I have an Android app which uses a Java TCP client to connect to a Java TCP application server.
In some cases I noticed firewalls or routers that block the port I am using can cause issues so I am trying to use a secure connection.
I have tried using the examples from this link:
SSLServerSocket but I am always getting a connection timeout.
Server code:
ServerSocketFactory sslServerSocketFactory = SSLServerSocketFactory.getDefault();
serverSocket = sslServerSocketFactory.createServerSocket(port, backlog);
Socket socket = serverSocket.accept(); ---> in a new thread
Client code:
SocketFactory socketFactory = SSLSocketFactory.getDefault();
clientSocket = socketFactory.createSocket();
clientSocket.connect(new InetSocketAddress(host, port), READ_TIMEOUT); ---> timeout on this line
I also tried the more complicated examples in the link but all resulted in a timeout.
I really want to understand what's wrong with this very simple example.
If it's not the way to work with SSL (I see no mention of certificates in this code at all, which I think is necessary in SSL) then why is it given as a working example?
Any help would be appreciated.
Related
I'n using Kotlin coroutines to setup a Java serversocket in Android studio 4.0 Beta 5. I'm running in the emulator on Windows 10. When my very reliable c language socket client attempts to connect using 127.0.0.1 as the IP it receives error 10061. The same client program has worked well for many years with a Java Swing socketserver.
Google give the following explanation for error 10061:
10061 is a Connection Refused error sent to you by the server. You could not make a
connection because the target machine actively refused it. The most common cause is a
misconfigured server, full server, or incorrect Port specified by the client.
Here's my code snippet
int myPort = 8080;
String localIP = InetAddress.getLocalHost().getHostAddress();
ServerSocket srv = new ServerSocket();
String hostname = InetAddress.getLocalHost().getHostName();
srv.bind(new InetSocketAddress(hostname,myPort));
srv.setSoTimeout(socketAcceptTimeOut); //This sets the timeout on the accept
Socket cli = srv.accept();
I used the server bind based on another stackoverflow answer but it did't help when I removed it. In any case I believe the serversocket is listening at 127.0.0.1. I'm using port 8080 but I've tried a few others.
On the Android side the srv.accept is just timing out.
What am I missing?
Thanks
I have an SSL-enabled tcp server that can listen to multiple rsyslog clients. Each client has its own certificate that is added in the server's truststore. This setup is working fine. TThe question is whether there is a way to get the client certificate information like CN, location etc. after the socket accepts connection?
Below is the code sample of simple tcp server.
SSLServerSocketFactory sf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
ServerSocket ss = sf.createServerSocket(514);
while(true){
SSLSocket s = (SSL)ss.accept();
// here I need to get client certificate information
}
You need to configure the SSLServerSocket to need or want client authentication, depending on which of those applies. Then you can get the peer certificates out of the SSLSocket's SSLSession, if they were sent.
Unfortunately I'm completely new to SSL. Currently I'm trying to set up a secure connection between a client and a server application in Java and the following code works for me (transmitted data is encrypted), but I don't know if this is a correct and secure solution.
Client side:
socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
socket.setUseClientMode(true);
socket.setEnabledCipherSuites(socket.getSupportedCipherSuites());
socket.startHandshake();
Server side:
sslServerSocket = (SSLServerSocket) serverSocketFactory.createServerSocket(requestPort());
sslServerSocket.setUseClientMode(false);
sslServerSocket.setEnabledCipherSuites(sslServerSocket.getSupportedCipherSuites());
It is not advisable to enable all ciphers/protocols. Better that you enabled only the ciphers and protocols you want. If both server and server is written by you, choose what you want and configure only that.
socket.setEnabledCipherSuites(...);
socket.setEnabledProtocols(...);
Supported ciphers and protocols can be seen in JSSE documentation
Or you can use "jdk.tls.disabledAlgorithm" to control what algs you want to use.
I want to have a SSL encrypted TCP server on the android device and a client on the computer which will connect to the device.
