-
SSLCertificateSocketFactory
-
TAG: String
-
INSECURE_TRUST_MANAGER: TrustManager[]
-
mInsecureFactory: SSLSocketFactory
-
mSecureFactory: SSLSocketFactory
-
mTrustManagers: TrustManager[]
-
mKeyManagers: KeyManager[]
-
mNpnProtocols: byte[]
-
mAlpnProtocols: byte[]
-
mChannelIdPrivateKey: PrivateKey
-
mHandshakeTimeoutMillis: int
-
mSecure: boolean
-
SSLCertificateSocketFactory(int): void
-
SSLCertificateSocketFactory(int, SSLSessionCache, boolean): void
-
getDefault(int): SocketFactory
-
getDefault(int, SSLSessionCache): SSLSocketFactory
-
getInsecure(int, SSLSessionCache): SSLSocketFactory
-
getHttpSocketFactory(int, SSLSessionCache): SSLSocketFactory
-
verifyHostname(Socket, String): void
-
makeSocketFactory(KeyManager[], TrustManager[]): SSLSocketFactory
-
isSslCheckRelaxed(): boolean
-
getDelegate(): SSLSocketFactory
-
setTrustManagers(TrustManager[]): void
-
setNpnProtocols(byte[][]): void
-
setAlpnProtocols(byte[][]): void
-
toLengthPrefixedList(byte[][]): byte[]
-
getNpnSelectedProtocol(Socket): byte[]
-
getAlpnSelectedProtocol(Socket): byte[]
-
setKeyManagers(KeyManager[]): void
-
setChannelIdPrivateKey(PrivateKey): void
-
setUseSessionTickets(Socket, boolean): void
-
setHostname(Socket, String): void
-
setSoWriteTimeout(Socket, int): void
-
createSocket(Socket, String, int, boolean): Socket
-
createSocket(): Socket
-
createSocket(InetAddress, int, InetAddress, int): Socket
-
createSocket(InetAddress, int): Socket
-
createSocket(String, int, InetAddress, int): Socket
-
createSocket(String, int): Socket
-
getDefaultCipherSuites(): String[]
-
getSupportedCipherSuites(): String[]
-
/*
* Copyright (C) 2008 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.net;
import android.os.SystemProperties;
import android.util.Log;
import com.android.internal.os.RoSystemProperties;
import com.android.org.conscrypt.Conscrypt;
import com.android.org.conscrypt.OpenSSLContextImpl;
import com.android.org.conscrypt.OpenSSLSocketImpl;
import com.android.org.conscrypt.SSLClientSessionCache;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.SocketException;
import java.security.KeyManagementException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
SSLSocketFactory implementation with several extra features:
- Timeout specification for SSL handshake operations
- Hostname verification in most cases (see WARNINGs below)
- Optional SSL session caching with
SSLSessionCache - Optionally bypass all SSL certificate checks
The handshake timeout does not apply to actual TCP socket connection. If you want a connection timeout as well, use createSocket() and Socket.connect(SocketAddress, int), after which you must verify the identity of the server you are connected to. Most SSLSocketFactory implementations do not verify the server's identity, allowing man-in-the-middle attacks. This implementation does check the server's certificate hostname, but only for createSocket variants that specify a hostname. When using methods that use InetAddress or which return an unconnected socket, you MUST verify the server's identity yourself to ensure a secure connection. Refer to
Updating Your Security Provider to Protect Against SSL Exploits
for further information.
One way to verify the server's identity is to use HttpsURLConnection.getDefaultHostnameVerifier() to get a HostnameVerifier to verify the certificate hostname.
On development devices, "setprop socket.relaxsslcheck yes" bypasses all
SSL certificate and hostname checks for testing purposes. This setting
requires root access.
/**
* SSLSocketFactory implementation with several extra features:
*
* <ul>
* <li>Timeout specification for SSL handshake operations
* <li>Hostname verification in most cases (see WARNINGs below)
* <li>Optional SSL session caching with {@link SSLSessionCache}
* <li>Optionally bypass all SSL certificate checks
* </ul>
*
* The handshake timeout does not apply to actual TCP socket connection.
