Posted to httpclient-users@hc.apache.org by bnijjhar <ba...@accenture.com> on 2011/06/04 00:40:46 UTC

DefaultHttpClient (4.0.3) does not call my customised socket factory for the initial SSL handshake

Hi
I have a specific requirement to only enable the NULL cipher suite for SSL
communications. I am using the DefaultHttpClient 4.0.3 version at the
moment.
I have set up my schemes and HTTPClient as follows. As I don’t require
anything special from the Key or Trust Managers (other than to refer to the
system properties I’ll be setting) I just use the default SSLContext.
 

    import javax.net.ssl.SSLContext;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.HttpClient;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.SingleClientConnManager;
    import org.apache.http.params.BasicHttpParams;

    // Default SSLContext: key/trust managers come from the javax.net.ssl.* system properties.
    SchemeRegistry registry = new SchemeRegistry();
    SSLContext sslContext = SSLContext.getDefault();
    CustomisedCipherSSLSocketFactory myFactory = new CustomisedCipherSSLSocketFactory(sslContext);
    registry.register(new Scheme("https", myFactory, 443));
    registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));

    // Single-connection manager over that registry, and the client that uses it.
    SingleClientConnManager sccm = new SingleClientConnManager(new BasicHttpParams(), registry);
    HttpClient httpclient = new DefaultHttpClient(sccm, new BasicHttpParams());
    HttpPost httpPost = new HttpPost(url);   // url: the https URL being posted to
    HttpResponse httpResponse = httpclient.execute(httpPost);

 
I have extended SSLSocketFactory in my own CustomisedCipherSSLSocketFactory
to simply overwrite createSocket as follows in order to set the suites I
need:

    import java.io.IOException;
    import java.net.Socket;
    import java.security.KeyManagementException;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import org.apache.http.conn.ssl.SSLSocketFactory;

    public class CustomisedCipherSSLSocketFactory extends SSLSocketFactory {

        // The only suite to be offered to the server.
        private static final String[] SUITES = { "SSL_RSA_WITH_NULL_MD5" };

        public CustomisedCipherSSLSocketFactory(SSLContext sslContext)
                throws NoSuchAlgorithmException, KeyManagementException,
                       KeyStoreException, UnrecoverableKeyException {
            super(sslContext);
        }

        // Unconnected socket: restrict the enabled suites before it is connected.
        @Override
        public Socket createSocket() throws IOException {
            SSLSocket sslSocket = (SSLSocket) super.createSocket();
            sslSocket.setEnabledCipherSuites(SUITES);
            System.out.println("In create socket");
            return sslSocket;
        }

        // SSL layered over an already connected socket.
        @Override
        public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
                throws IOException {
            SSLSocket sslSocket = (SSLSocket) super.createSocket(socket, host, port, autoClose);
            sslSocket.setEnabledCipherSuites(SUITES);
            System.out.println("In create socket with args: host = " + host + ", port = " + port);
            return sslSocket;
        }
    }

 
What I am finding in the debug logs is that the initial SSL handshake which
establishes the cipher suites the client and server will use doesn’t call my
overridden createSocket. Thus, an SSLSession is established which uses a
different cipher suite. Thereafter, my createSocket IS called, but the debug
shows that the original cached SSLSession is being used. Thus, my cipher
suite is never actually used in the message exchange.
 

%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1290269617 bytes = { 21, 218, 241, 213, 225, 171, 181,
140, 95, 246, 109, 123, 127, 148, 254, 161, 241, 74, 56, 242, 169, 246, 24,
77, 96, 195, 194, 146 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)', WRITE: TLSv1 Handshake, length = 75
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)', WRITE: SSLv2 client hello message, length = 101
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)', READ: TLSv1 Handshake, length = 58
*** ServerHello, TLSv1
RandomCookie:  GMT: 1290269616 bytes = { 239, 194, 86, 114, 146, 95, 25,
160, 77, 22, 119, 192, 137, 112, 86, 182, 203, 27, 86, 72, 160, 141, 113,
62, 124, 167, 88, 70 }
Session ID:  {229, 77, 223, 81, 84, 85, 11, 50, 74, 75, 51, 102, 202, 10,
72, 167}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Warning: No renegotiation indication extension in ServerHello
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
…
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
In create socket with args: host = localhost, port = 10002

 
I would have expected it to use my createSocket to create the socket for the
initial handshake … Can anyone shed any light on why it doesn’t? How can I
set my cipher suite with DefaultHttpClient?
Thanks very much, Baljeet.
-- 
View this message in context: http://old.nabble.com/DefaultHttpClient-%284.0.3%29-does-not-call-my-customised-socket-factory-for-the-initial-SSL-handshake-tp31769314p31769314.html
Sent from the HttpClient-User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: DefaultHttpClient (4.0.3) does not call my customised socket factory for the initial SSL handshake

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Fri, 2011-06-03 at 15:40 -0700, bnijjhar wrote:
> [...]

Works for me with HttpClient 4.1.1

trigger seeding of SecureRandom
done seeding SecureRandom
executing requestGET https://localhost/ HTTP/1.1
[DEBUG] SingleClientConnManager - Get connection for route
HttpRoute[{s}->https://localhost]
In create socket
[DEBUG] DefaultClientConnectionOperator - Connecting to
localhost/127.0.0.1:443
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1290408107 bytes = { 71, 33, 247, 80, 67, 215, 28,
97, 178, 240, 130, 183, 182, 2, 46, 221, 52, 105, 214, 53, 73, 251, 218,
19, 65, 222, 109, 109 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_NULL_MD5]
Compression Methods:  { 0 }
***

Oleg




Re: DefaultHttpClient (4.0.3) does not call my customised socket factory for the initial SSL handshake

Posted by bnijjhar <ba...@accenture.com>.
Hi Oleg
Many thanks for that investigation/suggestion. I upgraded to 4.1.1 and,
without needing to change my code (except for the API updates), it is now
working. The difference from the 4.0.3 implementation is that this time it
is using my custom socket factory to connect the socket (as well as to
create it). In 4.0.3, as described in the original post, it only created the
socket but did not use it to connect.
thanks, Baljeet.
-- 
View this message in context: http://old.nabble.com/DefaultHttpClient-%284.0.3%29-does-not-call-my-customised-socket-factory-for-the-initial-SSL-handshake-tp31769314p31792103.html
Sent from the HttpClient-User mailing list archive at Nabble.com.
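The thread ends with the 4.1.1 API offering the wanted suite, but nothing above checks which suite was actually negotiated, and the poster's own log shows how a session cached from an earlier handshake can be reused with a different one. The following is an added example, not code from the thread or from HttpClient itself, written against the 4.1 API the thread ends on (the SSLSocketFactory(SSLContext, X509HostnameVerifier) constructor and the same two createSocket overrides; the thread's 4.1.1 log shows createSocket() being called before the connect). The class names PinnedCipherSSLSocketFactory and CipherSuitePinningVerifier are assumptions. It generalises the single NULL suite to an allow-list, intersects that list with what the JSSE provider supports so an unavailable suite fails loudly, and, because HttpClient's SSLSocketFactory hands every socket to the hostname verifier once the handshake has completed, wraps the verifier to refuse any connection, including one resumed from the JSSE session cache, whose negotiated suite is not on the list. On the layered path the base class runs the verifier, and with it the handshake, inside createSocket(Socket, String, int, boolean) before returning, so enabling suites on the returned socket is too late; the example builds that socket from the SSLContext directly and verifies afterwards.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;

// Hostname-verifier decorator (hypothetical name): runs the real certificate and
// hostname check, which completes the handshake, then rejects the connection unless
// the suite actually negotiated is on the allow-list. A session resumed from the
// JSSE cache with some other suite is caught here instead of being used silently.
class CipherSuitePinningVerifier implements X509HostnameVerifier {
    final Set<String> allowed;
    private final X509HostnameVerifier delegate;

    CipherSuitePinningVerifier(X509HostnameVerifier delegate, Set<String> allowed) {
        this.delegate = delegate;
        this.allowed = allowed;
    }

    public void verify(String host, SSLSocket ssl) throws IOException {
        delegate.verify(host, ssl);
        String negotiated = ssl.getSession().getCipherSuite();
        if (!allowed.contains(negotiated)) {
            throw new SSLException("negotiated " + negotiated + ", expected one of " + allowed);
        }
    }

    public void verify(String host, X509Certificate cert) throws SSLException {
        delegate.verify(host, cert);
    }

    public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
        delegate.verify(host, cns, subjectAlts);
    }

    public boolean verify(String host, SSLSession session) {
        return delegate.verify(host, session) && allowed.contains(session.getCipherSuite());
    }
}

// Socket factory (hypothetical name) that offers only the allow-listed suites in
// the ClientHello on both socket paths and installs the pinning verifier above.
public class PinnedCipherSSLSocketFactory extends SSLSocketFactory {
    private final SSLContext ctx;
    private final CipherSuitePinningVerifier verifier;

    public PinnedCipherSSLSocketFactory(SSLContext ctx, String... suites) {
        this(ctx, new CipherSuitePinningVerifier(STRICT_HOSTNAME_VERIFIER,
                Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(suites)))));
    }

    private PinnedCipherSSLSocketFactory(SSLContext ctx, CipherSuitePinningVerifier verifier) {
        super(ctx, verifier);
        this.ctx = ctx;
        this.verifier = verifier;
    }

    // Intersect the allow-list with what this provider supports, so a suite the JDK
    // does not offer fails with a clear message instead of an IllegalArgumentException
    // from setEnabledCipherSuites (or, worse, a default suite being offered).
    private SSLSocket restrict(SSLSocket s) {
        Set<String> usable = new HashSet<String>(verifier.allowed);
        usable.retainAll(Arrays.asList(s.getSupportedCipherSuites()));
        if (usable.isEmpty()) {
            throw new IllegalStateException("none of " + verifier.allowed + " is supported here");
        }
        s.setEnabledCipherSuites(usable.toArray(new String[usable.size()]));
        return s;
    }

    // Unconnected socket; HttpClient 4.1 connects it afterwards, so the handshake
    // has not happened yet and restricting here is early enough.
    @Override
    public Socket createSocket() throws IOException {
        return restrict((SSLSocket) super.createSocket());
    }

    // Layered over an already connected socket (e.g. a proxy tunnel). Build it from
    // the SSLContext, restrict the suites, and only then run the verifier, which
    // triggers the handshake; the base-class method would have handshaken first.
    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        SSLSocket s = restrict((SSLSocket) ctx.getSocketFactory()
                .createSocket(socket, host, port, autoClose));
        try {
            verifier.verify(host, s);
        } catch (IOException e) {
            s.close();
            throw e;
        }
        return s;
    }
}
```

Register it in place of CustomisedCipherSSLSocketFactory, e.g. new Scheme("https", new PinnedCipherSSLSocketFactory(SSLContext.getDefault(), "SSL_RSA_WITH_NULL_MD5"), 443). Two caveats. A NULL suite gives server authentication and an HMAC integrity check only: request and response bodies cross the wire in clear, so this should be an explicit, reviewed requirement (a traffic-inspection point, say), never a default, and the same factory pins a strong-suite allow-list just as well. And recent JDKs disable NULL suites through jdk.tls.disabledAlgorithms, in which case restrict() fails with the message above rather than offering whatever the JDK chooses.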