I create a SSLServerSocket on the Android device with an own keystore.
final KeyStore localTrustStore = KeyStore.getInstance("BKS"); //NON-NLS
final InputStream in = context.getResources().openRawResource(R.raw.syncapp);
localTrustStore.load(in, "secret".toCharArray()); //Keystore pw
in.close();
final SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); //NON-NLS
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(localTrustStore);
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(localTrustStore, "secret".toCharArray()); //privat key pw
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
serverSocket = sslContext.getServerSocketFactory().createServerSocket(SERVER_PORT);
((SSLServerSocket) serverSocket).setNeedClientAuth(true);
Then I wait for a client to connect. When a client wants to connect a new thread is started and the streams get demanded:
final DataInputStream input = new DataInputStream(this.clientSocket.getInputStream());
final DataOutputStream output = new DataOutputStream(new BufferedOutputStream(clientSocket.getOutputStream()));
First I used this code with USB-Tethering to gain a connection between the computer and the android device. So no Wifi/Network was enabled. Everything worked perfectly.
Then I activated the wifi on the android device and connect to a wlan without internet.
But now the call to getInputStream() seems to take 5 to 10 seconds.
If I deactivate SSL it works perfectly.
If the wlan does connect to the internet there is no delay as well.
I tested this with Android 4.2 and 5.1.
Update: Now I could test this issue with Android 6. And the issue seems to be fixed there...
The Handshake is finished correctly but after that there seems to be some sort of delay on the android device. (The call to getInputStream consumes that time)
Some devs are saying that it will do a DNS reverse lookup which will run into a timeout.
Take a look at the capture, the first connection was made while wifi was disabled. It took 0.3 sec to make the data transfer. Then I just activated the wifi, I didn't connect over the wifi, it still communicates over usb. And it took over 5 sec.
I found the issue here as well, but they are using a client socket. I need a server socket. Does anyone have any idea how to fix this issue?
TLS connection using SSLSocket is slow in Android OS
You are right that there is a reverse DNS lookup that is timing out. In certain Java Runtime Environments, during the handshake with a raw IP address, the SSLContext unnecessarily performs a lookup of the server's IP address. This is to determine if the common name of the server certificate matches. Try using one of the solutions mentioned here:
How to disable Java's SSL Reverse DNS Lookup
The initial problem we encountered was that a regular FTPs download started failing due to an untrusted server certificate. This prompted us to wonder whether the certificate had been updated without the counterparty notifying us so we wanted to download the current certificate and compare it to the one we have in our keystore.
This seems to be a trickier problem than we had anticipated. The usual suspects (firefox, filezilla, ...) did not seem up to the task of connecting to an FTPs server through an FTP proxy so out of curiosity I started playing around with a more low level java approach. I can not for the life of me get it to work though.
First (overly simplistic) java attempt:
// create proxy connection
SocketFactory plainFactory = SocketFactory.getDefault();
Socket proxy = plainFactory.createSocket(proxyServer, proxyPort);
// create ssl connection on top of it?
SSLSocketFactory sslFactory = getSocketFactory();
SSLSocket socket = (SSLSocket) sslFactory.createSocket(proxy, server, port, true);
This approach obviously does not work.
Next I started playing around with ftp4j (http://www.sauronsoftware.it/projects/ftp4j/) it seems to have a clean and accessible codebase:
FTPClient client = new FTPClient();
client.setConnector(new FTPProxyConnector(proxyHost, proxyPort));
client.getConnector().setConnectionTimeout(0);
client.getConnector().setReadTimeout(0);
client.setSSLSocketFactory(getSocketFactory());
// also tried SECURITY_FTPS
client.setSecurity(FTPClient.SECURITY_FTPES);
client.connect(server, port);
This outputs:
REPLY: 220 Blue Coat FTP Service
SEND: USER anonymous
REPLY: 530-User Access denied.
REPLY: 530-
REPLY: 530-Usage: USER username#hostname
REPLY: 331 PASS userpassword
Exception in thread "main" java.io.IOException: Invalid proxy response
The proxy server has optional authentication and on our development servers we generally use "user#host" without proxy authentication. As such I assume the username, hostname and password are those of the remote server?
So I tried adding the remote parameters, this does not work:
REPLY: 220 Blue Coat FTP Service
SEND: USER test#ftps.example.com
Exception in thread "main" java.io.IOException: FTPConnection closed
Adding the proxy user to match the bluecoat format does not seem to work either:
USER %u#%h %s
PASS %p
ACCT %w
Any help with either of these two problems would be most welcome:
how to retrieve the server certificate from an ftps server through an ftp proxy
how to connect to an ftps server through an ftp proxy in java
You might want to try Apache Net commons libs.
Here is a similar thread that uses that Net Commons library
Net commons also has a fully functional FTP Client Example so you can test with something you know works.