Re: [jetty-users] Encryption of the HTTP protocol (e.g. not its payload)

>> 
>> I have an embedded server that running a ServletContextHandler. The client and server first exchange a bunch of HTTP 1.1 based messages to negotiate an encryption key, which is subsequently used to encrypt the stream of data that is exchanged. That is, it is not the HTTP payload of subsequent messages that is encrypted, but the complete stream itself is encrypted.
> 
> That is exactly the description of what TLS does.
> Is there a reason why you can't use TLS from the beginning (which is
> far better scrutinized with respect to security than using a custom
> protocol)?

Unfortunately, it is not the case. In fact, it is Apple's Home Automation Protocol, which implements all security and encryption features in an independent manner in order to maximise its independence of any underlying protocol stack.

> 
> HttpConnection has already built-in the mechanism to upgrade.
> HttpConnection.onCompleted() is called when a HTTP/1.1
> request/response is completed.
> It then calls HttpConnection.upgrade() to see if it must upgrade the
> connection by searching the new connection as a request attribute.
> What you want to do is to write your new connection, store it as an
> attribute in the HTTP request, and Jetty will do the rest for you.
> https://github.com/eclipse/jetty.project/blob/jetty-9.4.24.v20191120/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConnection.java#L374.


Just for my understanding, will HttpSession be maintained? It is the placeholder I use to store the encryption key that goes with that given connection. And, does that have to go through a new connection, or is there an alternative? And reading your pointer, I suspect that it is the server that sets up that new connection to the client, not the other way around (e.g. in HAP it is the client that triggers the secured connection)? The ideal would be to have a kind of filter/handler that kicks in before HttpConnection/Channel is filled with data.

Tx
K
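The upgrade path the quoted reply describes, as an added sketch that is not from this thread or from Jetty itself. It assumes the Jetty 9.4 API; the AES-CTR cipher, the key/iv parameters, the buffer size and the echo behaviour are placeholders standing in for the protocol's own crypto and application logic.

```java
import java.nio.ByteBuffer;
import java.util.concurrent.Executor;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.io.AbstractConnection;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.server.HttpConnection;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.util.BufferUtil;
import org.eclipse.jetty.util.Callback;
// Connection that takes over the socket once the HTTP-based key exchange is done.
public class EncryptedConnection extends AbstractConnection {
    private final Cipher decrypt, encrypt;
    private final ByteBuffer in = BufferUtil.allocate(4096);  // size is an arbitrary choice
    public EncryptedConnection(EndPoint ep, Executor exec, byte[] key, byte[] iv) throws Exception {
        super(ep, exec);
        // AES-CTR is a stand-in; CTR alone has no integrity check, the protocol's authenticated framing goes here.
        SecretKeySpec k = new SecretKeySpec(key, "AES");
        decrypt = Cipher.getInstance("AES/CTR/NoPadding");
        decrypt.init(Cipher.DECRYPT_MODE, k, new IvParameterSpec(iv));
        encrypt = Cipher.getInstance("AES/CTR/NoPadding");
        encrypt.init(Cipher.ENCRYPT_MODE, k, new IvParameterSpec(iv));
    }
    // Call from the servlet that finishes the negotiation; key and iv are whatever the HttpSession holds.
    public static void scheduleUpgrade(HttpServletRequest req, byte[] key, byte[] iv) throws Exception {
        Request base = Request.getBaseRequest(req);
        EndPoint ep = base.getHttpChannel().getEndPoint();
        Executor exec = base.getHttpChannel().getConnector().getExecutor();
        // HttpConnection.onCompleted() -> upgrade() reads this attribute after the plaintext
        // response is flushed and hands the EndPoint over to the new connection.
        req.setAttribute(HttpConnection.UPGRADE_CONNECTION_ATTRIBUTE, new EncryptedConnection(ep, exec, key, iv));
    }
    @Override public void onOpen() {
        super.onOpen();
        fillInterested();  // ask for an onFillable() callback when ciphertext arrives
    }
    @Override public void onFillable() {
        try {
            while (true) {
                int n = getEndPoint().fill(in);
                if (n < 0) { close(); return; }            // peer closed the stream
                if (n == 0) { fillInterested(); return; }  // nothing buffered yet, wait for more
                byte[] plain = decrypt.update(BufferUtil.toArray(in));
                BufferUtil.clear(in);
                // Application logic goes here; this sketch echoes the plaintext back encrypted.
                // Callback.NOOP suits a sketch; production code must serialise writes (e.g. IteratingCallback).
                getEndPoint().write(Callback.NOOP, ByteBuffer.wrap(encrypt.update(plain)));
            }
        } catch (Exception e) { close(); }
    }
}
```

The swap happens only after the final negotiation response has been written, so that response itself still travels in the clear, which is what lets the client-initiated scheme work without the server opening any new connection.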