* If you want a connection timeout as well, use {@link #createSocket()}
* and {@link Socket#connect(SocketAddress, int)}, after which you
* must verify the identity of the server you are connected to.
*
* <p class="caution"><b>Most {@link SSLSocketFactory} implementations do not
* verify the server's identity, allowing man-in-the-middle attacks.</b>
* This implementation does check the server's certificate hostname, but only
* for createSocket variants that specify a hostname. When using methods that
* use {@link InetAddress} or which return an unconnected socket, you MUST
* verify the server's identity yourself to ensure a secure connection.
*
* Refer to
* <a href="https://developer.android.com/training/articles/security-gms-provider.html">
* Updating Your Security Provider to Protect Against SSL Exploits</a>
* for further information.</p>
*
* <p>One way to verify the server's identity is to use
* {@link HttpsURLConnection#getDefaultHostnameVerifier()} to get a
* {@link HostnameVerifier} to verify the certificate hostname.
*
* <p>On development devices, "setprop socket.relaxsslcheck yes" bypasses all
* SSL certificate and hostname checks for testing purposes. This setting
* requires root access.
*/
public class SSLCertificateSocketFactory extends SSLSocketFactory {
private static final String TAG = "SSLCertificateSocketFactory";
private static final TrustManager[] INSECURE_TRUST_MANAGER = new TrustManager[] {
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() { return null; }
public void checkClientTrusted(X509Certificate[] certs, String authType) { }
public void checkServerTrusted(X509Certificate[] certs, String authType) { }
}
};
private SSLSocketFactory mInsecureFactory = null;
private SSLSocketFactory mSecureFactory = null;
private TrustManager[] mTrustManagers = null;
private KeyManager[] mKeyManagers = null;
private byte[] mNpnProtocols = null;
private byte[] mAlpnProtocols = null;
private PrivateKey mChannelIdPrivateKey = null;
private final int mHandshakeTimeoutMillis;
private final SSLClientSessionCache mSessionCache;
private final boolean mSecure;
Deprecated: Use getDefault(int) instead.
/** @deprecated Use {@link #getDefault(int)} instead. */
@Deprecated
public SSLCertificateSocketFactory(int handshakeTimeoutMillis) {
this(handshakeTimeoutMillis, null, true);
}
private SSLCertificateSocketFactory(
int handshakeTimeoutMillis, SSLSessionCache cache, boolean secure) {
mHandshakeTimeoutMillis = handshakeTimeoutMillis;
mSessionCache = cache == null ? null : cache.mSessionCache;
mSecure = secure;
}
Returns a new socket factory instance with an optional handshake timeout.
Params: - handshakeTimeoutMillis – to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.
Returns: a new SSLSocketFactory with the specified parameters
/**
* Returns a new socket factory instance with an optional handshake timeout.
*
* @param handshakeTimeoutMillis to use for SSL connection handshake, or 0
* for none. The socket timeout is reset to 0 after the handshake.
* @return a new SSLSocketFactory with the specified parameters
*/
public static SocketFactory getDefault(int handshakeTimeoutMillis) {
return new SSLCertificateSocketFactory(handshakeTimeoutMillis, null, true);
}
Returns a new socket factory instance with an optional handshake timeout
and SSL session cache.
Params: - handshakeTimeoutMillis – to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.
- cache – The
SSLSessionCache to use, or null for no cache.
Returns: a new SSLSocketFactory with the specified parameters
/**
* Returns a new socket factory instance with an optional handshake timeout
* and SSL session cache.
*
* @param handshakeTimeoutMillis to use for SSL connection handshake, or 0
* for none. The socket timeout is reset to 0 after the handshake.
* @param cache The {@link SSLSessionCache} to use, or null for no cache.
