Question

I would like to be notified when a new SSL connection starts and the handshake begins. I need to get the certificate before the keystore gets invoked.

Is there some way to register a listener to this process so I get to decide whether the certificate is OK and should be checked against the keystore, or cancel it right away?

Something like this, but for SMTP Connections:

import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

URL req = new URL(getUrl);
HttpsURLConnection con = (HttpsURLConnection) req.openConnection();

// Hook called during the HTTPS handshake; the return value decides whether the
// connection proceeds.
con.setHostnameVerifier(new HostnameVerifier()
{
    public boolean verify(String hostname, SSLSession session)
    {
        return true; // My decision
    }
});

I'm using the JAMES Email server 2.3.2 (if that means something).

Thank you in advance!

Solution

You need to set the SSLFactory of the connection. The following example uses no key-manager and a default TrustManager. Your checks will go in the checkServerTrusted method.

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

HttpsURLConnection con = (HttpsURLConnection) req.openConnection();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, // No Key Manager: this side presents no certificate
             new TrustManager[] { new X509TrustManager()
               {
                 @Override
                 public void checkClientTrusted(X509Certificate[] chain, String authType)
                     throws CertificateException
                   {
                     // Only relevant when this side acts as a TLS server
                   }

                 @Override
                 public void checkServerTrusted(X509Certificate[] chain, String authType)
                     throws CertificateException {
                      // check the certs: chain[0] is the peer's leaf certificate;
                      // throw CertificateException to abort the handshake
                 }

                 @Override
                 public X509Certificate[] getAcceptedIssuers()
                   {
                     // Return an empty array rather than null; callers may iterate it
                     return new X509Certificate[0];
                   }

               } }, // TrustManager
             new java.security.SecureRandom());
con.setSSLSocketFactory(context.getSocketFactory());
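The answer's trust manager is only a skeleton and, as written, its empty checkServerTrusted accepts every certificate. The following is an added example, not code from the answer or from JAMES: an X509TrustManager that runs its own pre-check on the peer's chain first (what the question asks for) and only then hands the chain to the JVM's default, keystore-backed trust manager. The CN-matching policy, the class name PreCheckTrustManager and the host name mail.example.com are assumptions chosen for illustration; the resulting SSLSocketFactory can be given to any TLS client code that accepts one (HttpsURLConnection.setSSLSocketFactory, or a mail client's socket-factory setting).

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the original answer): sees the peer's certificate
 * chain before the keystore-backed check runs, rejects what its own policy
 * dislikes, and otherwise delegates to the JVM's default X509TrustManager
 * (which validates against cacerts or -Djavax.net.ssl.trustStore).
 */
public final class PreCheckTrustManager implements X509TrustManager {

    private final X509TrustManager keystoreBacked;
    private final String expectedCn; // hypothetical policy: leaf subject must carry this CN

    public PreCheckTrustManager(X509TrustManager keystoreBacked, String expectedCn) {
        this.keystoreBacked = keystoreBacked;
        this.expectedCn = expectedCn;
    }

    /** Loads the JVM's default keystore-backed trust manager. */
    public static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** The early decision the question asks for: runs before any keystore lookup. */
    void preCheck(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // throws if expired or not yet valid
        // RFC 2253 subject string, e.g. "CN=mail.example.com,O=Example"
        String subject = leaf.getSubjectX500Principal().getName();
        boolean cnMatches = false;
        for (String rdn : subject.split(",")) {
            if (rdn.trim().equals("CN=" + expectedCn)) {
                cnMatches = true;
            }
        }
        if (!cnMatches) {
            throw new CertificateException("unexpected subject: " + subject);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        preCheck(chain);                                    // our decision first ...
        keystoreBacked.checkServerTrusted(chain, authType); // ... then the keystore check
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        preCheck(chain);
        keystoreBacked.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return keystoreBacked.getAcceptedIssuers(); // the CAs in the truststore, never null
    }

    /** Builds an SSLSocketFactory that TLS client code can be handed. */
    public static SSLSocketFactory socketFactory(String expectedCn) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null,
                 new TrustManager[] { new PreCheckTrustManager(defaultTrustManager(), expectedCn) },
                 null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        PreCheckTrustManager tm = new PreCheckTrustManager(defaultTrustManager(), "mail.example.com");
        // Constructed smoke test: an empty chain is rejected before the keystore is consulted.
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            System.out.println("unexpected: empty chain accepted");
        } catch (CertificateException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
        SSLSocketFactory f = socketFactory("mail.example.com");
        System.out.println("factory ready: " + f.getClass().getName());
    }
}
```

The point of wrapping rather than replacing the default trust manager is that the keystore check still runs: the custom code can only narrow what is accepted, never widen it. The CN comparison here is a placeholder policy; production code should match the host against the certificate's Subject Alternative Names (for example by enabling endpoint identification on the SSLParameters) rather than the subject string.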
Licensed under: CC-BY-SA with attribution