Adding hostname verification to SSLSocket

Discussion in 'Java' started by Ian Pilcher, Mar 2, 2013.

  1. Ian Pilcher

    Ian Pilcher Guest

    I am working with a library that can use an application-provided
    SSLSocketFactory to create its SSL connections. I would like to ensure
    that all of its connections enforce hostname verification, which the
    default SSLSocket implementation does not do.

    It's tempting to simply write an SSLSocketFactory that does the hostname
    verification in its various createSocket(...) methods, but this
    obviously won't cover the case where a socket is created in an
    unconnected state with createSocket() and connected later. (It's also
    not at all clear from the documentation that connect(...) can't be
    called on a connected socket to connect it to a different server.)

    So it seems that doing this the "right" way is going to require an
    SSLSocket implementation -- something like this:

    public final class HostVerifyingSSLSocketextends SSLSocket
    {
    private final SSLSocket socket;
    private final HostnameVerifier verifier;

    public HostVerifyingSSLSocket(SSLSocket socket,
    HostnameVerifier verifier)
    throws SSLHandshakeException
    {
    this.socket = socket;
    this.verifier = verifier;
    if (socket.isConnected()) {
    verify();
    }
    }

    private void verify() throws SSLHandshakeException
    {
    SSLSession session = socket.getSession();
    if (!verifier.verify(session.getPeerHost(), session)) {
    IOException closeException = null;
    try {
    socket.close();
    } catch (IOException ioe) {
    closeException = ioe;
    }
    SSLHandshakeException she =
    new SSLHandshakeException("Bummer");
    if (closeException != null) {
    she.addSuppressed(closeException);
    }
    throw she;
    }
    }

    // Delegate all Socket and SSLSocket methods to socket ...


    The question is which of the delegated methods need a call to verify().
    I'm thinking that connect(), startHandshake(), and getSession() are the
    only methods that need this. (And getHandshakeSession() is right out.)

    public void connect(SocketAddress endpoint) throws IOException
    {
    socket.connect(endpoint);
    verify();
    }

    public void connect(SocketAddress endpoint, int timeout)
    throws IOException
    {
    socket.connect(endpoint, timeout);
    verify();
    }

    public void startHandshake() throws IOException
    {
    socket.startHandshake();
    verify();
    }

    public SSLSession getSession()
    {
    try {
    Session session = socket.getSession();
    validate();
    return session;
    } catch (SSLHandshakeException she) {
    return ERROR_SESSION; // Need to create this. Uugh.
    }
    }

    public SSLSession getHandshakeSession()
    {
    throw new UnsupportedOperationException("Sorry");
    }

    Any others? Anyone see any fundamental problem with this approach
    (other than the fact that it's a ton of mostly boilerplate code to work
    around the fact that HandshakeCompletedListener.handShakeCompleted(...)
    isn't allowed to throw a checked exception)?

    Thanks!

    --
    ========================================================================
    Ian Pilcher
    Sometimes there's nothing left to do but crash and burn...or die trying.
    ========================================================================
    Ian Pilcher, Mar 2, 2013
    #1
    1. Advertising

  2. Ian Pilcher

    Roedy Green Guest

    On Sat, 02 Mar 2013 13:02:51 -0600, Ian Pilcher <>
    wrote, quoted or indirectly quoted someone who said :

    > I would like to ensure
    >that all of its connections enforce hostname verification, which the
    >default SSLSocket implementation does not do.



    Are you sure about that? IIRC I had the opposite problem link
    checking with links with a mismatch considered bad. Mis-matches are
    extremely common, particularly for large companies with many servers.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    One thing I love about having a website, is that when I complain about
    something, I only have to do it once. It saves me endless hours of
    grumbling.
    Roedy Green, Mar 4, 2013
    #2
    1. Advertising

  3. Ian Pilcher

    Arne Vajhøj Guest

    On 3/2/2013 2:02 PM, Ian Pilcher wrote:
    > I am working with a library that can use an application-provided
    > SSLSocketFactory to create its SSL connections. I would like to ensure
    > that all of its connections enforce hostname verification, which the
    > default SSLSocket implementation does not do.
    >
    > It's tempting to simply write an SSLSocketFactory that does the hostname
    > verification in its various createSocket(...) methods, but this
    > obviously won't cover the case where a socket is created in an
    > unconnected state with createSocket() and connected later. (It's also
    > not at all clear from the documentation that connect(...) can't be
    > called on a connected socket to connect it to a different server.)
    >
    > So it seems that doing this the "right" way is going to require an
    > SSLSocket implementation -- something like this:


    > Any others? Anyone see any fundamental problem with this approach
    > (other than the fact that it's a ton of mostly boilerplate code to work
    > around the fact that HandshakeCompletedListener.handShakeCompleted(...)
    > isn't allowed to throw a checked exception)?


    If you are using SSL for HTTPS, then I think that
    HttpsURLConnection.setDefaultHostnameVerifier would be obvious. But
    I assume that is not the case.

    Arne
    Arne Vajhøj, Mar 7, 2013
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Fabien Dehopre

    adding hostname to iis 6

    Fabien Dehopre, Aug 12, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    1,249
    Fabien Dehopre
    Aug 12, 2003
  2. news
    Replies:
    1
    Views:
    1,128
    hzhao2
    Nov 20, 2003
  3. Elian Kool
    Replies:
    3
    Views:
    603
    Esmond Pitt
    Mar 11, 2005
  4. AWieminer
    Replies:
    0
    Views:
    748
    AWieminer
    Jul 12, 2005
  5. Replies:
    4
    Views:
    2,180
    shakah
    Aug 3, 2005
Loading...

Share This Page