* @return a new SSLSocketFactory with the specified parameters
*/
public static SSLSocketFactory getDefault(int handshakeTimeoutMillis, SSLSessionCache cache) {
return new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, true);
}
Returns a new instance of a socket factory with all SSL security checks
disabled, using an optional handshake timeout and SSL session cache.
Warning: Sockets created using this factory
are vulnerable to man-in-the-middle attacks!
Params: - handshakeTimeoutMillis – to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.
- cache – The
SSLSessionCache to use, or null for no cache.
Returns: an insecure SSLSocketFactory with the specified parameters
/**
* Returns a new instance of a socket factory with all SSL security checks
* disabled, using an optional handshake timeout and SSL session cache.
*
* <p class="caution"><b>Warning:</b> Sockets created using this factory
* are vulnerable to man-in-the-middle attacks!</p>
*
* @param handshakeTimeoutMillis to use for SSL connection handshake, or 0
* for none. The socket timeout is reset to 0 after the handshake.
* @param cache The {@link SSLSessionCache} to use, or null for no cache.
* @return an insecure SSLSocketFactory with the specified parameters
*/
public static SSLSocketFactory getInsecure(int handshakeTimeoutMillis, SSLSessionCache cache) {
return new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, false);
}
Returns a socket factory (also named SSLSocketFactory, but in a different
namespace) for use with the Apache HTTP stack.
Params: - handshakeTimeoutMillis – to use for SSL connection handshake, or 0
for none. The socket timeout is reset to 0 after the handshake.
- cache – The
SSLSessionCache to use, or null for no cache.
Returns: a new SocketFactory with the specified parameters Deprecated: Use SSLSocketFactory.getDefault() along with a HttpsURLConnection instead. The Apache HTTP client is no longer maintained and may be removed in a future release. Please visit this webpage
for further details. @removed
/**
* Returns a socket factory (also named SSLSocketFactory, but in a different
* namespace) for use with the Apache HTTP stack.
*
* @param handshakeTimeoutMillis to use for SSL connection handshake, or 0
* for none. The socket timeout is reset to 0 after the handshake.
* @param cache The {@link SSLSessionCache} to use, or null for no cache.
* @return a new SocketFactory with the specified parameters
*
* @deprecated Use {@link #getDefault()} along with a {@link javax.net.ssl.HttpsURLConnection}
* instead. The Apache HTTP client is no longer maintained and may be removed in a future
* release. Please visit <a href="http://android-developers.blogspot.com/2011/09/androids-http-clients.html">this webpage</a>
* for further details.
*
* @removed
*/
@Deprecated
public static org.apache.http.conn.ssl.SSLSocketFactory getHttpSocketFactory(
int handshakeTimeoutMillis, SSLSessionCache cache) {
return new org.apache.http.conn.ssl.SSLSocketFactory(
new SSLCertificateSocketFactory(handshakeTimeoutMillis, cache, true));
}
Verify the hostname of the certificate used by the other end of a connected socket. You MUST call this if you did not supply a hostname to createSocket(). It is harmless to call this method redundantly if the hostname has already been verified. Wildcard certificates are allowed to verify any matching hostname,
so "foo.bar.example.com" is verified if the peer has a certificate
for "*.example.com".
Params: - socket – An SSL socket which has been connected to a server
- hostname – The expected hostname of the remote server
Throws: - IOException – if something goes wrong handshaking with the server
- SSLPeerUnverifiedException – if the server cannot prove its identity
@hide
/**
* Verify the hostname of the certificate used by the other end of a
* connected socket. You MUST call this if you did not supply a hostname
* to {@link #createSocket()}. It is harmless to call this method
* redundantly if the hostname has already been verified.
*
* <p>Wildcard certificates are allowed to verify any matching hostname,
* so "foo.bar.example.com" is verified if the peer has a certificate
* for "*.example.com".
