
I was working with version 8.0 of WebSphere Application Server. I was trying to get an SSLSocketFactory from JSSEHelper. Although

  1. I have successfully got the SSLSocketFactory,
  2. I have successfully got the SSLSocket from the SSLSocketFactory,
  3. I have successfully established the secure connection,

but the cipher suites provided in the ClientHello message corresponded neither to

  1. CellDefault SSL Settings/NodeDefault SSL Settings/NodeDefault,
  2. nor to my own custom SSL configuration.


The solution to this problem was to avoid retrieving the SSLSocketFactory from JSSEHelper. Instead of using JSSEHelper, I should use the static method getDefault() of the SSLSocketFactory class in this way:

import java.io.IOException;
import java.util.Properties;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public SSLSocket getSslSocket(Properties sslProps) {

    // getDefault() is declared to return javax.net.SocketFactory, so the cast is required;
    // on WebSphere it returns the WAS custom SSLSocketFactory
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

    SSLSocket socket = null;
    try {
        // unconnected socket; the caller connects it later
        socket = (SSLSocket) factory.createSocket();
    } catch (IOException e) {
        e.printStackTrace();
    }
    return socket;

}

More details can be found here:
Could anybody please clarify why this statement:

sslSocketFactory = jsseHelper.getSSLSocketFactory(sslMap, sslProps)

returns an incorrect 'SSL socket factory' while this statement

SSLSocketFactory.getDefault()

returns the correct one?
Moreover, in which cases should I use the factory retrieved from each of these statements, respectively?

  1. SSLSocketFactory.getDefault();
  2. jsseHelper.getSSLSocketFactory(sslMap, sslProps)
  3. getSSLSocketFactory(java.lang.String sslAliasName, java.util.Map connectionInfo, SSLConfigChangeListener listener)

Thank you very much

Michael K
  • Ciphers are set on the SSL socket. If you are using the WAS custom socket factory, the ciphers will be set directly on the SSL socket. In the case where you are calling SSLSocketFactory.getDefault() on WebSphere, you will get a WebSphere custom SSLSocketFactory, and WAS will handle setting the ciphers on the SSL socket that is returned. When you get an SSLSocketFactory from the JSSE, you are getting the JSSE SSLSocketFactory created based on the SSL configuration information like, e.g., keystore and truststore, but we can't set the ciphers on the socket factory. – Alaine Dec 29 '17 at 20:00
  • Use JSSEHelper.getSSLSocketFactory(connectionInfo, properties) if you want an SSLSocketFactory built based on particular properties or a dynamic outbound connection match to the connectionInfo. Use JSSEHelper.getSSLSocketFactory(alias, connectionInfo, listener) to get a socket factory for a particular SSL configuration, based on connection info or one associated with a listener. It will return a JSSE socket factory that is not setting the ciphers on the factory. – Alaine Dec 29 '17 at 20:14
  • Thank you very much indeed. This was very helpful! – Michael K Jan 02 '18 at 09:51

1 Answer

Although it is not intuitive, the statement:

SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

returns the WebSphere custom SSLSocketFactory.

Then you can enforce an SSL configuration on the thread in this way:

    Properties sslProperties = getProperties();
    // scope the SSL configuration to the current thread before creating the socket
    jsseHelper.setSSLPropertiesOnThread(sslProperties);
    SSLSocket socket = getSslSocket();
    CommonIO.writeToSocket(socket, "127.0.0.1", 1234);
    // clear the thread-scoped configuration once the socket has been used
    jsseHelper.setSSLPropertiesOnThread(null);

Although JSSEHelper.getSSLSocketFactory(sslMap, sslConfig_XYZ) also returns a factory, its sockets ignore the cipher suites encapsulated in the SSL configuration sslConfig_XYZ.

On the other hand, if you want to enforce only

  1. protocol
  2. keystore
  3. truststore

this method:

JSSEHelper.getSSLSocketFactory(sslMap, sslConfig_XYZ)

is sufficient.
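An added example (not the question's or the answer's own code) that applies the thread-scoped approach from the answer and, before any data is written, verifies that the socket's enabled cipher suites actually match the configured ones; this is the check that would have caught the ClientHello mismatch described in the question. Assumed: `JSSEHelper.getInstance()`, and that the cipher suite list lives under the property key `com.ibm.ssl.enabledCipherSuites` as a space-separated string (the values are constructed for this example).

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import com.ibm.websphere.ssl.JSSEHelper;

public class VerifiedSslSocket {

    // Assumption: WebSphere property key holding the space-separated cipher suite list.
    static final String KEY_CIPHERS = "com.ibm.ssl.enabledCipherSuites";

    /** Opens an SSL socket under the given thread-scoped SSL properties and fails closed
     *  if the socket does not carry the configured cipher suites. */
    public static SSLSocket openVerified(Properties sslProps, String host, int port)
            throws IOException {
        JSSEHelper jsseHelper = JSSEHelper.getInstance();
        jsseHelper.setSSLPropertiesOnThread(sslProps);
        try {
            // getDefault() yields the WebSphere factory, which honours the thread properties
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket socket = (SSLSocket) factory.createSocket();

            Set<String> expected = new HashSet<>(Arrays.asList(
                    sslProps.getProperty(KEY_CIPHERS, "").trim().split("\\s+")));
            Set<String> enabled = new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites()));
            if (!enabled.equals(expected)) {
                // The failure mode from the question: the ClientHello would offer suites
                // that do not belong to the SSL configuration. Do not connect.
                socket.close();
                throw new SSLException("enabled cipher suites " + enabled
                        + " do not match configured " + expected);
            }
            socket.connect(new InetSocketAddress(host, port));
            socket.startHandshake();
            return socket;
        } finally {
            // always clear the thread-scoped properties, even when the check fails
            jsseHelper.setSSLPropertiesOnThread(null);
        }
    }
}
```

The same comparison can be made against `socket.getEnabledProtocols()` when the configuration also pins the protocol.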

Michael K