private static void printConnectionInfo(SSLSocket s) {
SSLSession currentSession = s.getSession();
System.out.println("Protocol: " + currentSession.getProtocol());
System.out.println("Cipher Suite: " + currentSession.getCipherSuite());
System.out.println("Host: " + currentSession.getPeerHost());
System.out.println("Host Port: " + currentSession.getPeerPort());
}
private ProxyLdapContext(Hashtable env) throws NamingException {
final Map<String, Object> savedEnv = new HashMap<String, Object>();
for (final String key :
Arrays.asList(
Context.SECURITY_AUTHENTICATION,
Context.SECURITY_CREDENTIALS,
Context.SECURITY_PRINCIPAL,
Context.SECURITY_PROTOCOL)) {
final Object entry = env.remove(key);
if (entry != null) {
savedEnv.put(key, entry);
}
}
delegate = new InitialLdapContext(env, null);
tls = (StartTlsResponse) delegate.extendedOperation(new StartTlsRequest());
tls.setHostnameVerifier(
new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
try {
final SSLSession negotiate = tls.negotiate();
Logger.getLogger(this.getClass().getCanonicalName())
.fine("LDAP is now using " + negotiate.getProtocol());
} catch (final IOException e) {
throw new NamingException(e.getMessage());
}
for (final Map.Entry<String, Object> savedEntry : savedEnv.entrySet()) {
delegate.addToEnvironment(savedEntry.getKey(), savedEntry.getValue());
}
}
private static void printSocketInfo(SSLSocket s) {
LOGGER.info("Socket class: " + s.getClass());
LOGGER.info(" Remote address = " + s.getInetAddress().toString());
LOGGER.info(" Remote port = " + s.getPort());
LOGGER.info(" Local socket address = " + s.getLocalSocketAddress().toString());
LOGGER.info(" Local address = " + s.getLocalAddress().toString());
LOGGER.info(" Local port = " + s.getLocalPort());
LOGGER.info(" Need client authentication = " + s.getNeedClientAuth());
SSLSession ss = s.getSession();
LOGGER.info(" Cipher suite = " + ss.getCipherSuite());
LOGGER.info(" Protocol = " + ss.getProtocol());
}
@Override
public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose)
throws IOException {
String peerHost = this.conn.getRequestProperty("Host");
if (peerHost == null) peerHost = host;
Log.i(TAG, "customized createSocket. host: " + peerHost);
InetAddress address = plainSocket.getInetAddress();
if (autoClose) {
// we don't need the plainSocket
plainSocket.close();
}
// create and connect SSL socket, but don't do hostname/certificate verification yet
SSLCertificateSocketFactory sslSocketFactory =
(SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0);
SSLSocket ssl = (SSLSocket) sslSocketFactory.createSocket(address, port);
// enable TLSv1.1/1.2 if available
ssl.setEnabledProtocols(ssl.getSupportedProtocols());
// set up SNI before the handshake
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
Log.i(TAG, "Setting SNI hostname");
sslSocketFactory.setHostname(ssl, peerHost);
} else {
Log.d(TAG, "No documented SNI support on Android <4.2, trying with reflection");
try {
java.lang.reflect.Method setHostnameMethod =
ssl.getClass().getMethod("setHostname", String.class);
setHostnameMethod.invoke(ssl, peerHost);
} catch (Exception e) {
Log.w(TAG, "SNI not useable", e);
}
}
// verify hostname and certificate
SSLSession session = ssl.getSession();
if (!hostnameVerifier.verify(peerHost, session))
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + peerHost);
Log.i(
TAG,
"Established "
+ session.getProtocol()
+ " connection with "
+ session.getPeerHost()
+ " using "
+ session.getCipherSuite());
return ssl;
}
@Override
public void handshakeCompleted(HandshakeCompletedEvent event) {
SSLSession session = event.getSession();
String protocol = session.getProtocol();
String cipherSuite = session.getCipherSuite();
String peerName = null;
try {
peerName = session.getPeerPrincipal().getName();
Log.d(TAG, "peerName: " + peerName);
} catch (SSLPeerUnverifiedException e) {
e.printStackTrace();
}
