使用HttpsURLConnection时如何覆盖Android发送到服务器的密码列表? [英] How to override the cipherlist sent to the server by Android when using HttpsURLConnection?

问题描述

在 TLS 协商期间，客户端向服务器发送支持的密码列表，服务器选择一个，然后开始加密.当我使用 HttpsURLConnection 进行通信时，我想更改这个由 Android 发送到服务器的密码列表.

During TLS negotiation, clients send a list of supported ciphers to the server, the server picks one, and encryption starts. I want to change this cipherlist sent to the server by Android, when I'm using HttpsURLConnection for communication.

我知道我可以在 HttpsURLConnection 对象上使用 setSSLSocketFactory 将其设置为使用 SSLSocketFactory.当我想更改 SSLSocketFactory 返回的 SSLSocket 使用的 trustmanager 等时，这很有用.

I know that I can use setSSLSocketFactory on the HttpsURLConnection object to set it up to use a SSLSocketFactory. This is useful when I want to change the trustmanager etc used by the SSLSocket returned by the SSLSocketFactory.

我知道通常可以使用 SSLParameters 对象编辑此密码套件列表，并使用方法将其传递给 SSlsocket 或 SSLEngine 对象他们提供.

I know that in general this ciphersuite list can be edited using an SSLParameters object and passing it to SSlsocket or SSLEngine objects using the methods they provide.

但是 SSLSocketFactory 似乎没有公开这样的方法！

BUT the SSLSocketFactory does not seem to expose such methods!

我找不到一种方法来更改由我传递给 HttpsURLConnectionSSLSocketFactory 创建的返回的 SSLSocket 对象的 SSLParameters/代码>.

I cannot find a way to change the SSLParameters of the returned SSLSocket objects created by the SSLSocketFactory I pass to HttpsURLConnection.

怎么办?

我想这也与 Java 相关，而不仅仅是 Android.也许有一种面向对象的方式来做到这一点(例如，扩展 SSLSocketFactory 并将其提供给 HttpsURLConnection?)

I guess this is also relevant to Java in general, not only Android. Maybe there's an OO way to do it (e.g. extend SSLSocketFactory and provide that to HttpsURLConnection?)

推荐答案

这段代码有点原始.请谨慎使用.

This piece of code is a bit raw. please use with care.

public class PreferredCipherSuiteSSLSocketFactory extends SSLSocketFactory {


private static final String PREFERRED_CIPHER_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA";

private final SSLSocketFactory delegate;

public PreferredCipherSuiteSSLSocketFactory(SSLSocketFactory delegate) {

    this.delegate = delegate;
}

@Override
public String[] getDefaultCipherSuites() {

    return setupPreferredDefaultCipherSuites(this.delegate);
}

@Override
public String[] getSupportedCipherSuites() {

    return setupPreferredSupportedCipherSuites(this.delegate);
}

@Override
public Socket createSocket(String arg0, int arg1) throws IOException,
        UnknownHostException {

    Socket socket = this.delegate.createSocket(arg0, arg1);
    String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
    ((SSLSocket)socket).setEnabledCipherSuites(cipherSuites);

    return socket;
}

@Override
public Socket createSocket(InetAddress arg0, int arg1) throws IOException {

    Socket socket = this.delegate.createSocket(arg0, arg1);
    String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
    ((SSLSocket)socket).setEnabledCipherSuites(cipherSuites);

    return socket;
}

@Override
public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3)
        throws IOException {

    Socket socket = this.delegate.createSocket(arg0, arg1, arg2, arg3);
    String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
    ((SSLSocket)socket).setEnabledCipherSuites(cipherSuites);

    return socket;
}

@Override
public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
        throws IOException, UnknownHostException {

    Socket socket = this.delegate.createSocket(arg0, arg1, arg2, arg3);
    String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
    ((SSLSocket)socket).setEnabledCipherSuites(cipherSuites);

    return socket;
}

@Override
public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
        int arg3) throws IOException {

    Socket socket = this.delegate.createSocket(arg0, arg1, arg2, arg3);
    String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
    ((SSLSocket)socket).setEnabledCipherSuites(cipherSuites);

    return socket;
}

private static String[] setupPreferredDefaultCipherSuites(SSLSocketFactory sslSocketFactory) {

    String[] defaultCipherSuites = sslSocketFactory.getDefaultCipherSuites();

    ArrayList<String> suitesList = new ArrayList<String>(Arrays.asList(defaultCipherSuites));
    suitesList.remove(PREFERRED_CIPHER_SUITE);
    suitesList.add(0, PREFERRED_CIPHER_SUITE);

    return suitesList.toArray(new String[suitesList.size()]);
}

private static String[] setupPreferredSupportedCipherSuites(SSLSocketFactory sslSocketFactory) {

    String[] supportedCipherSuites = sslSocketFactory.getSupportedCipherSuites();

    ArrayList<String> suitesList = new ArrayList<String>(Arrays.asList(supportedCipherSuites));
    suitesList.remove(PREFERRED_CIPHER_SUITE);
    suitesList.add(0, PREFERRED_CIPHER_SUITE);

    return suitesList.toArray(new String[suitesList.size()]);
}
}

当你想使用它时.

            HttpsURLConnection connection = (HttpsURLConnection) (new URL(url))
                .openConnection();
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManager tm[] = {new SSLPinningTrustManager()};
        context.init(null, tm, null);
        SSLSocketFactory preferredCipherSuiteSSLSocketFactory = new PreferredCipherSuiteSSLSocketFactory(context.getSocketFactory());
        connection.setSSLSocketFactory(preferredCipherSuiteSSLSocketFactory);
                    connection.connect();

谢谢.

这篇关于使用HttpsURLConnection时如何覆盖Android发送到服务器的密码列表?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！