I'm writing an Android client for a system that requires me open an SSLSocket to a proxy server, do a tunnel handshake and then create ANOTHER SSLSocket over the tunnel. Here is my code to create the tunnel:

    SSLSocketFactory sslsocketfactory = securityService.getSslContextNoCerts().getSocketFactory();
    SSLSocket sslSocket = (SSLSocket) sslsocketfactory.createSocket(proxyAddress.getAddress(),
            proxyAddress.getPort());
    sslSocket.setEnabledProtocols(new String[] { SecurityService.TLS10 });
    sslSocket.setEnabledCipherSuites(SecurityService.CIPHERS);
    sslSocket.startHandshake();

Then I do tunnel handshake and then:

    SSLSocketFactory sslsocketfactory = securityService.getSslContext().getSocketFactory();
    hostSocket = (SSLSocket) sslsocketfactory.createSocket(tunnel,
            InetAddress.getByAddress(remoteAddress.getIpAddress()).getHostAddress(),
            remoteAddress.getPort(), false);
    hostSocket.setUseClientMode(false);
    hostSocket.setNeedClientAuth(true);
    securityService.setEnabledProtocols(hostSocket);
    hostSocket.setEnabledCipherSuites(SecurityService.DATASESSION_CIPHERS);
    hostSocket.startHandshake();

At this point I get an SSLProtocolException with this message:

error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (external/openssl/ssl/s23_srvr.c:589 0xad12b3f0:0x00000000)

Anybody know how I can achieve this? I know your first question would be why layer SSL over SSL, but I'm writing a client for and EXISTING system that requires it.

Any help would be much appreciated. Zhubin

Ok I finally fixed this problem. For some reason when I use org.apache.harmony.xnet.provider.jsse.OpenSSLProvider (Android default SSL provider), SSL over SSL does not work. So I switched to org.apache.harmony.xnet.provider.jsse.JSSEProvider and now everything works fine.

Your code looks correct. As it doesn't work, I suggest you have misunderstood the requirement, or it has been misrepresented to you. I suggest you only need to keep using the original SSLSocket. Try it. I find it vanishingly unlikely that any real system works in the way you have described. Not only would its performance be abysmal; the server would have to have the same kind of double-SSL coding that you have here: and how would it know when to do that and when not? Once the tunnel is created the proxy just copies bytes. I bet that just continuing to use the original SSL connection will work.