1、SSL Handshaking
A HandshakeCompletedListener can be registered on an SSL socket to be notified when the handshake completes; the HandshakeCompletedEvent it receives gives access to the cipher suite negotiated by the handshake, the certificates used by both sides, and similar session information.
2、JSSE Permissions
To use some features of JSSE in an environment in which a security manager has been installed, untrusted code will need the following permissions:
permission com.sun.net.ssl.SSLPermission "setHostnameVerifier";
permission com.sun.net.ssl.SSLPermission "setDefaultAuthenticator";
permission com.sun.net.ssl.SSLPermission "getSSLSessionContext";
3、HTTPS Properties
java.protocol.handler.pkgs: defines the packages in which the runtime looks for the protocol handlers it uses.
https.proxyHost: If you must go through a proxy server to access the URL in question, set this property to the name of the proxy server.
https.proxyPort: If you must go through a proxy server that resides on a port other than 80, set this property to the port number.
http.nonProxyHost: hosts on the local network that should be reached directly; applies to both HTTP and HTTPS.
If there are hosts on your local network that should be accessed directly (rather than through the proxy host), set this property to a list of those hosts. The hosts should be separated by the pipe (|) symbol: www.sun.com|www.ora.com. Note that this property applies to both the HTTP and HTTPS protocols, despite its name (there is no separate https.nonProxyHost property).
https.cipherSuites: the SSL cipher suites to use.
If you want to use a particular set of SSL cipher suites, set this property to a list of comma-separated suites that you wish to use.
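The following program is an added example, not code from the book or from these notes. It sets the proxy and cipher-suite properties described above before the first HTTPS connection is opened, then reports what HttpsURLConnection actually negotiated, which is the check a practitioner wants after restricting suites. The proxy host, the direct-access host list and the default URL are constructed placeholders; the class and method names (HttpsPropertiesDemo, configure, describe) are hypothetical. Note that current JDKs document the direct-access property as http.nonProxyHosts (plural), so that is the name set here.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

/**
 * Hypothetical helper: configures the HTTPS system properties and then reports
 * the cipher suite and server certificate chain of a real connection.
 */
public class HttpsPropertiesDemo {

    /** Must run before the https protocol handler is first used in this JVM. */
    static void configure(String proxyHost, int proxyPort, String cipherSuites) {
        // Constructed placeholder proxy; replace with the real proxy name/port.
        System.setProperty("https.proxyHost", proxyHost);
        System.setProperty("https.proxyPort", Integer.toString(proxyPort));
        // Hosts reached directly, '|'-separated; covers both http and https
        // (current JDKs spell the property http.nonProxyHosts).
        System.setProperty("http.nonProxyHosts", "localhost|*.intranet.example");
        // Comma-separated suites HttpsURLConnection will offer in its ClientHello.
        System.setProperty("https.cipherSuites", cipherSuites);
    }

    /** Connects (which performs the TLS handshake) and describes the result. */
    static String describe(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("HEAD");
        conn.connect();
        try {
            StringBuilder sb = new StringBuilder();
            sb.append("negotiated suite: ").append(conn.getCipherSuite()).append('\n');
            // getServerCertificates() throws SSLPeerUnverifiedException if the
            // server was not authenticated, so reaching here means it was.
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    sb.append("  subject: ")
                      .append(((X509Certificate) c).getSubjectX500Principal())
                      .append('\n');
                }
            }
            return sb.toString();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        configure("proxy.example", 3128,
                  "TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        // Constructed default target; pass a real https URL as the first argument.
        URL target = new URL(args.length > 0 ? args[0] : "https://localhost:9096/");
        System.out.print(describe(target));
    }
}
```

https.cipherSuites is honoured by HttpsURLConnection only; a program that creates its own SSLSocket or SSLEngine must call setEnabledCipherSuites() on it instead, otherwise the JSSE defaults apply regardless of this property.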
4、Exceptions
Several exceptions are thrown by the JSSE API. These are often self-explanatory. For example, if you attempt to retrieve the certificate chain of a peer from the SSLSession object, you will get an SSLPeerUnverifiedException if the peer is not verified. However, you will get a SocketException with the somewhat cryptic detail message of "No SSL Sockets" if you specify an incorrect password for a keystore used by an SSL context or an SSL socket factory.
Some exceptions are self-explanatory: for example, if the peer's certificate cannot be verified, an SSLPeerUnverifiedException is thrown.
If the wrong keystore password is used, a SocketException is thrown whose message reads "No SSL Sockets".
5、Silent Negotiation Failures
Exceptions are not always thrown when you might expect, however. In particular, an SSL socket will become connected at the socket level even if the SSL protocol negotiation fails. For instance, when an SSL client calls the createSocket() method, it will receive a valid socket even if it is unable to verify the identity of the server to which it is connecting (because, for example, the client used the incorrect truststore). If the client attempts an SSL operation on the socket (such as retrieving the certificate chain in order to verify the server's hostname), an exception will be thrown. If, however, the client just uses the socket, no exception will occur: the write() method will succeed. In this case, the server can read from the socket, but it will get no data. Similarly, the server can write data to the client and the client will see that data was written but be unable to read that data.
An SSLSocket can be connected at the plain socket level even when the SSL negotiation fails. For example, when the client calls createSocket(), it receives a usable socket even if it cannot verify the server's certificate. If the client then attempts an SSL operation (for example, retrieving the certificate chain or verifying the server's host name), an exception is thrown. If the client only uses the socket as an ordinary socket, no exception is thrown and the write succeeds. In that case the server can read from the socket but receives nothing; likewise the server can write to the client, and the client sees that data was written but cannot read it.
In our simple test program, this manifests itself with the following output:
piccolo% java SSLSimpleClient localhost 9096
Who is Sylvia?
null
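The client below is an added example (not the book's SSLSimpleClient and not part of these notes) that guards against the behaviour described in sections 1 and 5: it forces the handshake with startHandshake() before sending anything, so a wrong truststore or an untrusted certificate surfaces as an exception instead of as a "connected" socket whose writes go nowhere, and it registers a HandshakeCompletedListener to record the negotiated protocol, cipher suite and server chain. It assumes a TLS server at the given host and port that answers one reply line per request line, as in the sample output above; the defaults localhost and 9096 are taken from that output, and the names StrictSslClient, HandshakeLogger and openVerified are hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.cert.Certificate;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical client that refuses to talk until the TLS handshake has succeeded. */
public class StrictSslClient {

    /** Section 1: a listener that records what the completed handshake negotiated. */
    static final class HandshakeLogger implements HandshakeCompletedListener {
        @Override
        public void handshakeCompleted(HandshakeCompletedEvent event) {
            System.err.println("protocol:     " + event.getSession().getProtocol());
            System.err.println("cipher suite: " + event.getCipherSuite());
            try {
                Certificate[] chain = event.getPeerCertificates();
                System.err.println("server chain: " + chain.length
                        + " certificate(s), leaf type " + chain[0].getType());
            } catch (SSLPeerUnverifiedException e) {
                // Not expected after a completed server-authenticated handshake,
                // but the API requires the handler.
                System.err.println("peer not verified: " + e.getMessage());
            }
        }
    }

    /**
     * Section 5: returns the socket only after the handshake has completed and the
     * certificate has been matched against the host name.
     */
    static SSLSocket openVerified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            // A raw SSLSocket does not check the certificate against the host name
            // by default (HttpsURLConnection does); ask for that check explicitly.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.addHandshakeCompletedListener(new HandshakeLogger());
            // Explicit handshake: a wrong truststore, an untrusted certificate or a
            // host-name mismatch throws here rather than later (or never).
            socket.startHandshake();
            return socket;
        } catch (IOException e) {
            socket.close();  // do not leave a TCP-connected but unusable socket around
            throw e;
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9096;
        // Same exchange as the sample client: one request line, one reply line.
        try (SSLSocket socket = openVerified(host, port);
             PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(socket.getInputStream()))) {
            out.println("Who is Sylvia?");
            System.out.println(in.readLine());
        } catch (SSLHandshakeException e) {
            // With the original client this case printed "null"; here it is explicit.
            System.err.println("TLS negotiation with " + host + " failed: " + e.getMessage());
            System.exit(1);
        } catch (IOException e) {
            System.err.println("I/O error: " + e.getMessage());
            System.exit(2);
        }
    }
}
```

The endpoint identification algorithm requires Java 7 or later; on older runtimes the host-name check has to be done by hand from the chain returned by getPeerCertificates(). Either way, the important line is startHandshake(): without it, the first read or write would trigger the handshake lazily and a failure could be masked, as the "null" in the output above shows.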