Hi
I have a specific requirement to only enable the NULL cipher suite for SSL
communications. I am using the DefaultHttpClient 4.0.3 version at the
moment.
I have set up my schemes and HTTPClient as follows. As I don’t require
anything special from the Key or Trust Managers (other than to refer to the
system properties I’ll be setting) I just use the default SSLContext.
 

    SchemeRegistry registry = new SchemeRegistry();
    SSLContext sslContext = SSLContext.getDefault();
    CustomisedCipherSSLSocketFactory myFactory = new CustomisedCipherSSLSocketFactory(sslContext);
    registry.register(new Scheme("https", myFactory, 443));
    registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
    SingleClientConnManager sccm = new SingleClientConnManager(new BasicHttpParams(), registry);
    HttpClient httpclient = new DefaultHttpClient(sccm, new BasicHttpParams());
    HttpPost httpPost = new HttpPost(url);
    httpResponse = httpclient.execute(httpPost);

 
I have extended SSLSocketFactory in my own CustomisedCipherSSLSocketFactory
to simply overwrite createSocket as follows in order to set the suites I
need:

    public CustomisedCipherSSLSocketFactory(SSLContext sslContext)
            throws NoSuchAlgorithmException, KeyManagementException,
            KeyStoreException, UnrecoverableKeyException {
        super(sslContext);
    }

    // Unconnected socket: restrict the enabled suites before any handshake.
    @Override
    public Socket createSocket() throws IOException {
        SSLSocket sslSocket = (SSLSocket) super.createSocket();
        sslSocket.setEnabledCipherSuites(new String[]{"SSL_RSA_WITH_NULL_MD5"});
        System.out.println("In create socket");
        return sslSocket;
    }

    // Layered socket over an existing connection: same restriction.
    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        SSLSocket sslSocket = (SSLSocket) super.createSocket(socket, host, port, autoClose);
        sslSocket.setEnabledCipherSuites(new String[]{"SSL_RSA_WITH_NULL_MD5"});
        System.out.println("In create socket with args: host = " + host + ", port = " + port);
        return sslSocket;
    }

 
What I am finding in the debug logs is that the initial SSL handshake which
establishes the cipher suites the client and server will use doesn’t call my
overridden createSocket. Thus, an SSLSession is established which uses a
different cipher suite. Thereafter, my createSocket IS called, but the debug
shows that the original cached SSLSession is being used. Thus, my cipher
suite is never actually used in the message exchange.
 

%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1290269617 bytes = { 21, 218, 241, 213, 225, 171, 181,
140, 95, 246, 109, 123, 127, 148, 254, 161, 241, 74, 56, 242, 169, 246, 24,
77, 96, 195, 194, 146 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)', WRITE: TLSv1 Handshake, length = 75
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)', WRITE: SSLv2 client hello message, length = 101
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)', READ: TLSv1 Handshake, length = 58
*** ServerHello, TLSv1
RandomCookie:  GMT: 1290269616 bytes = { 239, 194, 86, 114, 146, 95, 25,
160, 77, 22, 119, 192, 137, 112, 86, 182, 203, 27, 86, 72, 160, 141, 113,
62, 124, 167, 88, 70 }
Session ID:  {229, 77, 223, 81, 84, 85, 11, 50, 74, 75, 51, 102, 202, 10,
72, 167}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Warning: No renegotiation indication extension in ServerHello
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
…
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
In create socket with args: host = localhost, port = 10002

 
I would have expected it to use my createSocket to create the socket for the
initial handshake … Can anyone shed any light on why it doesn’t? How can I
set my cipher suite with DefaultHttpClient?
Thanks very much, Baljeet.
-- 
View this message in context: 
http://old.nabble.com/DefaultHttpClient-%284.0.3%29-does-not-call-my-customised-socket-factory-for-the-initial-SSL-handshake-tp31769314p31769314.html
Sent from the HttpClient-User mailing list archive at Nabble.com.
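Added example, not code from the post or from HttpClient: a hypothetical PinnedCipherSSLSocketFactory for HttpClient 4.0.x that applies the suite restriction in both createSocket() and connectSocket() (the method the connection manager calls to connect and handshake), then reads back the suite actually negotiated and closes the connection if it is not on the allowed list, whichever path produced it. It assumes the 4.0.x SSLSocketFactory.connectSocket signature and keeps the post's allowed list (a NULL suite authenticates and integrity-protects but does not encrypt).

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.params.HttpParams;

// Hypothetical class name. Restricts the enabled suites on every path that can
// hand the connection manager a socket, then fails closed on the result.
public class PinnedCipherSSLSocketFactory extends SSLSocketFactory {
    // Allowed list taken from the post; anything else is rejected.
    private static final String[] ALLOWED = {"SSL_RSA_WITH_NULL_MD5"};

    public PinnedCipherSSLSocketFactory(SSLContext sslContext) {
        super(sslContext);
    }

    // Unconnected socket: restrict before connectSocket() handshakes.
    @Override
    public Socket createSocket() throws IOException {
        SSLSocket s = (SSLSocket) super.createSocket();
        s.setEnabledCipherSuites(ALLOWED);
        return s;
    }

    // Connect path: restrict the socket handed in (or created here), then verify.
    @Override
    public Socket connectSocket(Socket sock, String host, int port,
            InetAddress localAddress, int localPort, HttpParams params)
            throws IOException {
        SSLSocket s = (SSLSocket) (sock != null ? sock : super.createSocket());
        s.setEnabledCipherSuites(ALLOWED);
        SSLSocket connected = (SSLSocket) super.connectSocket(
                s, host, port, localAddress, localPort, params);
        verifyNegotiatedSuite(connected, host);
        return connected;
    }

    // getSession() completes the handshake if needed; a failed handshake
    // reports SSL_NULL_WITH_NULL_NULL, which is rejected as well.
    static void verifyNegotiatedSuite(SSLSocket s, String host) throws IOException {
        String negotiated = s.getSession().getCipherSuite();
        if (!Arrays.asList(ALLOWED).contains(negotiated)) {
            s.close();
            throw new SSLException("Unexpected suite " + negotiated + " from " + host);
        }
    }
}
```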