It looks like MINA should be exposing a way to add a HandshakeCompletedListener to the SSLSocket. Using an extended TrustManager gives you no way of getting access to the underlying socket (that I can see), so you cannot verify the host since you do not know where the client was connecting to.

I checked on the Sun JSSE forums, and it looks like this is the expected way to implement this behaviour (http://forums.sun.com/thread.jspa?threadID=5396352). Does anyone know of a way that this can be implemented in MINA 1.1.7?

On Wed, Jul 8, 2009 at 7:35 PM, Shaun Senecal <[email protected]> wrote:
> Ya, I considered doing this as well, but I thought there had to be a
> "default" way of doing this. It seems like this is something that every
> X509TrustManager would want to do. Not sure why Sun's implementation
> wouldn't do it.
>
> On Wed, Jul 8, 2009 at 6:18 PM, Viktor Balazs <[email protected]> wrote:
>
>> Hi,
>>
>> I'm using my own implementation of the X509TrustManager interface.
>>
>> When I create a new SSLContext for Mina's SslFilter I can use my trust
>> manager:
>>
>>     public SslFilter createClientFilter() throws Exception {
>>         SslFilter result = null;
>>
>>         SSLContext sslContext = SSLContext.getInstance("TLS");
>>         sslContext.init(null, new TrustManager[] { new MyTrustManagerImpl() }, null);
>>
>>         result = new SslFilter(sslContext);
>>         result.setUseClientMode(true);
>>
>>         return result;
>>     }
>>
>> 2009/7/8 Shaun Senecal <[email protected]>:
>> > I am using MINA 1.1.7 to implement a custom service using TLS and a custom
>> > protocol. I have everything working in that communication is encrypted,
>> > however, there doesn't seem to be any host name verification. i.e., the
>> > URL I am using to connect to the server does NOT match the CN of the
>> > certificate that the server returns and no exception is thrown. Is there
>> > a way to enable this verification? Is this something I need to implement
>> > myself?
>> >
>> > It looks like JSSE does not provide this functionality at the SSL level,
>> > but provides it at the HttpsURLConnection level. I guess this means I
>> > need to implement it myself, but I don't see where I can inject this
>> > verification code since I need access to the server certificate as well
>> > as the URL. Any ideas?
>> >
>> >
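The workaround the thread circles around is to do the host check inside the custom X509TrustManager itself. The following is an added example, not code from this thread or from MINA: it assumes the client already knows the host it is dialling when it builds the SslFilter, passes that host into the trust manager's constructor, and delegates chain validation to the JDK's default trust manager before matching the leaf certificate's dNSName SANs. It does not match iPAddress SANs and does not fall back to the subject CN.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Delegates chain validation to the default trust manager, then checks the
 *  leaf certificate's dNSName SANs against the host the client connected to. */
public final class HostVerifyingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final String expectedHost; // assumption: known when the SslFilter is built

    public HostVerifyingTrustManager(String expectedHost) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null -> the JDK's default cacerts truststore
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.delegate = found;
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // chain and signature checks first
        Collection<List<?>> sans = chain[0].getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName; iPAddress (type 7) is not matched here
                if (Integer.valueOf(2).equals(san.get(0)) && matches((String) san.get(1))) return;
            }
        }
        throw new CertificateException("certificate does not match host " + expectedHost);
    }

    /** Exact match, or a single leftmost wildcard label (*.example.com) covering one label. */
    private boolean matches(String dnsName) {
        String name = dnsName.toLowerCase(Locale.ROOT);
        if (name.equals(expectedHost)) return true;
        if (name.startsWith("*.") && !name.substring(2).contains("*")) {
            int dot = expectedHost.indexOf('.');
            return dot > 0 && expectedHost.substring(dot + 1).equals(name.substring(2));
        }
        return false;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Used in place of MyTrustManagerImpl in the createClientFilter() shown above, a server certificate whose SANs do not cover the dialled host now fails the handshake instead of being silently accepted.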
