From f2bcf31dabb8f69261b0b829fc989e9ba5323ee6 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Mon, 25 Sep 2006 23:14:21 +0000
Subject: [PATCH] Fix a problem in the StartTLS extended operation processing that could cause problems with clients due to a race condition.  Previously, the success response was sent to the client before TLS negotiation was started (because the StartTLS response must be sent in the clear), and it was possible that if a client received that response and sent a subsequent TLS-protected request before the server was able to begin the TLS negotiation, then the server would try to handle the client request as if it were in the clear and would not be able to decode it.  The server now prepares to perform the TLS negotiation before sending the response to the client to eliminate that race condition.

---
 opends/src/server/org/opends/server/extensions/TLSCapableConnection.java |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/opends/src/server/org/opends/server/extensions/TLSCapableConnection.java b/opends/src/server/org/opends/server/extensions/TLSCapableConnection.java
index 0869eb8..ea06a60 100644
--- a/opends/src/server/org/opends/server/extensions/TLSCapableConnection.java
+++ b/opends/src/server/org/opends/server/extensions/TLSCapableConnection.java
@@ -29,6 +29,7 @@
 
 
 import org.opends.server.core.DirectoryException;
+import org.opends.server.core.Operation;
 
 
 
@@ -86,5 +87,22 @@
    */
   public void disableTLSConnectionSecurityProvider()
          throws DirectoryException;
+
+
+
+  /**
+   * Sends a response to the client in the clear rather than through the
+   * encrypted channel.  This should only be used when processing the StartTLS
+   * extended operation to send the response in the clear after the SSL
+   * negotiation has already been initiated.
+   *
+   * @param  operation  The operation for which to send the response in the
+   *                    clear.
+   *
+   * @throws  DirectoryException  If a problem occurs while sending the response
+   *                              in the clear.
+   */
+  public void sendClearResponse(Operation operation)
+         throws DirectoryException;
 }
 
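Review bot: The Javadoc for the new `sendClearResponse` method does not state what must hold after it is called, even though it is the one method on this interface that deliberately bypasses the connection security provider: nothing says that it may be used exactly once per connection, for the StartTLS result only, and that any later output must go through the TLS channel. A second cleartext write after the StartTLS response would corrupt the client's handshake and could expose directory data, so I would add to the method comment: `Implementations must write only this single response outside the TLS channel; all subsequent output for this connection must go through the TLS connection security provider.` The failure path is also undocumented — if the clear write fails the negotiation prepared before it should not be left half-configured, e.g. `If the response cannot be sent, the pending TLS negotiation should be abandoned (see {@link #disableTLSConnectionSecurityProvider()}) rather than leaving the connection in an indeterminate state.` The comment also says "SSL negotiation" where the rest of the interface and the commit message say TLS; one term should be used. This is only the interface; the ordering guarantee the commit message describes lives in the implementing class, which is outside this patch.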
