Unable to verify hostname after handshake #452
Comments
Hello @biaxident, if I understand your example correctly, you just need an SSLSocket to verify the hostname. Gonna possibly add a getter for this in the new version. Greetings
Hello, @marci4. Thank you for such a fast reply! Looking forward to such a feature!
Hello @biaxident, could you please check if this is sufficient for your needs? Greetings
Example code for echo.websocket.org

```java
package com.example.marci4.websockettest;

import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.util.Log;
import org.java_websocket.WebSocketImpl;
import org.java_websocket.client.WebSocketClient;
import org.java_websocket.handshake.ServerHandshake;
import java.net.URI;
import java.net.URISyntaxException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        WebSocketClient client = null;
        try {
            client = new WebSocketClient(new URI("wss://echo.websocket.org")) {
                @Override
                public void onOpen(ServerHandshake handshakedata) {
                    Log.i("Client", "Open");
                }

                @Override
                public void onMessage(String message) {
                    Log.i("Client", "Message: " + message);
                }

                @Override
                public void onClose(int code, String reason, boolean remote) {
                    Log.i("Client", "Close: " + reason + " Code: " + code + " Remote: " + remote);
                }

                @Override
                public void onError(Exception ex) {
                    Log.e("Client", "Error: " + ex.getMessage());
                }
            };
        } catch (URISyntaxException e) {
            e.printStackTrace();
            // Without a client there is nothing to connect or verify
            return;
        }
        try {
            // Get SSLContext (default key managers, trust managers and RNG)
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, null, null);
            client.setSocket(sslContext.getSocketFactory().createSocket());
            // Connect to server
            client.connectBlocking();
            // Verify the hostname against the certificate of the established session
            HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
            SSLSocket socket = (SSLSocket) client.getSocket();
            SSLSession s = socket.getSession();
            if (!hv.verify("echo.websocket.org", s)) {
                Log.e("Client", "Expected echo.websocket.org, found " + s.getPeerPrincipal());
                throw new SSLHandshakeException("Expected echo.websocket.org, found " + s.getPeerPrincipal());
            } else {
                Log.i("Client", "Success");
            }
        } catch (SSLHandshakeException e) {
            // Hostname mismatch: drop the connection
            client.close();
        } catch (Exception e) {
            e.printStackTrace();
            // Any other failure leaves the peer unverified, so close as well
            client.close();
        }
    }
}
```
Example also added to the wiki. https://github.com/TooTallNate/Java-WebSocket/wiki/Verify-hostname-after-handshake
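For comparison with the post-handshake check in the comment above, an added example (not from this thread or from the Java-WebSocket project) that uses only the standard `javax.net.ssl` API to make the TLS handshake itself fail on a hostname mismatch, so no application data reaches an unverified peer. The class name `HostnameCheckedSocket`, the method `open` and the host `example.com` are placeholders; on Android, `setEndpointIdentificationAlgorithm` requires API level 24 or later.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; class and method names are hypothetical.
public final class HostnameCheckedSocket {

    private HostnameCheckedSocket() {}

    /**
     * Connects to host:port and completes the TLS handshake with endpoint
     * identification enabled. A certificate that does not match the host
     * makes startHandshake() throw an SSLHandshakeException.
     */
    public static SSLSocket open(String host, int port) throws IOException {
        SSLSocketFactory factory;
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, null, null); // default key managers, trust managers, RNG
            factory = ctx.getSocketFactory();
        } catch (GeneralSecurityException e) {
            throw new IOException("Cannot initialise TLS context", e);
        }
        // createSocket(host, port) opens the TCP connection; TLS has not started yet
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            SSLParameters params = socket.getSSLParameters();
            // "HTTPS" selects HTTPS-style hostname matching against the certificate
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // chain validation and hostname check happen here
            return socket;
        } catch (IOException e) {
            socket.close(); // never hand back a socket whose peer is unverified
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        try (SSLSocket socket = open(host, 443)) {
            System.out.println("Verified peer: " + socket.getSession().getPeerPrincipal());
        }
    }
}
```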
Hi! WebSocket lib is great, but it's impossible to verify the hostname after the handshake for a secure connection, to do the check as proposed here https://developer.android.com/training/articles/security-ssl.html#CommonHostnameProbs
As a result it's a lack in security and the library can't be used in production code.
How could this problem be solved?