
I developed a Chat Server and client using Sockets and everything has been fine until I read somewhere online that ordinary Socket communication is vulnerable to attacks. After googling a while, I came across this page that showed a sample SSLServerSocket and SSLSocket implementation (code below).

I would like to know if the communication between my server and client is secure if I follow the steps in the code below.


Server Code

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

class EchoServer {
  public static void main(String[] args) throws IOException {
    SSLServerSocket sslServerSocket = null;
    try {
      // The default factory loads the server's certificate and private key from the
      // keystore named by the javax.net.ssl.keyStore system property.
      SSLServerSocketFactory sslServerSocketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
      sslServerSocket = (SSLServerSocket) sslServerSocketFactory.createServerSocket(9999);
      // Accept a single client; the TLS handshake runs lazily on the first read or write.
      SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
      PrintWriter out = new PrintWriter(sslSocket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(new InputStreamReader(sslSocket.getInputStream()));
      String inputLine;
      // Echo each line back to the client until the client closes the connection.
      while ((inputLine = in.readLine()) != null) {
        System.out.println(inputLine);
        out.println(inputLine);
      }
    } finally {
      if (sslServerSocket != null) {
        try {
          sslServerSocket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}


Client Code

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

class EchoClient {
  public static void main(String[] args) throws IOException {
    SSLSocket sslSocket = null;
    try {
      // The default factory validates the server certificate against the JVM's
      // trust store (cacerts, or the one named by javax.net.ssl.trustStore).
      SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      sslSocket = (SSLSocket) sslSocketFactory.createSocket("localhost", 9999);
      PrintWriter out = new PrintWriter(sslSocket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(new InputStreamReader(sslSocket.getInputStream()));
      BufferedReader stdIn = new BufferedReader(new InputStreamReader(System.in));
      String userInput;
      // Send each line typed on stdin and print the server's echo of it.
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      }
    } finally {
      if (sslSocket != null) {
        try {
          sslSocket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}
  • This question appears to be off-topic because it is about a code review. – aliteralmind Jul 12 '14 at 02:13
  • @AbidingCitizen - Following aliteralmind, you might try here: [Code Review Stack Exchange](http://codereview.stackexchange.com/). – jww Jul 12 '14 at 02:50
  • I disagree. The OP is asking about properties of the existing code, not whether it can be coded better. – user207421 Jul 12 '14 at 03:06

1 Answer

You should get the peer certificate via a HandshakeCompletedListener or the SSLSession to verify that you're talking to the host you think you're talking to. Other than that, your code is OK from the security point of view.

However, you should also be aware that you shouldn't use PrintWriter over a network, as it swallows exceptions.

user207421
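As an added example that is not part of the original question or answer: a client that follows the advice above by switching on Java's built-in host-name verification through SSLParameters and then inspecting the peer certificate from the SSLSession after an explicit handshake. The host name chat.example.com and port 9999 are placeholders, and the server is assumed to present a certificate the client's trust store already accepts.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

class VerifiedEchoClient {
  // Placeholder server name; the server certificate must carry it as a subject alternative name.
  static final String SERVER_HOST = "chat.example.com";
  static final int SERVER_PORT = 9999;

  static SSLSocket connect() throws IOException {
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    // createSocket(host, port) records the host name so it can be matched against the certificate.
    SSLSocket socket = (SSLSocket) factory.createSocket(SERVER_HOST, SERVER_PORT);

    // Enable the built-in host-name check: the handshake now fails if the certificate
    // chains to a trusted CA but was issued for a different name.
    SSLParameters params = socket.getSSLParameters();
    params.setEndpointIdentificationAlgorithm("HTTPS");
    socket.setSSLParameters(params);

    // Run the handshake now instead of on the first write, so failures surface here.
    socket.startHandshake();

    // Inspect the session the handshake produced and record who we are talking to.
    SSLSession session = socket.getSession();
    try {
      X509Certificate peer = (X509Certificate) session.getPeerCertificates()[0];
      System.out.println("Peer: " + peer.getSubjectX500Principal()
          + " issued by " + peer.getIssuerX500Principal());
    } catch (SSLPeerUnverifiedException e) {
      socket.close();
      throw new IOException("Server did not present a verifiable certificate", e);
    }
    return socket;
  }

  public static void main(String[] args) throws IOException {
    try (SSLSocket s = connect()) {
      System.out.println("Negotiated " + s.getSession().getProtocol()
          + " with " + s.getSession().getCipherSuite());
    }
  }
}
```

The server in the question only completes a handshake if its JVM is started with -Djavax.net.ssl.keyStore (and -Djavax.net.ssl.keyStorePassword) pointing at a keystore holding its certificate and key; without one, SSLServerSocketFactory.getDefault() has nothing to present and every connection fails.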