*
* @param socket An SSL socket which has been connected to a server
* @param hostname The expected hostname of the remote server
* @throws IOException if something goes wrong handshaking with the server
* @throws SSLPeerUnverifiedException if the server cannot prove its identity
*
* @hide
*/
public static void verifyHostname(Socket socket, String hostname) throws IOException {
if (!(socket instanceof SSLSocket)) {
throw new IllegalArgumentException("Attempt to verify non-SSL socket");
}
if (!isSslCheckRelaxed()) {
// The code at the start of OpenSSLSocketImpl.startHandshake()
// ensures that the call is idempotent, so we can safely call it.
SSLSocket ssl = (SSLSocket) socket;
ssl.startHandshake();
SSLSession session = ssl.getSession();
if (session == null) {
throw new SSLException("Cannot verify SSL socket without session");
}
if (!HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session)) {
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + hostname);
}
}
}
private SSLSocketFactory makeSocketFactory(
KeyManager[] keyManagers, TrustManager[] trustManagers) {
try {
OpenSSLContextImpl sslContext = (OpenSSLContextImpl) Conscrypt.newPreferredSSLContextSpi();
sslContext.engineInit(keyManagers, trustManagers, null);
sslContext.engineGetClientSessionContext().setPersistentCache(mSessionCache);
return sslContext.engineGetSocketFactory();
} catch (KeyManagementException e) {
Log.wtf(TAG, e);
return (SSLSocketFactory) SSLSocketFactory.getDefault(); // Fallback
}
}
private static boolean isSslCheckRelaxed() {
return RoSystemProperties.DEBUGGABLE &&
SystemProperties.getBoolean("socket.relaxsslcheck", false);
}
private synchronized SSLSocketFactory getDelegate() {
// Relax the SSL check if instructed (for this factory, or systemwide)
if (!mSecure || isSslCheckRelaxed()) {
if (mInsecureFactory == null) {
if (mSecure) {
Log.w(TAG, "*** BYPASSING SSL SECURITY CHECKS (socket.relaxsslcheck=yes) ***");
} else {
Log.w(TAG, "Bypassing SSL security checks at caller's request");
}
mInsecureFactory = makeSocketFactory(mKeyManagers, INSECURE_TRUST_MANAGER);
}
return mInsecureFactory;
} else {
if (mSecureFactory == null) {
mSecureFactory = makeSocketFactory(mKeyManagers, mTrustManagers);
}
return mSecureFactory;
}
}
Sets the TrustManagers to be used for connections made by this factory. /**
* Sets the {@link TrustManager}s to be used for connections made by this factory.
*/
public void setTrustManagers(TrustManager[] trustManager) {
mTrustManagers = trustManager;
// Clear out all cached secure factories since configurations have changed.
mSecureFactory = null;
// Note - insecure factories only ever use the INSECURE_TRUST_MANAGER so they need not
// be cleared out here.
}
Sets the Next
Protocol Negotiation (NPN) protocols that this peer is interested in.
For servers this is the sequence of protocols to advertise as
supported, in order of preference. This list is sent unencrypted to
all clients that support NPN.
For clients this is a list of supported protocols to match against the
server's list. If there is no protocol supported by both client and
server then the first protocol in the client's list will be selected.
The order of the client's protocols is otherwise insignificant.
Params: - npnProtocols – a non-empty list of protocol byte arrays. All arrays
must be non-empty and of length less than 256.
/**
* Sets the <a href="http://technotes.googlecode.com/git/nextprotoneg.html">Next
* Protocol Negotiation (NPN)</a> protocols that this peer is interested in.
*
* <p>For servers this is the sequence of protocols to advertise as
* supported, in order of preference. This list is sent unencrypted to
* all clients that support NPN.
*
* <p>For clients this is a list of supported protocols to match against the
* server's list. If there is no protocol supported by both client and
* server then the first protocol in the client's list will be selected.
* The order of the client's protocols is otherwise insignificant.
*
* @param npnProtocols a non-empty list of protocol byte arrays. All arrays
* must be non-empty and of length less than 256.
