Java and SSL

[earthwormgaz]

Hi,

I notice that with the URLConnection class there's a HostVerifier you
can set.

Is there anything like this for the "raw" SSL sockets you get from
SSLSocketFactory?

I can see that its possible to set up your own context and with it,
trust manager and key manager. Is there anywhere in that sort of set
up that you can use an equivalent class?

Or is it more manual than that? Do you need to do something like this
code does, and add explicit hostname checks yourself?

http://www.java2s.com/Code/JavaAPI/javax.net.ssl/SSLSocketFactorygetDefault.htm

Many thanks for any help.

 

[Arne Vajhøj]

I notice that with the URLConnection class there's a HostVerifier you
can set.

Is there anything like this for the "raw" SSL sockets you get from
SSLSocketFactory?

I can see that its possible to set up your own context and with it,
trust manager and key manager. Is there anywhere in that sort of set
up that you can use an equivalent class?

Or is it more manual than that? Do you need to do something like this
code does, and add explicit hostname checks yourself?

http://www.java2s.com/Code/JavaAPI/javax.net.ssl/SSLSocketFactorygetDefault.htm

As far as I can see, then you will have to check name in certificate and
used name in your TrustManager.

Arne

 

[EJP]

I notice that with the URLConnection class there's a HostVerifier you
can set.

No there isn't. There is a HostNameVerifier you can use in conjunction
with HttpsURLConnection (and javax.naming.ldap.StartTlsResponse).

Is there anything like this for the "raw" SSL sockets you get from
SSLSocketFactory?

No, because the rule about matching hostnames is an HTTPS rule, not an
SSL rule. In SSL you are expected to get the Principal from the peer
certificate and check in some application database whether that
Principal is authorised to access this part of the application.

Sorry that this is two weeks late ;-)