Navigating the parils of SSLv2 with HttpClient

Sslv3SocketFactory.java

package co.cantina.http;

import java.io.IOException;
import java.net.Socket;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.params.HttpParams;

/**
 * An {@link SSLSocketFactory} supporting only SSLv3 and TLSv1 sockets.
 * 
 * @author jdolan
 * 
 */
public class Sslv3SocketFactory extends SSLSocketFactory {

	private final Log log = LogFactory.getLog(getClass());

	/**
	 * Instantaites a new {@link Sslv3SocketFactory}.
	 * 
	 * @param sslContext
	 *            The SSLContext.
	 * 
	 * @param hostnameVerifier
	 *            The X509HostnameVerifier.
	 */
	public Sslv3SocketFactory(SSLContext sslContext, X509HostnameVerifier hostnameVerifier) {
		super(sslContext, hostnameVerifier);
	}

	@Override
	public Socket createSocket(HttpParams params) throws IOException {

		if (log.isDebugEnabled()) {
			log.debug("createSocket: " + params);
		}

		SSLSocket socket = (SSLSocket) super.createSocket(params);

		socket.setEnabledProtocols(new String[] { "SSLv3", "TLSv1" });

		return socket;
	}
}

TrustingHttpClient.java

package co.cantina.http;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.X509TrustManager;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

/**
 * A {@link DefaultHttpClient} which accepts any and all X509 certificates. This
 * is useful when an encrypted channel, but not necessarily a trusted channel,
 * is required (e.g. self-signed certificate). This approach is vulnerable to a
 * man-in-the-middle attack, but is often useful in development scenarios where
 * self-signed certificates are frequently used.
 * 
 * @author jdolan
 * 
 */
public class TrustingHttpClient extends DefaultHttpClient {

	private static final Log log = LogFactory.getLog(TrustingHttpClient.class);
	
	private static SSLSocketFactory sslSocketFactory;

	static {
		// A no-op X509TrustManager that accepts all issuers
		X509TrustManager trustManager = new X509TrustManager() {

			@Override
			public void checkClientTrusted(X509Certificate[] chain, String authType)
					throws CertificateException {
			}

			@Override
			public void checkServerTrusted(X509Certificate[] chain, String authType)
					throws CertificateException {
			}

			@Override
			public X509Certificate[] getAcceptedIssuers() {
				return new X509Certificate[] {};
			}
		};

		// An SSLContext that employs the no-op X509TrustManager
		SSLContext sslContext = null;

		try {
			sslContext = SSLContext.getInstance("TLS");
			sslContext.init(null, new X509TrustManager[] { trustManager }, null);

		} catch (Throwable t) {
			log.error(t, t);
		}

		// An SSLSocketFactory that employs the no-op X509HostnameVerifier, and
		// that supports only SSLv3 and TLS protocols (no SSLv2)
		sslSocketFactory = new Sslv3SocketFactory(sslContext, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
	}
	
	/**
	 * Instantiates a new TrustingHttpClient.
	 */
	public TrustingHttpClient() {
		
		Scheme scheme = new Scheme("https", 443, sslSocketFactory);

		getConnectionManager().getSchemeRegistry().register(scheme);
	}
}