Debugging JSSE
Code that is involved in an SSL conversation can be tricky to debug because many of the details that you’d normally handle yourself (key exchange, certificate verification, and so on) are hidden from you. When these operations don’t work, it can be difficult to figure out what went wrong.
Complicating this is the fact that setting up an SSL connection is a time-consuming operation. Both parties in the conversation must create a secure random number (an instance of the SecureRandom class if they are Java programs). Then the peers must negotiate which key exchange algorithm to use and actually perform the key exchange. Only then is the socket available to send and receive data. So our first tip in working with SSL code is to be patient when you start a program.
Several exceptions are thrown by the JSSE API. These are often self-explanatory. For example, if you attempt to retrieve the certificate chain of a peer from the SSLSession object, you will get an SSLPeerUnverifiedException if the peer is not verified. However, you will get a SocketException with the somewhat cryptic detail message of “No SSL Sockets” if you specify an incorrect password for a keystore used by an SSL context or an SSL socket factory.
Exceptions are not always thrown when you might expect, however. In particular, an SSL socket will become connected at the socket level even if the SSL protocol negotiation fails. For instance, when an SSL client calls the createSocket( ) method, it will receive ...
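The following client probe is an added example written for this section; it is not code from the book. It builds an SSLContext from a PKCS12 keystore so that a wrong keystore password fails at a known point, then opens an SSLSocket and calls startHandshake( ) explicitly so that a failed negotiation surfaces as an SSLHandshakeException right where the socket is created rather than on the first read or write. After the handshake it reads the SSLSession and catches the SSLPeerUnverifiedException described above. The class name JsseProbe and the system property probe.keystore are assumptions of this example; the host and port are taken from the command line.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical diagnostic client (example code, not from the book).
 * Run with: java JsseProbe <host> <port>
 * Optionally: -Dprobe.keystore=client.p12 -Dprobe.password=... to use your own
 * keystore, and -Djavax.net.debug=ssl to turn on JSSE's own handshake tracing.
 */
public class JsseProbe {

    /** Build an SSLContext from a PKCS12 keystore. A wrong password fails
     *  here, in KeyStore.load(), rather than later inside the socket factory. */
    static SSLContext buildContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Force the handshake now and report what the session tells us. */
    static String describePeer(SSLSocket socket) throws IOException {
        // createSocket() only connects at the TCP level; without this call the
        // SSL negotiation is deferred to the first read/write, so a failure would
        // be reported far from the code that opened the socket.
        socket.startHandshake();
        SSLSession session = socket.getSession();
        StringBuilder sb = new StringBuilder();
        sb.append("protocol=").append(session.getProtocol())
          .append(" cipher=").append(session.getCipherSuite());
        try {
            for (Certificate c : session.getPeerCertificates()) {
                if (c instanceof X509Certificate) {
                    sb.append("\n  peer cert: ")
                      .append(((X509Certificate) c).getSubjectX500Principal());
                }
            }
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when the peer's identity was not verified during the handshake.
            sb.append("\n  peer not verified: ").append(e.getMessage());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java JsseProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Use the caller's keystore if one is named, otherwise the JDK defaults.
        String ksPath = System.getProperty("probe.keystore");      // assumed property
        String ksPass = System.getProperty("probe.password", "");  // assumed property
        SSLSocketFactory factory = (ksPath == null)
            ? (SSLSocketFactory) SSLSocketFactory.getDefault()
            : buildContext(ksPath, ksPass.toCharArray()).getSocketFactory();

        // Expect a delay here: both sides seed SecureRandom and run the key exchange.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            System.out.println(describePeer(socket));
        } catch (SSLHandshakeException e) {
            // The TCP connection succeeded but the SSL negotiation did not.
            System.err.println("handshake failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

When the handshake fails, rerunning with -Djavax.net.debug=ssl on the command line prints JSSE's own trace of the negotiation, which is usually the quickest way to see which step (trust decision, cipher suite selection, protocol version) the peers disagreed on.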