SSL socket downgrading on the native Windows SSL socket.


    Details

    • Type: Task
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: libprocess
    • Labels:

      Description

      The logic needed to determine whether a connection is SSL or not is already established in the libevent SSL socket:

        // Based on the function 'ssl23_get_client_hello' in openssl, we
        // test whether to dispatch to the SSL or non-SSL based accept based
        // on the following rules:
        //   1. If there are fewer than 3 bytes: non-SSL.
        //   2. If the high bit (0x80) of the 1st byte is set AND the 3rd
        //      byte is equal to SSL2_MT_CLIENT_HELLO: SSL (an SSLv2-format
        //      ClientHello, which older clients send for compatibility).
        //   3. If there are at least 6 bytes AND the 1st byte is equal to
        //      SSL3_RT_HANDSHAKE AND the 2nd byte is equal to
        //      SSL3_VERSION_MAJOR AND the 6th byte is equal to
        //      SSL3_MT_CLIENT_HELLO: SSL (an SSLv3/TLS handshake record
        //      whose first message is a ClientHello).
        //   4. Otherwise: non-SSL.

        // For an ascii based protocol to falsely get dispatched to SSL it
        // needs to:
        //   1. Start with a non-ascii byte (high bit set, i.e. >= 0x80) AND
        //      have the 3rd byte be SOH (0x01).
        //   2. OR have the first 2 characters be a SYN (0x16) followed by
        //      ETX (0x03), and then the 6th character be SOH (0x01).
        // These conditions clearly do not constitute valid HTTP requests,
        // and are unlikely to collide with other existing protocols.

        bool ssl = false; // Default to rule 4.

        if (size < 3) { // Rule 1: too short to match either hello format.
          ssl = false;
        } else if ((data[0] & 0x80) && data[2] == SSL2_MT_CLIENT_HELLO) { // Rule 2.
          ssl = true;
        } else if (size >= 6 && // Rule 3 reads the 6th byte, so require it.
                   data[0] == SSL3_RT_HANDSHAKE &&
                   data[1] == SSL3_VERSION_MAJOR &&
                   data[5] == SSL3_MT_CLIENT_HELLO) { // Rule 3.
          ssl = true;
        }
      

      This only requires us to peek at the first 6 bytes of data. One possible complication is that Overlapped sockets do not support peeking.
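The dispatch rules above as a self-contained C++ program, added here as an example; it is not part of this ticket, of Mesos or of libprocess. It also shows one way to deal with a socket that cannot peek: consume the 6-byte prefix with an ordinary read, classify it, and replay it ahead of the remaining stream to whichever handler the connection is dispatched to. That replay approach, the `ReplayingSource` stand-in for a socket, the inlined OpenSSL constant values (taken from `<openssl/ssl.h>` so the file builds without OpenSSL), and all input byte strings are assumptions and constructed test data of this example, not anything the ticket prescribes.

```cpp
// Added example (not Mesos/libprocess code). Implements the four dispatch
// rules from the libevent SSL socket and replays a consumed prefix to the
// chosen handler, for sockets that cannot MSG_PEEK. Constant values mirror
// OpenSSL's <openssl/ssl.h> (assumed): SSL2_MT_CLIENT_HELLO = 1,
// SSL3_RT_HANDSHAKE = 0x16, SSL3_VERSION_MAJOR = 3, SSL3_MT_CLIENT_HELLO = 1.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

namespace {
constexpr uint8_t kSsl2MtClientHello = 0x01;
constexpr uint8_t kSsl3RtHandshake = 0x16;   // TLS record type "handshake".
constexpr uint8_t kSsl3VersionMajor = 0x03;  // Major version of SSLv3 and TLS 1.x.
constexpr uint8_t kSsl3MtClientHello = 0x01; // Handshake message type "ClientHello".
}  // namespace

// True when the first `size` bytes look like an SSL/TLS ClientHello. Rule 1
// rejects fewer than 3 bytes; rule 3 reads the 6th byte, so it needs 6.
bool looksLikeSsl(const uint8_t* data, size_t size) {
  if (size < 3) {
    return false;  // Rule 1.
  }
  if ((data[0] & 0x80) && data[2] == kSsl2MtClientHello) {
    return true;   // Rule 2: SSLv2-format hello (2-byte length, high bit set).
  }
  if (size >= 6 && data[0] == kSsl3RtHandshake &&
      data[1] == kSsl3VersionMajor && data[5] == kSsl3MtClientHello) {
    return true;   // Rule 3: SSLv3/TLS handshake record starting with ClientHello.
  }
  return false;    // Rule 4.
}

bool classify(const std::vector<uint8_t>& bytes) {
  return looksLikeSsl(bytes.data(), bytes.size());
}

std::vector<uint8_t> bytesOf(const std::string& s) {
  return std::vector<uint8_t>(s.begin(), s.end());
}

// Stand-in for a socket that cannot peek (assumed design): the sniffed prefix
// is consumed for real, classified, then served back ahead of the rest of the
// stream so the SSL or plaintext handler sees exactly what the peer sent.
class ReplayingSource {
 public:
  explicit ReplayingSource(std::vector<uint8_t> socketBytes)
      : socket_(std::move(socketBytes)) {}

  // Consume up to `n` bytes from the stream and keep them as the prefix.
  size_t consumePrefix(size_t n) {
    const size_t got = std::min(n, socket_.size() - pos_);
    prefix_.assign(socket_.begin() + pos_, socket_.begin() + pos_ + got);
    pos_ += got;
    return got;
  }

  bool isSsl() const { return looksLikeSsl(prefix_.data(), prefix_.size()); }

  // Reads drain the replayed prefix first, then whatever is still unread.
  size_t read(uint8_t* out, size_t n) {
    size_t copied = 0;
    while (copied < n && replayPos_ < prefix_.size()) out[copied++] = prefix_[replayPos_++];
    while (copied < n && pos_ < socket_.size()) out[copied++] = socket_[pos_++];
    return copied;
  }

 private:
  std::vector<uint8_t> socket_;
  size_t pos_ = 0;
  std::vector<uint8_t> prefix_;
  size_t replayPos_ = 0;
};

// Drains a source through small reads, as a handler would, returning all bytes seen.
std::string drain(ReplayingSource& src) {
  std::string out;
  uint8_t buf[4];
  for (size_t n; (n = src.read(buf, sizeof buf)) > 0;) out.append(reinterpret_cast<char*>(buf), n);
  return out;
}

int main() {
  // Constructed vectors: a TLS record header plus ClientHello type, an
  // SSLv2-style hello, and a plain HTTP request line (hypothetical path).
  const std::vector<uint8_t> tls = {0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4};
  const std::vector<uint8_t> sslv2 = {0x80, 0x2e, 0x01, 0x00, 0x02, 0x00, 0x15};
  const std::vector<uint8_t> http = bytesOf("GET /master/state HTTP/1.1\r\n");
  std::printf("tls=%d sslv2=%d http=%d\n", classify(tls), classify(sslv2), classify(http));

  ReplayingSource conn(http);
  conn.consumePrefix(6);
  std::printf("dispatch=%s replayed=%s", conn.isSsl() ? "ssl" : "plain", drain(conn).c_str());
  return 0;
}
```

A prefix shorter than 6 bytes (a slow or malicious client that sends 3 bytes and stalls) is classified as plaintext by this code; a real accept path has to decide whether to wait for more bytes or time the connection out, which the ticket does not address.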


            People

            • Assignee: Joseph Wu (kaysoky)
            • Reporter: Joseph Wu (kaysoky)
            • Shepherd: Till Toenshoff
            • Votes: 0
            • Watchers: 1
