[security-dev 00238]: Re: X509KeyManager alias choice based on temporary socket

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Thu Jul 10 02:42:44 PDT 2008


Hi Andrew,

Andrew Fan wrote:
> 
> Bruno Harbulot wrote:
>> Hi Andrew,
>>
>> OK, but the problem is precisely that this 
>> "socket.getLocalAddress().isAnyLocalAddress()" is always true, 
>> regardless of what the actual socket has been configured with. 
>> "socket.getLocalAddress()" always returns 0.0.0.0, because this 
>> information isn't passed from SSLServerSocketImpl to the temporary 
>> SSLSocketImpl, which is then passed to chooseServerAlias(). This 
>> workaround cannot work.
>>
> The X509KeyManager.chooseServerAlias() may be called two ways, one is 
> just as your description, a temporary socket used via 
> SSLServerSocketImpl.checkEnabledSuites(). Once the check passed, the 
> server socket will not try to check it against the key manager anymore.
> 
> The other way, while handshaking, the X509KeyManager.chooseServerAlias() 
> will be called with the actual socket. The stack looks like,
> X509KeyManager.chooseServerAlias()
> ServerHandshaker.setupPrivateKeyAndChain()
> trySetCipherSuite
> chooseCipherSuite
> ServerHandshaker.clientHello()
> Handshaker.processMessage()
> 
> Please have a try with a workaround, any feedback is welcome.


I see, this works indeed when it's called during the handshake. I had 
misunderstood what you meant in your first reply by:
>>>>>> Once the SSLServerSocketImpl.checkEnabledSuites() passed, the 
>>>>>> following accepted socket will use the actual socket, the behavior 
>>>>>> is just as you expect.

Sorry about that. Thanks for your help.

Bruno.
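The two call paths Andrew describes can be handled in one key manager: when chooseServerAlias() is handed the temporary socket from SSLServerSocketImpl.checkEnabledSuites(), its local address is the wildcard 0.0.0.0, so the key manager returns a default alias that lets the cipher-suite check pass; when it is called during ServerHandshaker.clientHello() with the real accepted socket, it picks the alias for the address that socket is actually bound to. The following is an added example illustrating that logic; it is not code from this thread or from the JDK. The class name AddressBasedKeyManager, the alias names, the address-to-alias map and the stub delegate in main() are all constructed for the demo; a real deployment would wrap the X509KeyManager obtained from a KeyManagerFactory.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.X509KeyManager;

/**
 * Chooses the server alias from the local address of the accepted socket,
 * while tolerating the temporary socket used by checkEnabledSuites(), whose
 * getLocalAddress() is always the wildcard address. (Constructed example.)
 */
public final class AddressBasedKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;              // real key manager holding the keys
    private final Map<InetAddress, String> aliasByAddress; // bound local address -> alias
    private final String defaultAlias;                  // returned for the temporary socket

    public AddressBasedKeyManager(X509KeyManager delegate,
                                  Map<InetAddress, String> aliasByAddress,
                                  String defaultAlias) {
        this.delegate = delegate;
        this.aliasByAddress = aliasByAddress;
        this.defaultAlias = defaultAlias;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        InetAddress local = (socket == null) ? null : socket.getLocalAddress();
        if (local == null || local.isAnyLocalAddress()) {
            // Call path 1: temporary socket from checkEnabledSuites(). The address is
            // 0.0.0.0 regardless of configuration, so only answer "a key exists".
            return defaultAlias;
        }
        // Call path 2: the accepted socket, seen from ServerHandshaker.clientHello().
        String alias = aliasByAddress.get(local);
        return alias != null ? alias : defaultAlias;
    }

    // Client-side and lookup methods are simply delegated.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Demo of both call paths using plain sockets; no TLS or keystore needed. */
    public static void main(String[] args) throws Exception {
        // Stub delegate: constructed for the demo only, holds no keys.
        X509KeyManager stub = new X509KeyManager() {
            public String[] getClientAliases(String k, Principal[] i) { return null; }
            public String chooseClientAlias(String[] k, Principal[] i, Socket s) { return null; }
            public String[] getServerAliases(String k, Principal[] i) { return null; }
            public String chooseServerAlias(String k, Principal[] i, Socket s) { return null; }
            public X509Certificate[] getCertificateChain(String a) { return null; }
            public PrivateKey getPrivateKey(String a) { return null; }
        };
        InetAddress loopback = InetAddress.getLoopbackAddress();
        AddressBasedKeyManager km = new AddressBasedKeyManager(
                stub, Map.of(loopback, "loopback-cert"), "default-cert");

        // An unbound Socket reports the wildcard address, exactly like the temporary socket.
        try (Socket temporary = new Socket()) {
            System.out.println("temporary socket -> " + km.chooseServerAlias("RSA", null, temporary));
        }
        // A socket bound to an address stands in for the accepted socket during the handshake.
        try (Socket accepted = new Socket()) {
            accepted.bind(new InetSocketAddress(loopback, 0));
            System.out.println("handshake socket -> " + km.chooseServerAlias("RSA", null, accepted));
        }
    }
}
```

Wire it in with SSLContext.init(new KeyManager[]{km}, trustManagers, null) after obtaining the delegate from KeyManagerFactory.getKeyManagers(). The defaultAlias must name a key whose type matches the enabled cipher suites, otherwise checkEnabledSuites() will still reject the configuration before any real socket is ever seen.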
