TLS/SSL extensions

Liche alistair.braden at nominet.org.uk
Wed Jun 29 11:30:47 EDT 2011


OK, I've got something which /appears/ to do what I want it to. It's *ugly*,
so I'd be delighted with better ideas! It seems that java 1.7 has what I
need in SSLParameters.setEndpointIdentificationAlgorithm, but that's not
available to me at this stage and 1.6 doesn't have this. I've instead hacked
together something using the Sun implementation-specific code (I know...),
and some intra-pipeline stuff.

import java.net.InetSocketAddress;

import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelStateEvent;
import org.jboss.netty.channel.Channels;
import org.jboss.netty.handler.ssl.SslHandler;

// JDK 6 location of the Sun-internal engine class (not a public API)
import com.sun.net.ssl.internal.ssl.SSLEngineImpl;

private ChannelPipeline getSSLPipeline() throws Exception {
    ChannelPipeline pipeline = Channels.pipeline();

    // using the implementation, not the interface
    SSLEngineImpl engine = (SSLEngineImpl) createSSLContext().createSSLEngine();
    engine.setUseClientMode(false);
    engine.setNeedClientAuth(true);

    // specify the protocol for validating the hostnames
    engine.trySetHostnameVerification("HTTPS");

    pipeline.addLast("ssl", new SslHandler(engine));

    // ... (add other stuff to pipeline)

    return pipeline;
}

public void channelConnected(ChannelHandlerContext ctx, ChannelStateEvent e)
        throws Exception {
    // access the sslHandler once we know what the client's hostname is
    SslHandler sslHandler = ctx.getPipeline().get(SslHandler.class);
    // the CONNECTED event carries the remote address
    InetSocketAddress peerHost = (InetSocketAddress) e.getValue();

    // does what it says... Hack the hostname into the SslEngine
    // (FieldUtils is a reflection helper, not a Netty class; getHostName()
    // does a reverse DNS lookup of the peer address)
    FieldUtils.setPrivateField(sslHandler.getEngine(), "peerHost",
            peerHost.getHostName());
}



Connecting from a host specified in the subjectAltName of the certificate
works; connecting from elsewhere throws a CertificateException (which I
haven't handled yet) mentioning the hostname mismatch.

I'm sure there are better ways of doing this, and I'm quite prepared for the
fact that there is something fundamentally wrong with the above - but it's
closer than I was yesterday.

--
View this message in context: http://netty-forums-and-mailing-lists.685743.n2.nabble.com/TLS-SSL-extensions-tp6524964p6529430.html
Sent from the Netty User Group mailing list archive at Nabble.com.
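The same check can be done without touching Sun-internal classes or private fields. The handler below is an added example, not code from the post or from Netty: it uses only public JDK 6 and Netty 3.2 APIs, sits in the pipeline directly after the "ssl" SslHandler, and on the first decrypted message compares the client certificate's subjectAltName entries (dNSName and iPAddress) against the connected peer's address, closing the channel on mismatch. The class name and the SAN type constants are assumptions of this example; the SslHandler's own trust check (needClientAuth) still runs first, this only adds the endpoint identification the post is after.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.MessageEvent;
import org.jboss.netty.channel.SimpleChannelUpstreamHandler;
import org.jboss.netty.handler.ssl.SslHandler;

/**
 * Hypothetical handler (added example, not from the original post or Netty).
 * Placed directly after the SslHandler; on the first decrypted message it
 * compares the client certificate's subjectAltName entries with the peer's
 * address and closes the channel on mismatch. Keeps per-connection state, so
 * create one instance per pipeline and do not mark it @Sharable.
 */
public class ClientCertPeerCheckHandler extends SimpleChannelUpstreamHandler {

    private static final int SAN_DNS_NAME = 2;   // GeneralName tag dNSName
    private static final int SAN_IP_ADDRESS = 7; // GeneralName tag iPAddress

    private boolean peerVerified = false;

    @Override
    public void messageReceived(ChannelHandlerContext ctx, MessageEvent e) throws Exception {
        if (!peerVerified) {
            // SslHandler forwards application data only after the handshake has
            // completed, so the session and the client's chain are available here.
            SslHandler ssl = ctx.getPipeline().get(SslHandler.class);
            InetSocketAddress peer = (InetSocketAddress) ctx.getChannel().getRemoteAddress();
            if (!matchesPeer(ssl.getEngine().getSession(), peer)) {
                // refuse before any application data reaches the handlers upstream
                ctx.getChannel().close();
                return;
            }
            peerVerified = true;
        }
        super.messageReceived(ctx, e);
    }

    /** True if a dNSName or iPAddress SAN of the client's leaf certificate matches the peer. */
    static boolean matchesPeer(SSLSession session, InetSocketAddress peer) throws Exception {
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates(); // peer's own certificate is chain[0]
        } catch (SSLPeerUnverifiedException ex) {
            return false; // no client certificate was presented
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension: nothing to identify the endpoint by
        }
        InetAddress addr = peer.getAddress();
        // Reverse DNS is not authenticated; an iPAddress SAN is the stronger binding.
        String reverseName = addr.getHostName().toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            int type = ((Integer) san.get(0)).intValue();
            Object value = san.get(1); // String for dNSName and iPAddress entries
            if (type == SAN_IP_ADDRESS && InetAddress.getByName((String) value).equals(addr)) {
                return true; // getByName on a literal address performs no DNS lookup
            }
            if (type == SAN_DNS_NAME
                    && dnsNameMatches(((String) value).toLowerCase(Locale.ROOT), reverseName)) {
                return true;
            }
        }
        return false;
    }

    /** Exact match, or a single leftmost wildcard ("*.example.com" matches exactly one label). */
    static boolean dnsNameMatches(String pattern, String host) {
        if (!pattern.startsWith("*.")) {
            return pattern.equals(host);
        }
        String suffix = pattern.substring(1); // ".example.com"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String label = host.substring(0, host.length() - suffix.length());
        return label.length() > 0 && label.indexOf('.') < 0;
    }
}
```

Register it right after the SslHandler, e.g. `pipeline.addLast("peerCheck", new ClientCertPeerCheckHandler());` immediately after `pipeline.addLast("ssl", ...)`, so that no other handler sees application data from a client whose certificate does not match its address. Because the dNSName comparison relies on a reverse lookup of the peer address, a deployment that wants a strong binding should issue client certificates with iPAddress entries, or key its policy on the certificate subject rather than on the network address.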

