Add session renegotiation to SSL/TLS #15833

Closed
bantonsson opened this issue Sep 9, 2014 · 4 comments

Comments

@bantonsson
Member

The SSL/TLS support in #15402 doesn't support session renegotiation.

@bantonsson bantonsson added 1 - triaged Tickets that are safe to pick up for contributing in terms of likeliness of being accepted t:stream t:io labels Sep 9, 2014
@bantonsson bantonsson added this to the streams-1.0 milestone Sep 9, 2014
@sirthias
Contributor

sirthias commented Oct 3, 2014

/cc @sirthias @jrudolph

@bblfish

bblfish commented Dec 11, 2014

I gave a talk at Scala eXchange that explains clearly the use of client certificate renegotiation: "Building the Social Web with Scala and Scala-JS"
https://skillsmatter.com/skillscasts/5960-building-a-secure-distributed-social-web-using-scala-scala-js

Any idea @bantonsson how much work it is to add this? It seems like it should be simple enough to just add client certificate renegotiation. Perhaps I can do this.

I think it would require a change to the HTTP request API to contain the name of the actor at the right layer of the TLS stack so that a message for a certificate can be sent to it.

@sirthias
Contributor

The architecture for the implementation of the whole TCP <-> TLS <-> HTTP stack has changed significantly since spray. The whole thing is now fully stream-based and actors only come into play as an implementation detail for certain stream stages.

You might want to check out these related tickets for more thoughts/discussion around the SSL/TLS support: #16167, #15883

@rkuhn rkuhn modified the milestones: streams-1.0-M3, streams-1.x Jan 21, 2015
@drewhk drewhk added 3 - in progress Someone is working on this ticket and removed 1 - triaged Tickets that are safe to pick up for contributing in terms of likeliness of being accepted labels Jan 27, 2015
@drewhk drewhk self-assigned this Jan 27, 2015
@rkuhn
Contributor

rkuhn commented Feb 2, 2015

Preliminary sketch of the types (based on web-based research, so comments welcome):

import javax.net.ssl.{ SSLParameters, SSLSession }
import akka.util.ByteString
import akka.stream.scaladsl.Flow

// events emitted towards the application (read side of the TLS stage)
sealed trait SessionRead
case class SessionNegotiated(session: SSLSession, parameters: SSLParameters) extends SessionRead
case class SessionReadData(data: ByteString) extends SessionRead

// commands sent by the application (write side of the TLS stage)
sealed trait SessionWrite
case class SessionRenegotiate(parameters: SSLParameters, invalidate: Boolean) extends SessionWrite
case class SessionWriteData(data: ByteString) extends SessionWrite

// wraps a raw byte transport in TLS; signature only, the body is intentionally left out
def addSSL(f: Flow[ByteString, ByteString], parameters: SSLParameters): Flow[SessionWrite, SessionRead]
// plaintext variant with the same interface: drops renegotiation commands and passes data through unchanged
def addNoSSL(f: Flow[ByteString, ByteString]) = Flow[SessionWrite].collect { case SessionWriteData(d) => d }.via(f).map(SessionReadData)

The last two will eventually be represented as standalone pieces with four ports, so the method signatures only serve to document the intent.

On the HTTP side the HttpRequestParser will have to keep track of which bytes were received with which session and reject requests that are “split” between them. The HttpRequest will include a field that holds the session that was in effect when the request was received, and the entity’s stream will need to be terminated upon renegotiation. A renegotiation will then be effected by including this request in the HttpResponse; the response itself will only be sent once the new session has been established, so that follow-up requests are delivered with the new parameters in effect.
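
The bookkeeping rkuhn sketches above, as an added illustration in Python that is not Akka code and not part of this issue: every byte is tagged with the TLS session that delivered it, a request head that straddles a renegotiation is rejected, and the entity stream of an in-flight request is terminated when the session changes. `Session`, `HttpRequest`, the parser, and the sample sessions and requests are all constructed here (the `client_cert` field is a hypothetical stand-in for the peer identity an `SSLSession` would carry); only Content-Length bodies are handled.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for javax.net.ssl.SSLSession: only its identity matters here.
@dataclass(frozen=True)
class Session:
    id: str
    client_cert: Optional[str] = None  # hypothetical: peer certificate subject, if any

# Modelled on the SessionRead events of the sketch above.
@dataclass(frozen=True)
class SessionNegotiated:
    session: Session

@dataclass(frozen=True)
class SessionReadData:
    data: bytes

class SplitRequestError(Exception):
    """Request head began under one TLS session and finished under another."""

@dataclass
class HttpRequest:
    head: bytes              # request line and headers, without the blank line
    session: Session         # session in effect when the head was received
    content_length: int
    body: bytearray = field(default_factory=bytearray)
    entity_terminated: bool = False  # a renegotiation cut the entity stream short

def _content_length(head: bytes) -> int:
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
    return int(m.group(1)) if m else 0

class HttpRequestParser:
    # Content-Length-only HTTP/1.1 parser that records which session delivered each byte.
    def __init__(self) -> None:
        self.session: Optional[Session] = None
        self.head_buf = bytearray()
        self.head_session: Optional[Session] = None  # session of the first buffered head byte
        self.current: Optional[HttpRequest] = None    # request whose entity is still streaming

    def feed(self, event) -> List[HttpRequest]:
        if isinstance(event, SessionNegotiated):
            # An in-flight entity ends at renegotiation: its remaining bytes would
            # arrive under a session the request was not received with.
            if self.current is not None:
                self.current.entity_terminated = True
                self.current = None
            self.session = event.session
            return []
        return self._consume(event.data)

    def _consume(self, data: bytes) -> List[HttpRequest]:
        out: List[HttpRequest] = []
        while data:
            if self.current is not None:  # entity bytes of an already emitted request
                want = self.current.content_length - len(self.current.body)
                self.current.body += data[:want]
                data = data[want:]
                if len(self.current.body) == self.current.content_length:
                    self.current = None
                continue
            if not self.head_buf:
                self.head_session = self.session
            self.head_buf += data
            end = self.head_buf.find(b"\r\n\r\n")
            if end < 0:
                break  # head still incomplete; wait for more bytes
            head, data = bytes(self.head_buf[:end]), bytes(self.head_buf[end + 4:])
            self.head_buf.clear()
            if self.head_session != self.session:
                # Head straddles a renegotiation: reject rather than guess which
                # session's peer identity the request belongs to.
                raise SplitRequestError(head.split(b"\r\n", 1)[0].decode(errors="replace"))
            req = HttpRequest(head, self.session, _content_length(head))
            out.append(req)
            if req.content_length > 0:
                self.current = req
        return out

def run(events):
    # Feed events through a fresh parser; returns (requests, SplitRequestError or None).
    parser, out = HttpRequestParser(), []
    try:
        for ev in events:
            out.extend(parser.feed(ev))
    except SplitRequestError as err:
        return out, err
    return out, None

# Constructed sample sessions and requests (not captured traffic).
A, B = Session("sess-A"), Session("sess-B", client_cert="CN=alice")
GET = b"GET /public HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST = b"POST /private HTTP/1.1\r\nHost: example.test\r\nContent-Length: 10\r\n\r\n"
CLEAN = [SessionNegotiated(A), SessionReadData(GET), SessionNegotiated(B), SessionReadData(GET)]
SPLIT_HEAD = [SessionNegotiated(A), SessionReadData(GET[:12]), SessionNegotiated(B), SessionReadData(GET[12:])]
CUT_ENTITY = [SessionNegotiated(A), SessionReadData(POST + b"12345"), SessionNegotiated(B), SessionReadData(GET)]
```

Running `run(CLEAN)` yields two requests tagged with sessions A and B respectively; `run(SPLIT_HEAD)` yields no request and a `SplitRequestError` for the head that started under A and completed under B; `run(CUT_ENTITY)` yields the POST with `entity_terminated` set and only the five body bytes that arrived under A, followed by the GET received under B. The rejection is deliberately strict: a request whose bytes span two sessions has no single peer identity to attribute it to, which is exactly the ambiguity the design above avoids.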

@drewhk drewhk modified the milestones: streams-1.0-M3, streams-1.0-M4 Feb 6, 2015
@rkuhn rkuhn modified the milestones: streams-1.0-M4, streams-1.0, 1.0-M5 Feb 27, 2015
@patriknw patriknw removed this from the streams-1.0-M5 milestone Mar 27, 2015
@patriknw patriknw modified the milestones: streams-1.0, streams-1.0-M5 Mar 27, 2015
rkuhn added a commit that referenced this issue Apr 20, 2015
rkuhn added a commit that referenced this issue Apr 23, 2015
rkuhn added a commit that referenced this issue Apr 23, 2015
@rkuhn rkuhn assigned rkuhn and unassigned drewhk Apr 23, 2015
@rkuhn rkuhn closed this as completed Apr 23, 2015
@ktoso ktoso removed the 3 - in progress Someone is working on this ticket label Jan 8, 2016
ktoso pushed a commit to ktoso/akka that referenced this issue Jan 11, 2016
ktoso pushed a commit to ktoso/akka that referenced this issue Jan 11, 2016
ktoso pushed a commit to ktoso/akka that referenced this issue Jan 11, 2016