1、SSL Handshaking
可以通過HandshakeCompletedListener對握手協議進行監聽,使用HandshakeCompletedEvent對象獲取握手協議使用的加密套件、雙方使用的證書等信息。
2、JSSE Permissions
To use some features of JSSE in an environment in which a security manager has been installed, untrusted code will need the following permissions:
permission com.sun.net.ssl.SSLPermission "setHostnameVerifier";
permission com.sun.net.ssl.SSLPermission "setDefaultAuthenticator";
permission com.sun.net.ssl.SSLPermission "getSSLSessionContext";
3、HTTPS Properties
java.protocol.handler.pkgs:定義了類運行時使用的處理協議
https.proxyHost: If you must go through a proxy server to access the URL in question, set this property to the name of the proxy server.
https.proxyPort If you must go through a proxy server that resides on a port other than 80, set this property to the port number.
http.nonProxyHost:需要直接訪問的本機,http和https通用
If there are hosts on your local network that should be accessed directly (rather than through the proxy
host), set this property to a list of those hosts. The hosts should be separated by the pipe (|) symbol:
www.sun.com|www.ora.com. Note that this property applies to both the HTTP and HTTPS protocols,
despite its name (there is no separate https.nonProxyHost property).
https.cipherSuites:加密套件
If you want to use a particular set of SSL cipher suites, set this property to a list of comma−separated
suites that you wish to use.
4、
Several exceptions are thrown by the JSSE API. These are often self−explanatory. For example, if you
attempt to retrieve the certificate chain of a peer from the SSLSession object, you will get an
SSLPeerUnverifiedException if the peer is not verified. However, you will get a SocketException with the somewhat cryptic detail message of "No SSL Sockets" if you specify an
incorrect password for a keystore used by an SSL context or an SSL socket factory.
一些異常是很明瞭的,比如,如果對方的證書不能驗證通過,那麼會拋出SSLPeerUnverifiedException異常。
如果使用了錯誤的keystore密碼,那麼會顯示No SSL Sockets信息,並拋出SocketException
5、
Exceptions are not always thrown when you might expect, however. In particular, an SSL socket will become
connected at the socket level even if the SSL protocol negotiation fails. For instance, when an SSL client calls
the createSocket( ) method, it will receive a valid socket even if it is unable to verify the identity of the
server to which it is connecting (because, for example, the client used the incorrect truststore). If the client
attempts an SSL operation on the socket (such as retrieving the certificate chain in order to verify the server's
hostname), an exception will be thrown. If, however, the client just uses the socket, no exception will occur:
the write( ) method will succeed. In this case, the server can read from the socket, but it will get no data.
Similarly, the server can write data to the client and the client will see that data was written but be unable to
read that data.
SSLSocket可以使用基本的socket連接,即使SSL協商失敗。例如,客戶端調用createSocket()方法,即使客戶端不能驗證服務器證書,也可以接收到一個
可用的socket,如果客戶端企圖使用SSL操作(例如,返回證書鏈,驗證服務器主機名字),將會拋出一個異常。如果客戶端只是使用普通的socket,將不會拋異常,
寫操作就會成功。在這種情況下,服務端可以從socket讀取數據,但是不會讀取到任何東西,同樣,服務器可以向socket寫數據到客戶端,客戶端可以看到數據,但是不能讀取到數據。
In our simple test program, this manifests itself with the following output:
piccolo% java SSLSimpleClient localhost 9096
Who is Sylvia?
null