
This is essentially the same as my other question about DH parameters (which didn't get any answers), but I'm interested in getting information about the TLS server key exchange message(s) that are sent during the TLS handshake.

Are these messages -- or the information that comes from them, like the negotiated ephemeral keys -- available at all through the Java API? I'm using Java SSLSocketFactory to obtain an SSLSocket and then connecting using that; there are no other APIs layered on top of it (like Apache http-client) that I have to break through in order to get down to this level.

I'm just not sure if Java exposes this information at all. I tried using a HandshakeCompletedListener but that doesn't seem to provide me with any of the information I seek.

Does anyone know if/how this can be done?

Christopher Schultz
  • The messages are not available through the Java API, but the resulting cipher suite is available via the SSLSession. – user207421 Sep 17 '16 at 00:12
  • @EJP I'm not having trouble finding the cipher suite -- that's easy. I'm having trouble getting the details of the *key exchange*. For example, when using DHE key exchange, I'd like to get my hands on the ephemeral key being used for the connection. That is not a part of the cipher suite definition. – Christopher Schultz Sep 18 '16 at 11:16
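As an added illustration (not code from the question or from either commenter) of what the public JSSE API does and does not expose: the `HandshakeCompletedListener` named in the question receives an `SSLSession`, from which the negotiated protocol, cipher suite and peer certificate chain can be read, but not the ServerKeyExchange message or the ephemeral (EC)DH values. The most a program can do at this level is check the suite name for an ephemeral key-exchange family. The host name is a placeholder, and the prefix list of forward-secret key-exchange families is this example's own assumption.

```java
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.cert.Certificate;

public class HandshakeInspector {

    // Assumed list of cipher-suite name prefixes whose key exchange is ephemeral
    // (forward-secret). TLS 1.3 suites do not carry the exchange in the name,
    // so the protocol version is checked separately.
    private static final String[] FORWARD_SECRET_PREFIXES = { "TLS_ECDHE_", "TLS_DHE_" };

    /** True if the negotiated suite/protocol implies an ephemeral (EC)DH key exchange. */
    static boolean isForwardSecret(String cipherSuite, String protocol) {
        if ("TLSv1.3".equals(protocol)) {
            return true; // TLS 1.3 only defines (EC)DHE key exchange
        }
        for (String prefix : FORWARD_SECRET_PREFIXES) {
            if (cipherSuite.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Print everything SSLSession exposes about the completed handshake. */
    static void describe(HandshakeCompletedEvent event) {
        SSLSession session = event.getSession();
        String suite = session.getCipherSuite();
        String proto = session.getProtocol();
        System.out.println("Protocol:      " + proto);
        System.out.println("Cipher suite:  " + suite);
        System.out.println("Forward-secret key exchange: " + isForwardSecret(suite, proto));
        try {
            Certificate[] chain = session.getPeerCertificates();
            System.out.println("Peer chain length: " + chain.length);
        } catch (SSLPeerUnverifiedException e) {
            System.out.println("Peer not verified: " + e.getMessage());
        }
        // The ServerKeyExchange message and the ephemeral (EC)DH public values are
        // consumed inside the provider; SSLSession offers no accessor for them.
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        int port = 443;
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // HandshakeCompletedListener has a single method, so a lambda is accepted.
            socket.addHandshakeCompletedListener(HandshakeInspector::describe);
            socket.startHandshake(); // the listener fires once the handshake completes
        }
    }
}
```

Run it with `java HandshakeInspector <host>`; the listener is invoked on the thread that called `startHandshake()`, so the output appears before the socket is closed. Checking the suite name is a reasonable policy check (reject non-ephemeral suites), but it still tells you nothing about the size or group of the ephemeral parameters, which is exactly the gap the question is about.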

1 Answer

The messages are not available through the API; however, you can use libpcap to capture packets, then parse the handshake data that comes through it and store it in your program.

Following the reference from here, http://download.java.net/jdk7/archive/b123/docs/api/javax/net/ssl/SSLSocket.html, I do not think it is possible to print the DH parameters from the API.

  • Resorting to using `libpcap` isn't really an option, but thanks for the creative suggestion. :) – Christopher Schultz Sep 18 '16 at 11:27
  • Did you try checking the Java debug options http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html –  Sep 18 '16 at 18:57
  • Yeah, I've read that, but it just dumps info to `stderr`. Reading `stderr` is a bad technique, too. I might just have to let this one go. :( – Christopher Schultz Sep 19 '16 at 20:13