`accept()` does not initiate a handshake; it merely returns the accepted socket. The handshake is initiated when you start performing I/O on the accepted socket. This is documented behavior:
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSocket.html
The initial handshake on this connection can be initiated in one of three ways:
- calling `startHandshake` which explicitly begins handshakes, or
- any attempt to read or write application data on this socket causes an implicit handshake, or
- a call to `getSession` tries to set up a session if there is no currently valid session, and an implicit handshake is done.
If handshaking fails for any reason, the SSLSocket is closed, and no further communications can be done.
...
When SSLSockets are first created, no handshaking is done so that applications may first set their communication preferences: what cipher suites to use, whether the socket should be in client or server mode, etc. However, security is always provided by the time that application data is sent over the connection.
As for handshake renegotiation, this is also documented:
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSocket.html#startHandshake()
If data has already been sent on the connection, it continues to flow during this handshake. When the handshake completes, this will be signaled with an event. This method is synchronous for the initial handshake on a connection and returns when the negotiated handshake is complete. Some protocols may not support multiple handshakes on an existing socket and may throw an IOException.
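The behavior described above, as an added example that is not part of the original answer: a server that sets its preferences after `accept()` and then calls `startHandshake()` explicitly on a worker thread with a read timeout, so a client that connects but never sends a ClientHello cannot stall the accept loop. The class name, port 8443, the 10-second timeout, the TLSv1.2 restriction and the key store supplied through the `javax.net.ssl.keyStore` system properties are assumptions.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ExplicitHandshakeServer {
    public static void main(String[] args) throws IOException {
        // Assumption: key material is supplied with
        // -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=...
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        ExecutorService workers = Executors.newFixedThreadPool(8);

        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            while (true) {
                // Returns once the TCP connection is accepted; no TLS handshake has run yet.
                SSLSocket socket = (SSLSocket) server.accept();
                workers.execute(() -> handle(socket));
            }
        }
    }

    static void handle(SSLSocket socket) {
        try (SSLSocket s = socket) {
            // Preferences can still be changed here because no handshake has started.
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            s.setSoTimeout(10_000); // bounds blocking reads, including those made by the handshake
            s.addHandshakeCompletedListener(e ->
                    System.out.println("handshake completed: " + e.getCipherSuite()));

            // Explicit handshake: synchronous for the initial handshake on the connection.
            s.startHandshake();

            SSLSession session = s.getSession();
            System.out.println(session.getProtocol() + " session with "
                    + s.getRemoteSocketAddress());

            // Application I/O starts only after the handshake has succeeded.
            byte[] buf = new byte[1024];
            int n = s.getInputStream().read(buf);
            System.out.println("read " + n + " bytes of application data");
        } catch (SSLException e) {
            // Handshake or record-layer failure; the socket is closed at this point.
            System.err.println("TLS failure: " + e.getMessage());
        } catch (IOException e) {
            // Read timeout or other connection error.
            System.err.println("I/O failure: " + e.getMessage());
        }
    }
}
```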