[security-dev 00238]: Re: X509KeyManager alias choice based on temporary socket
Bruno Harbulot
Bruno.Harbulot at manchester.ac.uk
Thu Jul 10 09:42:44 UTC 2008
Hi Andrew,
Andrew Fan wrote:
>
> Bruno Harbulot wrote:
>> Hi Andrew,
>>
>> OK, but the problem is precisely that this
>> "socket.getLocalAddress().isAnyLocalAddress()" is always true,
>> regardless of what the actual socket has been configured with.
>> "socket.getLocalAddress()" always returns 0.0.0.0, because this
>> information isn't passed from SSLServerSocketImpl to the temporary
>> SSLSocketImpl, which is then passed to chooseServerAlias(). This
>> workaround cannot work.
>>
> The X509KeyManager.chooseServerAlias() may be called in two ways. One is
> just as you describe: a temporary socket used via
> SSLServerSocketImpl.checkEnabledSuites(). Once the check has passed, the
> server socket will not try to check it against the key manager anymore.
>
> The other way, while handshaking, the X509KeyManager.chooseServerAlias()
> will be called with the actual socket. The stack looks like,
> X509KeyManager.chooseServerAlias()
> ServerHandshaker.setupPrivateKeyAndChain()
> trySetCipherSuite
> chooseCipherSuite
> ServerHandshaker.clientHello()
> Handshaker.processMessage()
>
> Please have a try with a workaround; any feedback is welcome.
I see, this works indeed when it's called during the handshake. I had
misunderstood what you meant in your first reply by:
>>>>>> Once the SSLServerSocketImpl.checkEnabledSuites() passed, the
>>>>>> following accepted socket will use the actual socket, the behavior
>>>>>> is just as you expect.
Sorry about that. Thanks for your help.
Bruno.
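The two call paths Andrew describes suggest the shape of a workaround: a key manager that tolerates the temporary socket (whose local address always reads as 0.0.0.0) and only makes the per-address choice when the accepted socket arrives during the handshake. The following is an added example, written for this page and not code from the thread or from the JDK; the address-to-alias map, the default alias and the class name are assumptions for illustration.

```java
import java.net.InetAddress;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.X509KeyManager;

/**
 * Illustrative wrapper (assumed name, not JDK code): chooses the server alias
 * from the local address the accepted socket is bound to, while tolerating
 * the temporary socket JSSE passes from SSLServerSocketImpl.checkEnabledSuites().
 * The delegate is a normal JSSE X509KeyManager (e.g. from KeyManagerFactory).
 */
public final class LocalAddressKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final Map<InetAddress, String> aliasByAddress; // assumed input
    private final String defaultAlias;                     // assumed input

    public LocalAddressKeyManager(X509KeyManager delegate,
                                  Map<InetAddress, String> aliasByAddress,
                                  String defaultAlias) {
        this.delegate = delegate;
        this.aliasByAddress = aliasByAddress;
        this.defaultAlias = defaultAlias;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        InetAddress local = (socket == null) ? null : socket.getLocalAddress();
        if (local == null || local.isAnyLocalAddress()) {
            // Call path 1 (checkEnabledSuites): the temporary socket reports the
            // wildcard address whatever the server socket was bound to. Returning
            // a usable alias lets the enabled-suite check pass; the real choice is
            // made on the handshake call below. A server socket genuinely bound to
            // 0.0.0.0 also lands here, so the default alias must be acceptable
            // for every address the server answers on.
            return usable(keyType, issuers, socket, defaultAlias);
        }
        // Call path 2 (ServerHandshaker.setupPrivateKeyAndChain): the accepted
        // socket carries the real local address, so the per-address alias applies.
        String alias = aliasByAddress.get(local);
        return usable(keyType, issuers, socket, alias != null ? alias : defaultAlias);
    }

    // Only hand back an alias the delegate actually offers for this key type;
    // otherwise let the delegate choose, so the handshake is not broken by an
    // alias whose key algorithm does not match the negotiated cipher suite.
    private String usable(String keyType, Principal[] issuers, Socket socket, String alias) {
        String[] offered = delegate.getServerAliases(keyType, issuers);
        if (offered != null) {
            for (String a : offered) {
                if (a.equals(alias)) {
                    return alias;
                }
            }
        }
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}
```

To use it, take the X509KeyManager returned by KeyManagerFactory.getKeyManagers(), wrap it in this class, and pass the wrapped instance to SSLContext.init() before creating the SSLServerSocketFactory. Note that the wildcard branch cannot distinguish the temporary socket from a server socket that really is bound to 0.0.0.0, which is why the default alias has to be a certificate that is valid for any address the server listens on.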