1

I'm writing an Android client for a system that requires me to open an SSLSocket to a proxy server, do a tunnel handshake and then create ANOTHER SSLSocket over the tunnel. Here is my code to create the tunnel:

    // Outer TLS session to the proxy.
    SSLSocketFactory sslsocketfactory = securityService.getSslContextNoCerts().getSocketFactory();
    SSLSocket sslSocket = (SSLSocket) sslsocketfactory.createSocket(proxyAddress.getAddress(),
            proxyAddress.getPort());
    sslSocket.setEnabledProtocols(new String[] { SecurityService.TLS10 });
    sslSocket.setEnabledCipherSuites(SecurityService.CIPHERS);
    sslSocket.startHandshake(); // explicit handshake so failures surface here

Then I do tunnel handshake and then:

    // Inner TLS session layered over the tunnel; autoClose=false leaves the tunnel
    // socket open when hostSocket is closed.
    SSLSocketFactory sslsocketfactory = securityService.getSslContext().getSocketFactory();
    hostSocket = (SSLSocket) sslsocketfactory.createSocket(tunnel,
            InetAddress.getByAddress(remoteAddress.getIpAddress()).getHostAddress(),
            remoteAddress.getPort(), false);
    hostSocket.setUseClientMode(false); // this end acts as the TLS server on the inner session
    hostSocket.setNeedClientAuth(true); // and requires the peer to present a client certificate
    securityService.setEnabledProtocols(hostSocket);
    hostSocket.setEnabledCipherSuites(SecurityService.DATASESSION_CIPHERS);
    hostSocket.startHandshake();

At this point I get an SSLProtocolException with this message:

error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (external/openssl/ssl/s23_srvr.c:589 0xad12b3f0:0x00000000)

Anybody know how I can achieve this? I know your first question would be why layer SSL over SSL, but I'm writing a client for an EXISTING system that requires it.

Any help would be much appreciated. Zhubin

Kounavi
Zhubin Salehi

2 Answers

0

Ok I finally fixed this problem. For some reason when I use org.apache.harmony.xnet.provider.jsse.OpenSSLProvider (Android default SSL provider), SSL over SSL does not work. So I switched to org.apache.harmony.xnet.provider.jsse.JSSEProvider and now everything works fine.

Zhubin Salehi
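For readers who want to see the pattern from the question working end to end, here is an added example (not code from the question or either answer) that layers a second TLS session over an already-handshaken SSLSocket with the roles reversed, exactly as the asker's RFB client does: the side that connects the outer session becomes the TLS server on the inner session and requires a client certificate. Everything runs in one JVM over loopback. The class name NestedTlsDemo, the helper names context, layer and chat, and the keystore file nested.p12 with password changeit are assumptions made here; the keystore is expected to hold one self-signed key pair (a keytool command that creates it is in the comments). Unlike a context that skips certificate checks, both hops validate the peer against that keystore, and the platform's default TLS versions are used rather than pinning TLS 1.0, which is deprecated (RFC 8996).

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;

public class NestedTlsDemo {
    // Assumption: a PKCS12 keystore holding one self-signed key pair, e.g. created with
    //   keytool -genkeypair -alias nested -keyalg RSA -dname CN=localhost \
    //           -keystore nested.p12 -storetype PKCS12 -storepass changeit
    static final String KEYSTORE = "nested.p12";
    static final char[] PASSWORD = "changeit".toCharArray();

    // One SSLContext serves both roles: the key pair is presented by whichever side is the
    // TLS server (and by the client under mutual auth), and the same self-signed certificate
    // is the only one trusted. Nothing here disables certificate checking.
    static SSLContext context() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Layer a second TLS session over an already-handshaken socket. autoClose=false keeps the
    // outer socket open when the inner one is closed; serverMode=true reverses the roles the
    // way the question's client does (it listens on the inner session, the peer connects).
    static SSLSocket layer(SSLContext ctx, Socket tunnel, boolean serverMode) throws IOException {
        SSLSocket inner = (SSLSocket) ctx.getSocketFactory()
                .createSocket(tunnel, "localhost", tunnel.getPort(), false);
        inner.setUseClientMode(!serverMode);
        if (serverMode) {
            inner.setNeedClientAuth(true); // the inner server demands a client certificate
        }
        inner.startHandshake(); // explicit handshake so a failure surfaces here, not on first read
        return inner;
    }

    // Send one line and read one line over the inner session; returns what the peer sent.
    static String chat(SSLSocket s, String send) throws IOException {
        PrintWriter w = new PrintWriter(s.getOutputStream(), true);
        BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream()));
        w.println(send);
        return r.readLine();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context();
        SSLServerSocket listener = (SSLServerSocket) ctx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        int port = listener.getLocalPort();

        // Accepting side: TLS server for the outer session, TLS client for the inner one.
        Thread accepting = new Thread(() -> {
            try (SSLSocket outer = (SSLSocket) listener.accept()) {
                outer.startHandshake();
                try (SSLSocket inner = layer(ctx, outer, false)) {
                    System.out.println("accepting side got: " + chat(inner, "hello from accepting side"));
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        accepting.start();

        // Connecting side: TLS client for the outer session, TLS server for the inner one.
        try (SSLSocket outer = (SSLSocket) ctx.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), port)) {
            outer.startHandshake();
            try (SSLSocket inner = layer(ctx, outer, true)) {
                System.out.println("connecting side got: " + chat(inner, "hello from connecting side"));
                System.out.println("inner session: " + inner.getSession().getProtocol()
                        + " " + inner.getSession().getCipherSuite());
            }
        }
        accepting.join();
        listener.close();
    }
}
```

Run it with the keystore in the working directory (javac NestedTlsDemo.java && java NestedTlsDemo). The point to take from it is that createSocket(Socket, host, port, autoClose) accepts any connected Socket, an SSLSocket included, so the inner handshake is ordinary TLS carried as application data of the outer session; if the inner handshake fails, the place to look is which bytes actually arrive through the tunnel, not the layering itself.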
-1

Your code looks correct. As it doesn't work, I suggest you have misunderstood the requirement, or it has been misrepresented to you. I suggest you only need to keep using the original SSLSocket. Try it. I find it vanishingly unlikely that any real system works in the way you have described. Not only would its performance be abysmal; the server would have to have the same kind of double-SSL coding that you have here: and how would it know when to do that and when not? Once the tunnel is created the proxy just copies bytes. I bet that just continuing to use the original SSL connection will work.

user207421
  • Still no luck. I've tried almost anything and still getting the same error. I spoke to one of the developers who works on the C++ client and he confirmed that the protocol is SSL over SSL and a separate handshake for each of them. The proxy server is also developed in-house. – Zhubin Salehi Nov 21 '12 at 16:23
  • @ZhubinSalehi Why are you setting useClientMode=false and needClientCert=true? Is the peer really going to behave as an SSL client? Try it without those two lines. – user207421 Nov 21 '12 at 22:59
  • I tried without those lines even though I need them and still no luck. This is a client in an RFB protocol. When direct connection is possible, the client listens on an SSLServerSocket and the server connects to it. When direct connection is not possible, both client and server connect to a proxy server and after the tunnel handshake they connect the same way as in direct connection. – Zhubin Salehi Nov 22 '12 at 16:18