Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Java and SSL

0 views
Skip to first unread message

earthwormgaz

unread,
Oct 30, 2009, 9:59:39 AM10/30/09
to
Hi,

I notice that with the URLConnection class there's a HostVerifier you
can set.

Is there anything like this for the "raw" SSL sockets you get from
SSLSocketFactory?

I can see that its possible to set up your own context and with it,
trust manager and key manager. Is there anywhere in that sort of set
up that you can use an equivalent class?

Or is it more manual than that? Do you need to do something like this
code does, and add explicit hostname checks yourself?

http://www.java2s.com/Code/JavaAPI/javax.net.ssl/SSLSocketFactorygetDefault.htm

Many thanks for any help.

Arne Vajhøj

unread,
Oct 30, 2009, 11:02:58 PM10/30/09
to

As far as I can see, then you will have to check name in certificate and
used name in your TrustManager.

Arne

EJP

unread,
Nov 12, 2009, 2:12:58 AM11/12/09
to
earthwormgaz wrote:
> I notice that with the URLConnection class there's a HostVerifier you
> can set.

No there isn't. There is a HostNameVerifier you can use in conjunction
with HttpsURLConnection (and javax.naming.ldap.StartTlsResponse).

> Is there anything like this for the "raw" SSL sockets you get from
> SSLSocketFactory?

No, because the rule about matching hostnames is an HTTPS rule, not an
SSL rule. In SSL you are expected to get the Principal from the peer
certificate and check in some application database whether that
Principal is authorised to access this part of the application.

Sorry that this is two weeks late ;-)

0 new messages