Log.d(TAG, "session: " + session);
Log.d(TAG, "protocol: " + protocol);
Log.d(TAG, "cipherSuite: " + cipherSuite);
}
@SuppressLint("NewApi")
private Socket enableSNI(SSLSocket ssl, String host) throws SSLPeerUnverifiedException {
// enable TLSv1.1/1.2 if available
// (see https://github.com/rfc2822/davdroid/issues/229)
ssl.setEnabledProtocols(ssl.getSupportedProtocols());
// set up SNI before the handshake
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
AppLog.i(T.API, "Setting SNI hostname");
mFactory.setHostname(ssl, host);
} else {
AppLog.i(T.API, "No documented SNI support on Android <4.2, trying with reflection");
try {
java.lang.reflect.Method setHostnameMethod =
ssl.getClass().getMethod("setHostname", String.class);
setHostnameMethod.invoke(ssl, host);
} catch (Exception e) {
AppLog.e(T.API, "SNI not useable", e);
}
}
// verify hostname and certificate
SSLSession session = ssl.getSession();
if (!mHostnameVerifier.verify(host, session)) {
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
}
AppLog.i(
T.API,
"Established "
+ session.getProtocol()
+ " connection with "
+ session.getPeerHost()
+ " using "
+ session.getCipherSuite());
return ssl;
}
/**
* Establishes and verifies a TLS connection to a (TCP-)connected SSLSocket: - set TLS parameters
* like allowed protocols and ciphers - set SNI host name - verify host name - verify certificate
*
* @param socket unconnected SSLSocket
* @param host host name for SNI
* @throws java.io.IOException if the connection could not be established.
*/
private void establishAndVerify(SSLSocket socket, String host) throws IOException {
setTlsParameters(socket);
setSniHostname(socket, host);
// TLS handshake, throws an exception for untrusted certificates
socket.startHandshake();
// verify hostname and certificate
SSLSession session = socket.getSession();
if (!hostnameVerifier.verify(host, session)) {
// throw exception for invalid host names
throw new SSLPeerUnverifiedException(host);
}
Log.i(
TAG,
"Established "
+ session.getProtocol()
+ " connection with "
+ session.getPeerHost()
+ " using "
+ session.getCipherSuite());
}
static SSLSecurityInfoImpl create(SSLSocket socket) throws IOException {
SSLSession session = socket.getSession();
java.security.cert.Certificate[] certs = session.getPeerCertificates();
CertificateImpl ci = null;
if (certs != null && certs.length > 0 && certs[0] instanceof X509Certificate) {
// TODO: is this the right way?
ci = new CertificateImpl((X509Certificate) certs[0]);
}
// parse protocol name and version
final String protocol = session.getProtocol();
String protocolName = null;
String protocolVersion = null;
if (protocol.startsWith("TLS")) {
protocolName = "TLS";
protocolVersion = "3.1";
} else if (protocol.startsWith("SSL")) {
protocolName = "SSL";
protocolVersion = "3.0";
}
return new SSLSecurityInfoImpl(session.getCipherSuite(), protocolName, protocolVersion, ci);
}
public static void main(String args[]) throws Exception {
System.setProperty("javax.net.ssl.trustStore", "clienttrust");
SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
Socket s = ssf.createSocket("127.0.0.1", 5432);
SSLSession session = ((SSLSocket) s).getSession();
Certificate[] cchain = session.getPeerCertificates();
System.out.println("The Certificates used by peer");
for (int i = 0; i < cchain.length; i++) {
System.out.println(((X509Certificate) cchain[i]).getSubjectDN());
}
System.out.println("Peer host is " + session.getPeerHost());
System.out.println("Cipher is " + session.getCipherSuite());
System.out.println("Protocol is " + session.getProtocol());
System.out.println("ID is " + new BigInteger(session.getId()));
System.out.println("Session created in " + session.getCreationTime());
System.out.println("Session accessed in " + session.getLastAccessedTime());
BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
String x = in.readLine();
System.out.println(x);
in.close();
}
