public class

SSLSocketFactory

extends Object
implements LayeredSocketFactory
java.lang.Object
   ↳ org.apache.http.conn.ssl.SSLSocketFactory

Class Overview

Layered socket factory for TLS/SSL connections, based on JSSE. .

SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of trusted certificates and to authenticate to the HTTPS server using a private key.

SSLSocketFactory will enable server authentication when supplied with a truststore file containg one or several trusted certificates. The client secure socket will reject the connection during the SSL session handshake if the target HTTPS server attempts to authenticate itself with a non-trusted certificate.

Use JDK keytool utility to import a trusted certificate and generate a truststore file:

     keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
    

SSLSocketFactory will enable client authentication when supplied with a keystore file containg a private key/public certificate pair. The client secure socket will use the private key to authenticate itself to the target HTTPS server during the SSL session handshake if requested to do so by the server. The target HTTPS server will in its turn verify the certificate presented by the client in order to establish client's authenticity

Use the following sequence of actions to generate a keystore file

  • Use JDK keytool utility to generate a new key

    keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
    For simplicity use the same password for the key as that of the keystore

  • Issue a certificate signing request (CSR)

    keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore

  • Send the certificate request to the trusted Certificate Authority for signature. One may choose to act as her own CA and sign the certificate request using a PKI tool, such as OpenSSL.

  • Import the trusted CA root certificate

    keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore

  • Import the PKCS#7 file containg the complete certificate chain

    keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore

  • Verify the content the resultant keystore file

    keytool -list -v -keystore my.keystore

Summary

Constants
String SSL
String SSLV2
String TLS
Fields
public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER
public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER
Public Constructors
SSLSocketFactory(String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver)
SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore)
SSLSocketFactory(KeyStore keystore, String keystorePassword)
SSLSocketFactory(KeyStore truststore)
Public Methods
Socket connectSocket(Socket sock, String host, int port, InetAddress localAddress, int localPort, HttpParams params)
Connects a socket to the given host.
Socket createSocket(Socket socket, String host, int port, boolean autoClose)
Returns a socket connected to the given host that is layered over an existing socket.
Socket createSocket()
Creates a new, unconnected socket.
X509HostnameVerifier getHostnameVerifier()
static SSLSocketFactory getSocketFactory()
Gets an singleton instance of the SSLProtocolSocketFactory.
boolean isSecure(Socket sock)
Checks whether a socket connection is secure.
void setHostnameVerifier(X509HostnameVerifier hostnameVerifier)
[Expand]
Inherited Methods
From class java.lang.Object
From interface org.apache.http.conn.scheme.LayeredSocketFactory
From interface org.apache.http.conn.scheme.SocketFactory

Constants

public static final String SSL

Since: API Level 1

Constant Value: "SSL"

public static final String SSLV2

Since: API Level 1

Constant Value: "SSLv2"

public static final String TLS

Since: API Level 1

Constant Value: "TLS"

Fields

public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER

Since: API Level 1

public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER

Since: API Level 1

public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER

Since: API Level 1

Public Constructors

public SSLSocketFactory (String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver)

Since: API Level 1

public SSLSocketFactory (KeyStore keystore, String keystorePassword, KeyStore truststore)

Since: API Level 1

Public Methods

public Socket connectSocket (Socket sock, String host, int port, InetAddress localAddress, int localPort, HttpParams params)

Since: API Level 1

Connects a socket to the given host.

Parameters
sock the socket to connect, as obtained from createSocket. null indicates that a new socket should be created and connected.
host the host to connect to
port the port to connect to on the host
localAddress the local address to bind the socket to, or null for any
localPort the port on the local machine, 0 or a negative number for any
params additional parameters for connecting
Returns
  • the connected socket. The returned object may be different from the sock argument if this factory supports a layered protocol.
Throws
IOException

public Socket createSocket (Socket socket, String host, int port, boolean autoClose)

Since: API Level 1

Returns a socket connected to the given host that is layered over an existing socket. Used primarily for creating secure sockets through proxies.

Parameters
socket the existing socket
host the host name/IP
port the port on the host
autoClose a flag for closing the underling socket when the created socket is closed
Returns
  • Socket a new socket

public Socket createSocket ()

Since: API Level 1

Creates a new, unconnected socket. The socket should subsequently be passed to connectSocket.

Returns
  • a new socket
Throws
IOException

public X509HostnameVerifier getHostnameVerifier ()

Since: API Level 1

public static SSLSocketFactory getSocketFactory ()

Since: API Level 1

Gets an singleton instance of the SSLProtocolSocketFactory.

Returns
  • a SSLProtocolSocketFactory

public boolean isSecure (Socket sock)

Since: API Level 1

Checks whether a socket connection is secure. This factory creates TLS/SSL socket connections which, by default, are considered secure.
Derived classes may override this method to perform runtime checks, for example based on the cypher suite.

Parameters
sock the connected socket
Returns
  • true
Throws
IllegalArgumentException if the argument is invalid

public void setHostnameVerifier (X509HostnameVerifier hostnameVerifier)

Since: API Level 1