3

I am looking at classes of the package java.nio.channels but only finding plain socket implementations. I can use the SSLEngine to encrypt and decrypt traffic, but that would be quite a bit of handling. Does anybody know of a proper implementation/extension of SocketChannel that handles crypto internally?

user207421
Arteri Xhafur

3 Answers

1

The most simple implementation that I've seen was alkarn SSL Engine Example. This is probably what you're looking for. This is an actual implementation of SSLEngine and only has 3 classes in total. You can just copy that and run.

I'll paste some of his doc page here for convenience:

Server:

NioSslServer server = new NioSslServer("TLSv1.2", "localhost", 9222);
server.start();

Client:

NioSslClient client = new NioSslClient("TLSv1.2", "localhost", 9222);
client.connect();

You may wonder why there isn't something like this just built in. Well, I'm not super familiar with this specific area, but I know that the following is in the JSSE Reference Guide:

Newcomers to the API may wonder "Why not just have an SSLSocketChannel which extends java.nio.channels.SocketChannel?" There are two main reasons:

  • There were a lot of very difficult questions about what a SSLSocketChannel should be, including its class hierarchy and how it should interoperate with Selectors and other types of SocketChannels. Each proposal brought up more questions than answers. It was noted that any new API abstraction extended to work with SSL/TLS would require the same significant analysis and could result in large and complex APIs.
  • Any JSSE implementation of a new API would be free to choose the "best" I/O & compute strategy, but hiding any of these details is inappropriate for those applications needing full control. Any specific implementation would be inappropriate for some application segment.

See: JSSE Reference Guide

I believe that the goal here is to allow the developer full control of the implementation so as to not make the package unusable.


Alternative to SSLEngine

You can also use Jetty or something like it:

There used to be something called "SslSelectChannelConnector" which might work depending on what you have available in your environment. However, "SslSelectChannelConnector" has since been deprecated (I think since version 9)?

The replacement is org.eclipse.jetty.server.SslConnectionFactory

You can see the full docs here: Jetty Docs 9.4.7.v20170914

Here is an example of SslConnectionFactory being used: Eclipse Github Example

You may find this "Embedded Jetty" method interesting as well: Embedded Jetty Example

njfife
  • Thanks @njfife, I am interested in an implementation of an SSLSocketChannel that would extend the SocketChannel indeed. Took a look at your suggestions but none has Selector functionality. Too bad Oracle does not have it (however complex, it seems it would be a huge benefit of having just that). – Arteri Xhafur Sep 27 '17 at 01:35
0

The fundamental problem is that you cannot internally implement SSLEngine on a NBIO socket without a Selector Thread because the SSLEngine may have to read/write data at times when your code is not reading or writing. The performance would be abysmal if implemented this way.

Johnny V
  • Agreed with your reasoning, so the implementation may need to use a Selector Thread. But that wouldn't be a show stopper though, right? Pinging @EJP since he may have that implementation. – Arteri Xhafur Oct 05 '17 at 00:04
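
The point made in the answer above, as an added example that is not part of the original thread or of any linked project: a client SSLEngine asks for network I/O before the application has written a single byte, so a selector's interest set has to be derived from the handshake status. `tlsInterestOps` and `name` are hypothetical helpers, and the host and port are the placeholder values used earlier on this page.

```java
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;

public class HandshakeInterestDemo {

    // Hypothetical helper: selector ops the TLS layer needs right now,
    // independent of what the application itself wants to read or write.
    static int tlsInterestOps(SSLEngine engine, ByteBuffer netOut) {
        int ops = netOut.hasRemaining() ? SelectionKey.OP_WRITE : 0; // queued ciphertext
        if (engine.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
            Runnable task;                               // CPU work, no I/O: run it inline
            while ((task = engine.getDelegatedTask()) != null) task.run();
        }
        HandshakeStatus hs = engine.getHandshakeStatus();
        if (hs == HandshakeStatus.NEED_WRAP) ops |= SelectionKey.OP_WRITE;
        if (hs == HandshakeStatus.NEED_UNWRAP) ops |= SelectionKey.OP_READ;
        return ops;
    }

    static String name(int ops) {
        return ((ops & SelectionKey.OP_READ) != 0 ? "READ " : "")
             + ((ops & SelectionKey.OP_WRITE) != 0 ? "WRITE" : "");
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("localhost", 9222);
        engine.setUseClientMode(true);
        ByteBuffer appOut = ByteBuffer.allocate(0);      // the application has sent nothing
        ByteBuffer netOut = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        netOut.flip();                                   // empty, in drain mode
        engine.beginHandshake();
        System.out.println("before wrap:  " + name(tlsInterestOps(engine, netOut)));

        netOut.compact();                                // switch to fill mode
        SSLEngineResult r = engine.wrap(appOut, netOut); // engine emits its ClientHello
        netOut.flip();
        System.out.println("wrap produced " + r.bytesProduced() + " bytes, consumed "
                + r.bytesConsumed() + " application bytes");
        System.out.println("after wrap:   " + name(tlsInterestOps(engine, netOut)));

        netOut.position(netOut.limit());                 // stand-in for channel.write(netOut)
        System.out.println("after flush:  " + name(tlsInterestOps(engine, netOut)));
    }
}
```

In a selector loop, the returned ops would be OR-ed with the application's own interest before being passed to `key.interestOps(...)`.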
-1

A very good example of SSLEngine can be found at the git repo below: https://github.com/jesperdj/sslclient/blob/master/src/main/java/com/jesperdj/sslclient/SSLSocketChannel.java

Dharman
Ashok Kumar
  • Why is this answer downvoted? For me, this link indeed helped me to implement the read operation for SSLEngine. – Ashok Kumar Aug 14 '20 at 15:10