2

I have an application which I need to use ServerSocketChannel and SocketChannel within, but SSLContext gives me ServerSocketFactory which gives ServerSocket and accepts connections in Sockets.

Any solutions? Thanks

Alireza Mohamadi

2 Answers

2

The standard way of doing that is using SSLEngine. But that class is seriously hard to use. There are some tutorials around, but for a typical application, using SSLEngine should be out of the question.

I came across the same problem some time ago and ended up writing my own library. There are some examples out there and of course there is also the code inside projects like Netty, etc. But neither option is robust or easily reusable.

TLS Channel wraps an SSLEngine in a ByteBuffer and allows it to be used just like normal SocketChannels.

Mariano Barrios
1

The 'basic' JSSE .getSocketFactory and .getServerSocketFactory indirectly create client-side SSLSocket, or SSLServerSocket which in turn creates server-side SSLSocket, which in either case subclasses Socket (with some added methods) and manages both the SSL/TLS protocol and the network I/O in a simple waited style that is simplest for (most) applications.

To use channels, you must instead create an SSLEngine which handles only the SSL/TLS protocol and not the network (or other!) I/O. You then read and write the SocketChannel yourself, sending data the SSLEngine has 'wrapped' and giving it received data to 'unwrap'.

For an overview, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLEngine which has partial example code -- for a client; you need to modify this by changing setUseClientMode to false and not using the peer-identity hint. (SSL/TLS client must (cache and) select saved session(s) by server identity, but server just uses the sessionid it previously assigned and the client remembered.)

Then see the javadoc (with unusually detailed introduction) for the SSLEngine class at https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLEngine.html or in your favorite JDK/IDE.

Or Java SSLEngine example has some links from people who have done examples, but I haven't looked at them myself.

dave_thompson_085
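The wrap/unwrap exchange the answers describe, as an added example that is not part of either answer or of the Oracle guide: a server-side handshake loop driving an SSLEngine over a SocketChannel. The class and method names are hypothetical, and it assumes a blocking channel already returned by ServerSocketChannel.accept() and an engine created from an SSLContext that was initialised with the server's key material.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;

public class EngineServerHandshake {   // hypothetical name, illustration only
    // Server-side handshake over a blocking channel. Returns the inbound ciphertext
    // buffer (write mode): it may already hold application data, so keep unwrapping from it.
    static ByteBuffer handshake(SocketChannel ch, SSLEngine engine) throws IOException {
        SSLSession s = engine.getSession();
        ByteBuffer netIn = ByteBuffer.allocate(s.getPacketBufferSize());
        ByteBuffer netOut = ByteBuffer.allocate(s.getPacketBufferSize());
        ByteBuffer appIn = ByteBuffer.allocate(s.getApplicationBufferSize());
        ByteBuffer empty = ByteBuffer.allocate(0);
        engine.setUseClientMode(false);   // server role, must be set before handshaking
        engine.beginHandshake();
        HandshakeStatus hs = engine.getHandshakeStatus();
        while (hs != HandshakeStatus.FINISHED && hs != HandshakeStatus.NOT_HANDSHAKING) {
            SSLEngineResult r = null;
            switch (hs) {
                case NEED_WRAP:            // engine has handshake bytes for the peer
                    netOut.clear();
                    r = engine.wrap(empty, netOut);
                    netOut.flip();
                    while (netOut.hasRemaining()) ch.write(netOut);
                    break;
                case NEED_UNWRAP:          // engine needs handshake bytes from the peer
                    netIn.flip();
                    r = engine.unwrap(netIn, appIn);
                    netIn.compact();       // keep any partial record for the next pass
                    if (r.getStatus() == Status.BUFFER_UNDERFLOW && ch.read(netIn) < 0)
                        throw new IOException("peer closed during handshake");
                    break;
                case NEED_TASK:            // run the work (e.g. key operations) the engine delegated
                    for (Runnable t; (t = engine.getDelegatedTask()) != null; ) t.run();
                    break;
                default:
                    throw new IllegalStateException("unexpected status " + hs);
            }
            if (r != null && r.getStatus() == Status.CLOSED)
                throw new IOException("TLS engine closed during handshake");
            hs = (r != null) ? r.getHandshakeStatus() : engine.getHandshakeStatus();
        }
        return netIn;
    }
}
```

With a non-blocking channel the same state machine applies, but a read that returns 0 has to hand control back to the selector instead of looping.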