[security-dev 00238]: Re: X509KeyManager alias choice based on temporary socket

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Thu Jul 10 02:42:44 PDT 2008

Hi Andrew,

Andrew Fan wrote:
> Bruno Harbulot wrote:
>> Hi Andrew,
>> OK, but the problem is precisely that this 
>> "socket.getLocalAddress().isAnyLocalAddress()" is always true, 
>> regardless of what the actual socket has been configured with. 
>> "socket.getLocalAddress()" always returns, because this 
>> information isn't passed from SSLServerSocketImpl to the temporary 
>> SSLSocketImpl, which is then passed to chooseServerAlias(). This 
>> workaround cannot work.
> The X509KeyManager.chooseServerAlias() may be called two ways, one is 
> just as your description, a temporary socket used via 
> SSLServerSocketImpl.checkEnabledSuites(). Once the check passed, the 
> server socket will not try to check it against the key manager anymore.
> The other way, while handshaking, the X509KeyManager.chooseServerAlias() 
> will be called with the actual socket. The stack looks like,
> X509KeyManager.chooseServerAlias()
> ServerHandshaker.setupPrivateKeyAndChain()
> trySetCipherSuite
> chooseCipherSuite
> ServerHandshaker.clientHello()
> Handshaker.processMessage()
> Please have a try with a workaround; any feedback is welcome.

I see, this works indeed when it's called during the handshake. I had 
misunderstood what you meant in your first reply by:
>>>>>> Once the SSLServerSocketImpl.checkEnabledSuites() passed, the 
>>>>>> following accepted socket will use the actual socket, the behavior 
>>>>>> is just as your expect.

Sorry about that. Thanks for your help.
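The two call paths Andrew describes above suggest how a key manager that selects the server certificate by bound address has to behave. The following is an added example written for this archive page, not code from the thread or from the JDK: an X509ExtendedKeyManager that wraps the X509KeyManager obtained from a KeyManagerFactory and treats a wildcard local address (the temporary socket handed to chooseServerAlias() from SSLServerSocketImpl.checkEnabledSuites()) as "no information", falling back to a default alias so the enabled-suite check passes, and only makes the per-address choice on the second call, during the handshake, when the actual accepted socket is passed in. The address-to-alias map and the default alias are assumptions for illustration; the JSSE classes and method signatures are the real ones.

```java
import java.net.InetAddress;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Added example: choose the server alias from the socket's local address.
 *
 * chooseServerAlias() is reached twice by JSSE:
 *   1. from SSLServerSocketImpl.checkEnabledSuites(), with a temporary SSLSocketImpl
 *      whose getLocalAddress().isAnyLocalAddress() is always true (the bound address
 *      is not copied into the temporary socket), so the address cannot be used here;
 *   2. during the handshake (ServerHandshaker.setupPrivateKeyAndChain), with the
 *      accepted socket, which carries the real local address.
 * The wildcard case therefore returns a default alias; the real choice is made on
 * the second call. Returning null on the first call would make checkEnabledSuites()
 * fail with "no cipher suites in common", so a default is required.
 */
public class LocalAddressKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;                  // e.g. from KeyManagerFactory
    private final Map<InetAddress, String> aliasByAddress;  // assumed mapping: bound address -> alias
    private final String defaultAlias;                      // assumed alias used for the wildcard case

    public LocalAddressKeyManager(X509KeyManager delegate,
                                  Map<InetAddress, String> aliasByAddress,
                                  String defaultAlias) {
        this.delegate = delegate;
        this.aliasByAddress = aliasByAddress;
        this.defaultAlias = defaultAlias;
    }

    /** Address-only part of the decision, kept separate so it can be tested without a socket. */
    String aliasFor(InetAddress local) {
        if (local == null || local.isAnyLocalAddress()) {
            return defaultAlias; // temporary checkEnabledSuites() socket, or an unbound socket
        }
        String alias = aliasByAddress.get(local);
        return alias != null ? alias : defaultAlias;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String alias = aliasFor(socket == null ? null : socket.getLocalAddress());
        // Only offer the alias if the delegate really holds a key of the requested type
        // (RSA vs. DSA vs. EC) for it; otherwise let JSSE try the next suite.
        String[] usable = delegate.getServerAliases(keyType, issuers);
        if (usable == null) {
            return null;
        }
        for (String candidate : usable) {
            if (candidate.equals(alias)) {
                return alias;
            }
        }
        return null;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        // An SSLEngine has no local socket address, so the wildcard rule applies.
        return chooseServerAlias(keyType, issuers, null);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}
```

To use it, obtain the X509KeyManager from KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()) after init(keyStore, password), wrap it in LocalAddressKeyManager, and pass the wrapper to SSLContext.init(). The default alias must hold a key of a type enabled in the server's cipher suites, otherwise the first (wildcard) call returns null and the enabled-suite check still fails.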