*/
public void setNpnProtocols(byte[][] npnProtocols) {
this.mNpnProtocols = toLengthPrefixedList(npnProtocols);
}
Sets the
Application Layer Protocol Negotiation (ALPN) protocols that this peer
is interested in.
For servers this is the sequence of protocols to advertise as
supported, in order of preference. This list is sent unencrypted to
all clients that support ALPN.
For clients this is a list of supported protocols to match against the
server's list. If there is no protocol supported by both client and
server then the first protocol in the client's list will be selected.
The order of the client's protocols is otherwise insignificant.
Params: - protocols – a non-empty list of protocol byte arrays. All arrays
must be non-empty and of length less than 256.
@hide
/**
* Sets the
* <a href="http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-01">
* Application Layer Protocol Negotiation (ALPN)</a> protocols that this peer
* is interested in.
*
* <p>For servers this is the sequence of protocols to advertise as
* supported, in order of preference. This list is sent unencrypted to
* all clients that support ALPN.
*
* <p>For clients this is a list of supported protocols to match against the
* server's list. If there is no protocol supported by both client and
* server then the first protocol in the client's list will be selected.
* The order of the client's protocols is otherwise insignificant.
*
* @param protocols a non-empty list of protocol byte arrays. All arrays
* must be non-empty and of length less than 256.
* @hide
*/
public void setAlpnProtocols(byte[][] protocols) {
this.mAlpnProtocols = toLengthPrefixedList(protocols);
}
Returns an array containing the concatenation of length-prefixed byte
strings.
/**
* Returns an array containing the concatenation of length-prefixed byte
* strings.
*/
static byte[] toLengthPrefixedList(byte[]... items) {
if (items.length == 0) {
throw new IllegalArgumentException("items.length == 0");
}
int totalLength = 0;
for (byte[] s : items) {
if (s.length == 0 || s.length > 255) {
throw new IllegalArgumentException("s.length == 0 || s.length > 255: " + s.length);
}
totalLength += 1 + s.length;
}
byte[] result = new byte[totalLength];
int pos = 0;
for (byte[] s : items) {
result[pos++] = (byte) s.length;
for (byte b : s) {
result[pos++] = b;
}
}
return result;
}
Returns the Next
Protocol Negotiation (NPN) protocol selected by client and server, or
null if no protocol was negotiated.
Params: - socket – a socket created by this factory.
Throws: - IllegalArgumentException – if the socket was not created by this factory.
/**
* Returns the <a href="http://technotes.googlecode.com/git/nextprotoneg.html">Next
* Protocol Negotiation (NPN)</a> protocol selected by client and server, or
* null if no protocol was negotiated.
*
* @param socket a socket created by this factory.
* @throws IllegalArgumentException if the socket was not created by this factory.
*/
public byte[] getNpnSelectedProtocol(Socket socket) {
return castToOpenSSLSocket(socket).getNpnSelectedProtocol();
}
Returns the
Application
Layer Protocol Negotiation (ALPN) protocol selected by client and server, or null
if no protocol was negotiated.
Params: - socket – a socket created by this factory.
Throws: - IllegalArgumentException – if the socket was not created by this factory.
@hide
/**
* Returns the
* <a href="http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-01">Application
* Layer Protocol Negotiation (ALPN)</a> protocol selected by client and server, or null
* if no protocol was negotiated.
*
* @param socket a socket created by this factory.
* @throws IllegalArgumentException if the socket was not created by this factory.
* @hide
*/
public byte[] getAlpnSelectedProtocol(Socket socket) {
return castToOpenSSLSocket(socket).getAlpnSelectedProtocol();
}
Sets the KeyManagers to be used for connections made by this factory. /**
* Sets the {@link KeyManager}s to be used for connections made by this factory.
*/
public void setKeyManagers(KeyManager[] keyManagers) {
mKeyManagers = keyManagers;
// Clear out any existing cached factories since configurations have changed.
mSecureFactory = null;
mInsecureFactory = null;
}
Sets the private key to be used for TLS Channel ID by connections made by this
factory.
