public class SSLCertificateSocketFactory extends SSLSocketFactory
SSLSessionCache
createSocket()
and Socket.connect(SocketAddress, int)
, after which you
must verify the identity of the server you are connected to.
Most SSLSocketFactory
implementations do not
verify the server's identity, allowing man-in-the-middle attacks.
This implementation does check the server's certificate hostname, but only
for createSocket variants that specify a hostname. When using methods that
use InetAddress
or which return an unconnected socket, you MUST
verify the server's identity yourself to ensure a secure connection.
One way to verify the server's identity is to use
HttpsURLConnection.getDefaultHostnameVerifier()
to get a
HostnameVerifier
to verify the certificate hostname.
On development devices, "setprop socket.relaxsslcheck yes" bypasses all SSL certificate and hostname checks for testing purposes. This setting requires root access.
Constructor and Description |
---|
SSLCertificateSocketFactory(int handshakeTimeoutMillis)
Deprecated.
Use
getDefault(int) instead. |
Modifier and Type | Method and Description |
---|---|
Socket |
createSocket()
Creates a new socket which is not connected to any remote host.
|
Socket |
createSocket(InetAddress addr,
int port)
Creates a socket and connects it to the specified port number
at the specified address.
|
Socket |
createSocket(InetAddress addr,
int port,
InetAddress localAddr,
int localPort)
Creates a socket and connect it to the specified remote address
on the specified remote port.
|
Socket |
createSocket(Socket k,
String host,
int port,
boolean close)
Returns a socket layered over an existing socket connected to the named
host, at the given port.
|
Socket |
createSocket(String host,
int port)
Creates a socket and connects it to the specified remote host
at the specified remote port.
|
Socket |
createSocket(String host,
int port,
InetAddress localAddr,
int localPort)
Creates a socket and connects it to the specified remote host
on the specified remote port.
|
byte[] |
getAlpnSelectedProtocol(Socket socket)
Returns the
Application
Layer Protocol Negotiation (ALPN) protocol selected by client and server, or null
if no protocol was negotiated.
|
static SocketFactory |
getDefault(int handshakeTimeoutMillis)
Returns a new socket factory instance with an optional handshake timeout.
|
static SSLSocketFactory |
getDefault(int handshakeTimeoutMillis,
SSLSessionCache cache)
Returns a new socket factory instance with an optional handshake timeout
and SSL session cache.
|
String[] |
getDefaultCipherSuites()
Returns the list of cipher suites which are enabled by default.
|
static SSLSocketFactory |
getHttpSocketFactory(int handshakeTimeoutMillis,
SSLSessionCache cache)
Deprecated.
Use
SSLSocketFactory.getDefault() along with a HttpsURLConnection
instead. The Apache HTTP client is no longer maintained and may be removed in a future
release. Please visit this webpage
for further details. |
static SSLSocketFactory |
getInsecure(int handshakeTimeoutMillis,
SSLSessionCache cache)
Returns a new instance of a socket factory with all SSL security checks
disabled, using an optional handshake timeout and SSL session cache.
|
byte[] |
getNpnSelectedProtocol(Socket socket)
Returns the Next
Protocol Negotiation (NPN) protocol selected by client and server, or
null if no protocol was negotiated.
|
String[] |
getSupportedCipherSuites()
Returns the names of the cipher suites which could be enabled for use
on an SSL connection.
|
void |
setAlpnProtocols(byte[][] protocols)
Sets the
Application Layer Protocol Negotiation (ALPN) protocols that this peer
is interested in.
|
void |
setChannelIdPrivateKey(PrivateKey privateKey)
Sets the private key to be used for TLS Channel ID by connections made by this
factory.
|
void |
setHostname(Socket socket,
String hostName)
Turns on Server
Name Indication (SNI) on a given socket.
|
void |
setKeyManagers(KeyManager[] keyManagers)
Sets the
KeyManager s to be used for connections made by this factory. |
void |
setNpnProtocols(byte[][] npnProtocols)
Sets the Next
Protocol Negotiation (NPN) protocols that this peer is interested in.
