I'm writing an Android client for a system that requires me open an SSLSocket to a proxy server, do a tunnel handshake and then create ANOTHER SSLSocket over the tunnel. Here is my code to create the tunnel:
SSLSocketFactory sslsocketfactory = securityService.getSslContextNoCerts().getSocketFactory();
SSLSocket sslSocket = (SSLSocket) sslsocketfactory.createSocket(proxyAddress.getAddress(),
proxyAddress.getPort());
sslSocket.setEnabledProtocols(new String[] { SecurityService.TLS10 });
sslSocket.setEnabledCipherSuites(SecurityService.CIPHERS);
sslSocket.startHandshake();
Then I do tunnel handshake and then:
SSLSocketFactory sslsocketfactory = securityService.getSslContext().getSocketFactory();
hostSocket = (SSLSocket) sslsocketfactory.createSocket(tunnel,
InetAddress.getByAddress(remoteAddress.getIpAddress()).getHostAddress(),
remoteAddress.getPort(), false);
hostSocket.setUseClientMode(false);
hostSocket.setNeedClientAuth(true);
securityService.setEnabledProtocols(hostSocket);
hostSocket.setEnabledCipherSuites(SecurityService.DATASESSION_CIPHERS);
hostSocket.startHandshake();
At this point I get an SSLProtocolException with this message:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (external/openssl/ssl/s23_srvr.c:589 0xad12b3f0:0x00000000)
Anybody know how I can achieve this? I know your first question would be why layer SSL over SSL, but I'm writing a client for and EXISTING system that requires it.
Any help would be much appreciated. Zhubin
Ok I finally fixed this problem. For some reason when I use org.apache.harmony.xnet.provider.jsse.OpenSSLProvider (Android default SSL provider), SSL over SSL does not work. So I switched to org.apache.harmony.xnet.provider.jsse.JSSEProvider and now everything works fine.
Your code looks correct. As it doesn't work, I suggest you have misunderstood the requirement, or it has been misrepresented to you. I suggest you only need to keep using the original SSLSocket. Try it. I find it vanishingly unlikely that any real system works in the way you have described. Not only would its performance be abysmal; the server would have to have the same kind of double-SSL coding that you have here: and how would it know when to do that and when not? Once the tunnel is created the proxy just copies bytes. I bet that just continuing to use the original SSL connection will work.