Registering to receive event notification of SSLSocket handshake completion
https://stackoverflow.com/questions/10437475
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianВопрос
According to the documentation on SSLSocket:
You may register to receive event notification of handshake completion.
Why would you not register for this? Does the fact that SSLSocket.startHandshake() succeeds without an SSLException occurring ensure that certificates are trusted? Or do you get some extra level of assurance by waiting for the handshake to complete?
Решение
There are 3 conditions to start the handshake on an SSLSocket:
- calling startHandshake which explicitly begins handshakes, or
- any attempt to read or write application data on this socket causes an implicit handshake, or
- a call to getSession tries to set up a session if there is no currently valid session, and an implicit handshake is done.
Any handshake failure will generate an exception (including when the certificate isn't trusted):
If handshaking fails for any reason, the SSLSocket is closed, and no futher communications can be done.
Often, calling startHandshake() explicitly when establishing the connection is unnecessary, since the handshake is initiated when you start reading from the inputstream (or writing to the outputstream). Any failure there would cause an exception and stop the normal control flow. You don't need to register explicitly to capture the completion of the handshake in those cases: if you can read/write from the streams, it's done.
The notification of handshake completion is mostly useful if you're a server asking for re-negotiation (by calling startHandshake() after some application data has been exchanged). In this case, you may want to wait for that handshake to have completed before proceeding. For example, if the server requests a client-certificate after receiving an HTTP request for a particular path, it may want to wait for the handshake to complete successfully to be able to authorise the client-certificate, before sending the response. This is because startHandshake() doesn't stop the flow of application data:
If data has already been sent on the connection, it continues to flow during this handshake.
