akka / akka-http

The Streaming-first HTTP server/module of Akka
https://doc.akka.io/docs/akka-http

Allow configuration of how TLS should handle possible truncation attacks #235

Open ktoso opened 8 years ago

ktoso commented 8 years ago

Issue by jrudolph, Tuesday Feb 10, 2015 at 15:16 GMT. Originally opened as https://github.com/akka/akka/issues/16825

spray's latest version of SslTlsSupport is very strict in its handling of truncated messages. It turns out that there are several situations in combination with HTTP where some kind of truncation is likely to happen and produces warnings regularly. For https://groups.google.com/d/topic/spray-user/8FUAZ_QAfs4/discussion I made a quick test of how current browsers deal with potential truncation attacks, and it seems that browsers are usually much more lenient than spray.

We should review that situation with the akka-streams SSL implementation and maybe provide a configuration option for how to deal with possible truncation attacks.

See spray/spray#756.

/cc @sirthias

jrudolph commented 7 years ago

Right now the client-side just ignores truncations here:

https://github.com/akka/akka-http/blob/e56661d3e759bee94e6c2b966e9a1e5b75373e7d/akka-http-core/src/main/scala/akka/http/impl/engine/client/OutgoingConnectionBlueprint.scala#L102-L102

We might want to add a paranoid mode that fails the stream if truncation occurs.
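To make the two behaviours discussed in this thread concrete (the lenient handling jrudolph describes above and the proposed "paranoid mode"), here is an added Python model, not akka-http or spray code, of what a TLS receiver can do when the TCP connection ends without a close_notify alert. It assumes records are already decrypted (plaintext framing with a visible content type, which real TLS 1.3 hides) and uses constructed inputs; the `strict` flag stands in for the configuration option the issue asks for.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

CT_ALERT, CT_APPDATA = 21, 23
CLOSE_NOTIFY = (1, 0)  # alert level=warning(1), description=close_notify(0)

@dataclass
class Outcome:
    app_data: bytes
    clean_close: bool      # close_notify alert arrived before the TCP EOF
    error: Optional[str]   # set when the chosen policy rejects the stream

def record(ctype: int, payload: bytes) -> bytes:
    """Frame one TLS record: type(1) version(2) length(2) payload (constructed input)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def parse_records(buf: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split buf into complete records; return them plus any cut-off tail."""
    records, off = [], 0
    while off + 5 <= len(buf):
        ctype, _ver, length = struct.unpack_from("!BHH", buf, off)
        if off + 5 + length > len(buf):
            break  # header present but the body was cut short
        records.append((ctype, buf[off + 5:off + 5 + length]))
        off += 5 + length
    return records, buf[off:]

def receive(buf: bytes, strict: bool) -> Outcome:
    """buf is everything read from TCP before EOF, modelled as plaintext records.
    strict=False mirrors the lenient client behaviour in the thread;
    strict=True is the proposed 'paranoid mode' that fails on truncation."""
    records, tail = parse_records(buf)
    data, clean = bytearray(), False
    for ctype, payload in records:
        if ctype == CT_ALERT and tuple(payload[:2]) == CLOSE_NOTIFY:
            clean = True
            break  # the peer announced the end; ignore anything after it
        if ctype == CT_APPDATA:
            data += payload
    if clean:
        error = None
    elif tail:
        error = "EOF inside a TLS record"  # cut mid-record: always an error
    elif strict:
        error = "EOF without close_notify (possible truncation attack)"
    else:
        error = None  # lenient: trust higher-layer framing (e.g. Content-Length)
    return Outcome(bytes(data), clean, error)
```

In lenient mode the HTTP layer is what must catch a short body (for example via Content-Length), which is why a server closing without close_notify after a complete response produces a warning rather than a failure.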