|
void |
setSoWriteTimeout(Socket socket,
int writeTimeoutMilliseconds)
Sets this socket's SO_SNDTIMEO write timeout in milliseconds.
|
void |
setTrustManagers(TrustManager[] trustManager)
Sets the
TrustManager s to be used for connections made by this factory. |
void |
setUseSessionTickets(Socket socket,
boolean useSessionTickets)
Enables session ticket
support on the given socket.
|
static void |
verifyHostname(Socket socket,
String hostname)
Verify the hostname of the certificate used by the other end of a
connected socket.
|
getDefault
setDefault
@Deprecated public SSLCertificateSocketFactory(int handshakeTimeoutMillis)
getDefault(int)
instead.public static SocketFactory getDefault(int handshakeTimeoutMillis)
handshakeTimeoutMillis
- to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.public static SSLSocketFactory getDefault(int handshakeTimeoutMillis, SSLSessionCache cache)
handshakeTimeoutMillis
- to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.cache
- The SSLSessionCache
to use, or null for no cache.public static SSLSocketFactory getInsecure(int handshakeTimeoutMillis, SSLSessionCache cache)
Warning: Sockets created using this factory are vulnerable to man-in-the-middle attacks!
handshakeTimeoutMillis
- to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.cache
- The SSLSessionCache
to use, or null for no cache.@Deprecated public static SSLSocketFactory getHttpSocketFactory(int handshakeTimeoutMillis, SSLSessionCache cache)
SSLSocketFactory.getDefault()
along with a HttpsURLConnection
instead. The Apache HTTP client is no longer maintained and may be removed in a future
release. Please visit this webpage
for further details.handshakeTimeoutMillis
- to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.cache
- The SSLSessionCache
to use, or null for no cache.public static void verifyHostname(Socket socket, String hostname) throws IOException
createSocket()
. It is harmless to call this method
redundantly if the hostname has already been verified.
Wildcard certificates are allowed to verify any matching hostname, so "foo.bar.example.com" is verified if the peer has a certificate for "*.example.com".
socket
- An SSL socket which has been connected to a serverhostname
- The expected hostname of the remote serverIOException
- if something goes wrong handshaking with the serverSSLPeerUnverifiedException
- if the server cannot prove its identitypublic void setTrustManagers(TrustManager[] trustManager)
TrustManager
s to be used for connections made by this factory.public void setNpnProtocols(byte[][] npnProtocols)
For servers this is the sequence of protocols to advertise as supported, in order of preference. This list is sent unencrypted to all clients that support NPN.
For clients this is a list of supported protocols to match against the server's list. If there is no protocol supported by both client and server then the first protocol in the client's list will be selected. The order of the client's protocols is otherwise insignificant.
npnProtocols
- a non-empty list of protocol byte arrays. All arrays
must be non-empty and of length less than 256.public void setAlpnProtocols(byte[][] protocols)
For servers this is the sequence of protocols to advertise as supported, in order of preference. This list is sent unencrypted to all clients that support ALPN.
For clients this is a list of supported protocols to match against the server's list. If there is no protocol supported by both client and server then the first protocol in the client's list will be selected. The order of the client's protocols is otherwise insignificant.
protocols
- a non-empty list of protocol byte arrays. All arrays
must be non-empty and of length less than 256.public byte[] getNpnSelectedProtocol(Socket socket)
socket
- a socket created by this factory.IllegalArgumentException
- if the socket was not created by this factory.public byte[] getAlpnSelectedProtocol(Socket socket)
socket
- a socket created by this factory.IllegalArgumentException
- if the socket was not created by this factory.public void setKeyManagers(KeyManager[] keyManagers)
KeyManager
s to be used for connections made by this factory.public void setChannelIdPrivateKey(PrivateKey privateKey)
privateKey
- private key (enables TLS Channel ID) or null
for no key (disables
TLS Channel ID). The private key has to be an Elliptic Curve (EC) key based on the
NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).public void setUseSessionTickets(Socket socket, boolean useSessionTickets)
socket
- a socket created by this factoryuseSessionTickets
- true
to enable session ticket support on this socket.IllegalArgumentException
- if the socket was not created by this factory.public void setHostname(Socket socket, String hostName)
socket
- a socket created by this factory.hostName
- the desired SNI hostname, null to disable.IllegalArgumentException
- if the socket was not created by this factory.public void setSoWriteTimeout(Socket socket, int writeTimeoutMilliseconds) throws SocketException
socket
- a socket created by this factory.timeout
- the desired write timeout in milliseconds.IllegalArgumentException
- if the socket was not created by this factory.SocketException
public Socket createSocket(Socket k, String host, int port, boolean close) throws IOException
This method verifies the peer's certificate hostname after connecting
(unless created with getInsecure(int, SSLSessionCache)
).
