Java Forum / Security / May 2004


Upgrading plain Socket to TLS secured mode?

Christofer Dutz - 09 May 2004 22:42 GMT
Hi,

I am working on a small application where I have a simple ServerSocket
waiting for incoming connections. If during a connection a certain
keyword is received, then the connection should be TLS secured. The
procedure is quite similar to the SMTP STARTTLS command.

Is there a way to "upgrade" a Socket to a TLS secured one? Maybe by
adding a wrapper around the Input- and Output-Streams. Or can an
advanced TLS Socket accept non-TLS connections and switch to TLS mode
later on in the process?

Thanx in advance,
    Chris
Chris - 10 May 2004 02:35 GMT
> Hi,
>
[quoted text clipped - 11 lines]
> Thanx in advance,
> Chris

Hi,
See javax.net.ssl.SSLSocketFactory.createSocket(Socket, String, int,
boolean). Just drop the plain socket into this method and you'll get
a socket back that's about to perform SSL handshaking. TLS and SSL
are both implemented in the same way by Java's javax.net.ssl package
(you might have to fiddle with the factory a bit to set up all your
parameters - I'd recommend first making a pair of test programs that,
say, send a string via SSL, before incorporating SSL support into
anything bigger - it can be a little confusing to get it working).

Chris
Christofer Dutz - 10 May 2004 08:49 GMT
Thanks a lot. I'll start trying this right away ;)

Chris

Christofer Dutz - 10 May 2004 11:23 GMT
I just had a look at the SSLSocketFactory and the createSocket method
needs a hostname and port. Do I understand this correctly?

I want the part of the application that owns the ServerSocket to be able
to accept the request to "upgrade" to a TLS connection. If I use the
createSocket method I actively connect to the client. Is that correct? I
want it to be the other way around. I want the client to do this step
and my server should accept it.

So, what are the hostname and port parameters used for when an existing
connection already exists?

Chris

Rogan Dawes - 10 May 2004 12:03 GMT
> I just had a look at the SSLSocketFactory and the createSocket method
> needs a hostname and port. Do I understand this correctly?
[quoted text clipped - 9 lines]
>
> Chris

Use socket.getInetAddress(), socket.getPort()

Here is a snippet of code that I use in an intercepting proxy. It
receives a CONNECT request, responds to acknowledge that the request
will be successful, then upgrades the connection to SSL itself, rather
than forwarding it to the upstream server. This is essentially what you
have described.

    // Imports and the fields the method relies on are added for completeness;
    // the original post shows only the method. The field names and types are
    // assumed from how the method uses them.
    import java.net.Socket;
    import java.security.KeyStore;
    import java.util.logging.Logger;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    private String keystore;       // classpath resource name of the PKCS12 file
    private char[] keystorepass;   // password protecting the keystore file
    private char[] keypassword;    // password protecting the private key entry
    private Logger _logger;

    private Socket negotiateSSL(Socket sock) throws Exception {
        KeyStore ks = null;
        KeyManagerFactory kmf = null;
        SSLContext sslcontext = null;
        // This loads the key material, and initialises the
        // SSLSocketFactory
        try {
            ks = KeyStore.getInstance("PKCS12");
            ks.load(this.getClass().getResourceAsStream(keystore), keystorepass);
            kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keypassword);
            // Protocol name as posted in 2004; current JSSE code would ask for "TLS".
            sslcontext = SSLContext.getInstance("SSLv3");
            sslcontext.init(kmf.getKeyManagers(), null, null);
        } catch (Exception e) {
            _logger.severe("Exception accessing keystore: " + e);
            throw e;
        }
        SSLSocketFactory factory = sslcontext.getSocketFactory();
        SSLSocket sslsock;

        try {
            // Layer SSL over the already-connected socket. The host and port
            // identify the peer (used for session caching); no new connection
            // is opened. Note that getHostName() may trigger a reverse DNS lookup.
            sslsock = (SSLSocket) factory.createSocket(
                sock, sock.getInetAddress().getHostName(), sock.getPort(), true);
            // We accepted the connection, so this side acts as the SSL server
            sslsock.setUseClientMode(false);

            // getSession() forces the handshake to complete before logging
            _logger.fine("Finished negotiating SSL - algorithm is " +
                sslsock.getSession().getCipherSuite());

            return sslsock;
        } catch (Exception e) {
            _logger.severe("Error layering SSL over the socket");
            throw e;
        }
    }

Hope this helps.

Rogan

Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"
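The following is an added, complete example of the STARTTLS-style upgrade discussed in this thread (Chris's pointer to SSLSocketFactory.createSocket(Socket, String, int, boolean) and Rogan's negotiateSSL snippet); it is not code from either poster. Both ends run in one process on the loopback interface: the server accepts a plain connection, waits for the STARTTLS keyword, acknowledges it, and only then wraps the same socket in server mode, while the client wraps its side in client mode after reading the acknowledgement. Assumptions: a PKCS12 keystore named server.p12 with password changeit holding a self-signed key (created with the keytool command in the note below), the protocol name "TLS" rather than the "SSLv3" of the 2004 snippet, and the class and method names used here, which are the author's own. Lines are read a byte at a time on purpose: a BufferedReader in front of the plain socket would read ahead and could consume the first bytes of the handshake.

```java
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class StartTlsDemo {
    // Assumed: a PKCS12 keystore "server.p12" holding a self-signed server key (see the keytool note).
    static final String KEYSTORE = "server.p12";
    static final char[] PASSWORD = "changeit".toCharArray();

    // One context serves both ends of the demo: the server presents the key,
    // the client trusts that same self-signed certificate.
    static SSLContext loadContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Read one line a byte at a time. A BufferedReader would read ahead and could
    // swallow the first bytes of the TLS handshake that follow the STARTTLS exchange.
    static String readLine(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        int b;
        while ((b = in.read()) != -1 && b != '\n') {
            if (b != '\r') buf.write(b);
        }
        return new String(buf.toByteArray(), StandardCharsets.US_ASCII);
    }

    static void writeLine(OutputStream out, String s) throws IOException {
        out.write((s + "\r\n").getBytes(StandardCharsets.US_ASCII));
        out.flush();
    }

    // Server side: plain text until the keyword arrives, then the same socket is wrapped in server mode.
    static void serveOne(ServerSocket ss, SSLContext ctx) throws Exception {
        try (Socket plain = ss.accept()) {
            InputStream in = plain.getInputStream();
            OutputStream out = plain.getOutputStream();
            if (!"STARTTLS".equals(readLine(in))) {
                writeLine(out, "500 expected STARTTLS");
                return;
            }
            writeLine(out, "220 go ahead");
            // Host and port describe the already-connected peer (used for session caching); nothing new is dialled.
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(
                    plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
            tls.setUseClientMode(false);   // we accepted the connection, so we are the TLS server
            tls.startHandshake();
            String msg = readLine(tls.getInputStream());
            writeLine(tls.getOutputStream(), "echo over " + tls.getSession().getProtocol() + ": " + msg);
            tls.close();
        }
    }

    // Client side: the mirror image, wrapping in client mode only after the server agreed.
    static String clientRun(int port, SSLContext ctx) throws Exception {
        try (Socket plain = new Socket("localhost", port)) {
            writeLine(plain.getOutputStream(), "STARTTLS");
            String reply = readLine(plain.getInputStream());
            if (!reply.startsWith("220")) throw new IOException("server refused upgrade: " + reply);
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, "localhost", port, true);
            tls.setUseClientMode(true);
            tls.startHandshake();   // the handshake, not the plain-text banner, is what authenticates the server
            writeLine(tls.getOutputStream(), "hello");
            String echo = readLine(tls.getInputStream());
            tls.close();
            return echo;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = loadContext();
        try (ServerSocket ss = new ServerSocket(0)) {   // ephemeral port, so the demo never collides with a real service
            Thread server = new Thread(() -> {
                try { serveOne(ss, ctx); } catch (Exception e) { e.printStackTrace(); }
            });
            server.start();
            System.out.println(clientRun(ss.getLocalPort(), ctx));
            server.join();
        }
    }
}
```

To create the assumed keystore before running it: keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=localhost" -storetype PKCS12 -keystore server.p12 -storepass changeit. Two design points carry over to real code: the server must flush its "220" reply before wrapping the socket, because the client will not start the handshake until it has read that line, and anything that the upgrade does not protect (the keyword exchange itself) stays in the clear, so a server should treat a missing or malformed STARTTLS as a reason to refuse sensitive traffic rather than fall back silently. The client here relies on the trust store alone because the self-signed certificate carries no hostname; a client talking to a real server should additionally enable endpoint identification (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")) so that the certificate is checked against the host it connected to.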