Params: - privateKey – private key (enables TLS Channel ID) or
null for no key (disables TLS Channel ID). The private key has to be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
@hide
/**
* Sets the private key to be used for TLS Channel ID by connections made by this
* factory.
*
* @param privateKey private key (enables TLS Channel ID) or {@code null} for no key (disables
* TLS Channel ID). The private key has to be an Elliptic Curve (EC) key based on the
* NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
*
* @hide
*/
public void setChannelIdPrivateKey(PrivateKey privateKey) {
mChannelIdPrivateKey = privateKey;
}
Enables session ticket
support on the given socket.
Params: - socket – a socket created by this factory
- useSessionTickets –
true to enable session ticket support on this socket.
Throws: - IllegalArgumentException – if the socket was not created by this factory.
/**
* Enables <a href="http://tools.ietf.org/html/rfc5077#section-3.2">session ticket</a>
* support on the given socket.
*
* @param socket a socket created by this factory
* @param useSessionTickets {@code true} to enable session ticket support on this socket.
* @throws IllegalArgumentException if the socket was not created by this factory.
*/
public void setUseSessionTickets(Socket socket, boolean useSessionTickets) {
castToOpenSSLSocket(socket).setUseSessionTickets(useSessionTickets);
}
Turns on Server
Name Indication (SNI) on a given socket.
Params: - socket – a socket created by this factory.
- hostName – the desired SNI hostname, null to disable.
Throws: - IllegalArgumentException – if the socket was not created by this factory.
/**
* Turns on <a href="http://tools.ietf.org/html/rfc6066#section-3">Server
* Name Indication (SNI)</a> on a given socket.
*
* @param socket a socket created by this factory.
* @param hostName the desired SNI hostname, null to disable.
* @throws IllegalArgumentException if the socket was not created by this factory.
*/
public void setHostname(Socket socket, String hostName) {
castToOpenSSLSocket(socket).setHostname(hostName);
}
Sets this socket's SO_SNDTIMEO write timeout in milliseconds.
Use 0 for no timeout.
To take effect, this option must be set before the blocking method was called.
Params: - socket – a socket created by this factory.
- timeout – the desired write timeout in milliseconds.
Throws: - IllegalArgumentException – if the socket was not created by this factory.
@hide
/**
* Sets this socket's SO_SNDTIMEO write timeout in milliseconds.
* Use 0 for no timeout.
* To take effect, this option must be set before the blocking method was called.
*
* @param socket a socket created by this factory.
* @param timeout the desired write timeout in milliseconds.
* @throws IllegalArgumentException if the socket was not created by this factory.
*
* @hide
*/
public void setSoWriteTimeout(Socket socket, int writeTimeoutMilliseconds)
throws SocketException {
castToOpenSSLSocket(socket).setSoWriteTimeout(writeTimeoutMilliseconds);
}
private static OpenSSLSocketImpl castToOpenSSLSocket(Socket socket) {
if (!(socket instanceof OpenSSLSocketImpl)) {
throw new IllegalArgumentException("Socket not created by this factory: "
+ socket);
}
return (OpenSSLSocketImpl) socket;
}
{@inheritDoc}
This method verifies the peer's certificate hostname after connecting (unless created with getInsecure(int, SSLSessionCache)).
/**
* {@inheritDoc}
*
* <p>This method verifies the peer's certificate hostname after connecting
* (unless created with {@link #getInsecure(int, SSLSessionCache)}).
*/
@Override
public Socket createSocket(Socket k, String host, int port, boolean close) throws IOException {
OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(k, host, port, close);
s.setNpnProtocols(mNpnProtocols);
s.setAlpnProtocols(mAlpnProtocols);
s.setHandshakeTimeout(mHandshakeTimeoutMillis);
s.setChannelIdPrivateKey(mChannelIdPrivateKey);
if (mSecure) {
verifyHostname(s, host);
}
return s;
}
Creates a new socket which is not connected to any remote host. You must use Socket.connect to connect the socket. Warning: Hostname verification is not performed
with this method. You MUST verify the server's identity after connecting
the socket to avoid man-in-the-middle attacks.