createSocket
in class SSLSocketFactory
k
- the existing sockethost
- the server hostport
- the server portclose
- close the underlying socket when this socket is closedIOException
- if an I/O error occurs when creating the socketpublic Socket createSocket() throws IOException
Socket.connect(java.net.SocketAddress)
to connect the socket.
Warning: Hostname verification is not performed with this method. You MUST verify the server's identity after connecting the socket to avoid man-in-the-middle attacks.
createSocket
in class SocketFactory
IOException
- if the socket cannot be createdSocket.connect(java.net.SocketAddress)
,
Socket.connect(java.net.SocketAddress, int)
,
Socket.Socket()
public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException
If there is a security manager, its checkConnect
method is called with the host address and port
as its arguments. This could result in a SecurityException.
Warning: Hostname verification is not performed with this method. You MUST verify the server's identity after connecting the socket to avoid man-in-the-middle attacks.
createSocket
in class SocketFactory
addr
- the server network addressport
- the server portlocalAddr
- the client network addresslocalPort
- the client portSocket
IOException
- if an I/O error occurs when creating the socketSecurityManager.checkConnect(java.lang.String, int)
,
Socket.Socket(java.net.InetAddress, int,
java.net.InetAddress, int)
public Socket createSocket(InetAddress addr, int port) throws IOException
If there is a security manager, its checkConnect
method is called with the host address and port
as its arguments. This could result in a SecurityException.
Warning: Hostname verification is not performed with this method. You MUST verify the server's identity after connecting the socket to avoid man-in-the-middle attacks.
createSocket
in class SocketFactory
addr
- the server hostport
- the server portSocket
IOException
- if an I/O error occurs when creating the socketSecurityManager.checkConnect(java.lang.String, int)
,
Socket.Socket(java.net.InetAddress, int)
public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException
If there is a security manager, its checkConnect
method is called with the host address and port
as its arguments. This could result in a SecurityException.
This method verifies the peer's certificate hostname after connecting
(unless created with getInsecure(int, SSLSessionCache)
).
createSocket
in class SocketFactory
host
- the server host name with which to connect, or
null
for the loopback address.port
- the server portlocalAddr
- the local address the socket is bound tolocalPort
- the local port the socket is bound toSocket
IOException
- if an I/O error occurs when creating the socketUnknownHostException
- if the host is not knownSecurityManager.checkConnect(java.lang.String, int)
,
Socket.Socket(String, int, java.net.InetAddress, int)
public Socket createSocket(String host, int port) throws IOException
If there is a security manager, its checkConnect
method is called with the host address and port
as its arguments. This could result in a SecurityException.
This method verifies the peer's certificate hostname after connecting
(unless created with getInsecure(int, SSLSessionCache)
).
createSocket
in class SocketFactory
host
- the server host name with which to connect, or
null
for the loopback address.port
- the server portSocket
IOException
- if an I/O error occurs when creating the socketUnknownHostException
- if the host is not knownSecurityManager.checkConnect(java.lang.String, int)
,
Socket.Socket(String, int)
public String[] getDefaultCipherSuites()
SSLSocketFactory
getDefaultCipherSuites
in class SSLSocketFactory
SSLSocketFactory.getSupportedCipherSuites()
public String[] getSupportedCipherSuites()
SSLSocketFactory
getSupportedCipherSuites
in class SSLSocketFactory
SSLSocketFactory.getDefaultCipherSuites()