java - SSLSocket ignores domain mismatch


I am reading from an SSL socket whose host doesn't match the certificate (e.g. host = "localhost"). I expected an exception, but the following code happily talks to the remote server without problems.

    // host and port are set elsewhere; a plain SSLSocket only validates the
    // certificate chain, it does not check that the name matches "host".
    try (final Socket socket = SSLSocketFactory.getDefault().createSocket(host, port);
         final OutputStream os = socket.getOutputStream();
         final InputStream is = socket.getInputStream()) {
        os.write(("HEAD / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n").getBytes());
        os.flush();
        final byte[] bytes = new byte[1024];
        int n;
        while ((n = is.read(bytes)) != -1) {
            System.out.print(new String(bytes, 0, n));
        }
        System.out.println();
    } catch (final IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

Therefore I've tried this approach:

    try {
        final HttpURLConnection conn =
                (HttpURLConnection) new URL("https://" + host + ":" + port + "/").openConnection();
        try (InputStream is = conn.getInputStream()) {
            IOUtils.copy(is, System.out);
        } catch (final IOException e1) {
            // On an HTTP error status the body is available from the error stream.
            try (InputStream es = conn.getErrorStream()) {
                if (es != null) {
                    IOUtils.copy(es, System.out);
                }
            }
        }
    } catch (final IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

Unfortunately there is still no SSL exception, only a warning in the logs:

    2013-07-31 16:02:27,182 WARN nio - javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

How do I get an SSL exception if the certificate doesn't match?

The SSL/TLS protocol specification is modular, with detached specifications used to authenticate the remote host. These other specifications are split into 2 categories: verifying that the certificate can be trusted (RFC 3280/5280), and verifying the identity in the certificate (RFC 6125, or RFC 2818 for HTTPS).

The JSSE integrates the SSL protocol and the verification of the certificate in the SSLSocket (or SSLEngine) API, but it doesn't handle the verification of the identifier (which is equally important).

This is due to the fact that SSLSocket/SSLEngine can apply to any application protocol (e.g. HTTP, IMAP, SMTP, LDAP, ...), and the rules for verifying the identifier were in different specifications (with small variations), until RFC 6125 (which is still quite recent).

HttpsURLConnection handles both, because it uses a HostnameVerifier, which follows the HTTPS specification (RFC 2818, Section 3.1). This is done separately from the SSLSocket/SSLEngine API. For other protocols, you may need to implement what the protocol specification says.

This being said, since Java 7, there has been a mechanism to verify the identity of the certificate directly as part of the SSLSocket/SSLEngine API.

    SSLParameters sslParams = new SSLParameters();
    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
    sslSocket.setSSLParameters(sslParams);

Using this should make it throw an exception if the host name doesn't match.

There aren't major differences between HTTPS and the more uniform specifications in RFC 6125 (besides the fact that the latter considers IP addresses out of scope). If you're not using HTTPS, it should still make sense to use these identification specifications for other protocols. (Perhaps an "RFC 6125" endpoint identification algorithm might come in later versions of Java.)
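The mechanism from the answer, put into a small working client as an added example (not code from the question or the answer): it enables the HTTPS endpoint identification algorithm before the handshake and forces the handshake, so a name mismatch fails before any application data is written. The class name VerifiedSslClient and the defaults in main are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class VerifiedSslClient {
    // Opens a TLS connection to host:port and refuses it unless the server
    // certificate chain is trusted AND its name matches "host". Without the
    // endpoint identification algorithm, SSLSocket checks only the former.
    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Pass the host name (not an InetAddress): it is the reference identity.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // Java 7+
            socket.setSSLParameters(params);
            // Parameters only apply if set before the handshake; forcing the
            // handshake here surfaces a mismatch before any data is sent.
            socket.startHandshake();
            return socket;
        } catch (IOException e) {
            // SSLHandshakeException for an untrusted chain or a name mismatch
            // (e.g. a certificate for example.com presented by "localhost").
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket socket = connect(host, port);
             OutputStream os = socket.getOutputStream();
             InputStream is = socket.getInputStream()) {
            os.write(("HEAD / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            os.flush();
            byte[] buf = new byte[1024];
            int n;
            while ((n = is.read(buf)) != -1) {
                System.out.print(new String(buf, 0, n, StandardCharsets.ISO_8859_1));
            }
        }
    }
}
```

Run against a server whose certificate does not name the host you connected to and connect() throws SSLHandshakeException instead of silently exchanging data, which is the behaviour the question was missing.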