/**
* Creates a new socket which is not connected to any remote host.
* You must use {@link Socket#connect} to connect the socket.
*
* <p class="caution"><b>Warning:</b> Hostname verification is not performed
* with this method. You MUST verify the server's identity after connecting
* the socket to avoid man-in-the-middle attacks.</p>
*/
@Override
public Socket createSocket() throws IOException {
OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket();
s.setNpnProtocols(mNpnProtocols);
s.setAlpnProtocols(mAlpnProtocols);
s.setHandshakeTimeout(mHandshakeTimeoutMillis);
s.setChannelIdPrivateKey(mChannelIdPrivateKey);
return s;
}
{@inheritDoc}
Warning: Hostname verification is not performed
with this method. You MUST verify the server's identity after connecting
the socket to avoid man-in-the-middle attacks.
/**
* {@inheritDoc}
*
* <p class="caution"><b>Warning:</b> Hostname verification is not performed
* with this method. You MUST verify the server's identity after connecting
* the socket to avoid man-in-the-middle attacks.</p>
*/
@Override
public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort)
throws IOException {
OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(
addr, port, localAddr, localPort);
s.setNpnProtocols(mNpnProtocols);
s.setAlpnProtocols(mAlpnProtocols);
s.setHandshakeTimeout(mHandshakeTimeoutMillis);
s.setChannelIdPrivateKey(mChannelIdPrivateKey);
return s;
}
{@inheritDoc}
Warning: Hostname verification is not performed
with this method. You MUST verify the server's identity after connecting
the socket to avoid man-in-the-middle attacks.
/**
* {@inheritDoc}
*
* <p class="caution"><b>Warning:</b> Hostname verification is not performed
* with this method. You MUST verify the server's identity after connecting
* the socket to avoid man-in-the-middle attacks.</p>
*/
@Override
public Socket createSocket(InetAddress addr, int port) throws IOException {
OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(addr, port);
s.setNpnProtocols(mNpnProtocols);
s.setAlpnProtocols(mAlpnProtocols);
s.setHandshakeTimeout(mHandshakeTimeoutMillis);
s.setChannelIdPrivateKey(mChannelIdPrivateKey);
return s;
}
{@inheritDoc}
This method verifies the peer's certificate hostname after connecting (unless created with getInsecure(int, SSLSessionCache)).
/**
* {@inheritDoc}
*
* <p>This method verifies the peer's certificate hostname after connecting
* (unless created with {@link #getInsecure(int, SSLSessionCache)}).
*/
@Override
public Socket createSocket(String host, int port, InetAddress localAddr, int localPort)
throws IOException {
OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(
host, port, localAddr, localPort);
s.setNpnProtocols(mNpnProtocols);
s.setAlpnProtocols(mAlpnProtocols);
s.setHandshakeTimeout(mHandshakeTimeoutMillis);
s.setChannelIdPrivateKey(mChannelIdPrivateKey);
if (mSecure) {
verifyHostname(s, host);
}
return s;
}
{@inheritDoc}
This method verifies the peer's certificate hostname after connecting (unless created with getInsecure(int, SSLSessionCache)).
/**
* {@inheritDoc}
*
* <p>This method verifies the peer's certificate hostname after connecting
* (unless created with {@link #getInsecure(int, SSLSessionCache)}).
*/
@Override
public Socket createSocket(String host, int port) throws IOException {
OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(host, port);
s.setNpnProtocols(mNpnProtocols);
s.setAlpnProtocols(mAlpnProtocols);
s.setHandshakeTimeout(mHandshakeTimeoutMillis);
s.setChannelIdPrivateKey(mChannelIdPrivateKey);
if (mSecure) {
verifyHostname(s, host);
}
return s;
}
@Override
public String[] getDefaultCipherSuites() {
return getDelegate().getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return getDelegate().getSupportedCipherSuites();
}
}