Java SSL renegotiation (from SSL to clear channel)
https://stackoverflow.com/questions/812275
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm doing something in Java SE that would require me to use SSL in an unusual way.
The required steps would be something like:
- Establish an SSL session;
- Exchange some private information;
- Renegotiate connection parameters to stop using cryptographic operations.
I haven't found in the Java API a way to to this. I believe that the problem solution would somehow be addressed by using the session renegotiation but with a cipher suite with no cryptographic operations, but there isn't such an option; or to access the underling socket and bypass cryptographic operations.
Are any of these options possible? Do you believe that such functionality would be available in other languages and frameworks (C, PHP, Ruby, .NET, Perl, Python, etc.)?
Thanks for the help,
Luís M. Costa
Solution
You could do something like this in Java, but it's definitely not standard. I can't vouch for other platforms having the necessary support for this.
The JSSE provides support for transport-independent SSL with the SSLEngine. You could use this to temporarily "decorate" a socket with SSL, then turn it off when you are done and use the raw socket IO directly.
I can't guess why you'd want to turn off SSL once you had gone to the expense of negotiating the SSL session. If it is for the sake of performance, you can renegotiate the cipher suite to use "NULL" confidentiality and integrity protocols, as long as both parties allow it. You'd still have a little overhead in the SSL record layer. However, the overhead of SSL after the session parameters have been negotiated is extremely low. If your application is that sensitive to this overhead, you might want to consider dedicated SSL hardware.
OTHER TIPS
One reason to turn off SSL on the existing socket is for implementing the FTP clear control channel (CCC) command (FTP over TLS). This switches the control channel back to cleartext so that firewalls can see the dynamic port request.
Why not just drop the connection and reconnect? There would be less overhead in establishing a TCP connection that in renegotiating SSL.
To renogotiate the transparent cipher I guess you will have at least to enable it, as it is not by default enabled. But I think there is no good "null"cipher for that and it would be better to detach the SSL Sockets from the underlying socket.
SSLEngine#setEnabledCipherSuites(new String(){"SSL_RSA_WITH_NULL_SHA"});
SSLEngine#beginHandshake();
