Hi! I made a new subclass of XMPPConnection that uses SSL/TLS but allows you to pass in a X509Certificate[] for verification. I wrote it to do some server cert checking, if the cert is not signed by one of the CA certs known to Java.
As a bonus, it lets you specify the hostname (or IP) for the socket connection separately from the XMPP-level hostname.
It requires XMPPConnection’'s constructor to be public, though - unless you fold this into the class.
Get it at:
Can you give an example of how this could be used to make a secure connection to jabber.org (their certificate is not trusted, and gives smack problems when trying to connect) ?
Thanks,
Adam
I thought Smack’‘s SSLXMPPConnection ignores any certificates? Sorry, I haven’'t tested against jabber.org (or any public server).
If you do want check, you can grab jabber.org’‘s certificate using a “trusting” SSL connection, then save it. I’'ll try to post code tomorrow if you still need it.
Yeah, I’‘ve saved the certificate… but I’‘m not sure what to do with it. I used keytool -import, but that didn’'t seem to accomplish anything.
I think this will work…
You can load the KeyStore from the keystore file, and get the Certificate from that. If you saved it as “jabber.org”, then:
keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(inputStream, keyStorePassword);
certificate = keyStore.getCertificate(“jabber.org”);
Then, pass in the Certificate in the Certificate[] that my SecureTrustManager constructor takes in:
X509Certificate[] certs = new X509Certificate[] { (X509Certificate) certificate };
SecureTrustManager secureTrustManager = new SecureTrustManager(certs);
XMPPConnection connection = new SecureXMPPConnection(“jabber.org”, “jabber.org”, 5223, secureTrustManager);
I haven’‘t tested it yet. But I’'m sure people want to have a method to add a certificate to the SecureTrustManager. At least I like such methods. addSertificate(X509Certificate cert)
Regards,
Mark Monster
Definitely. I wrote the code for a “private” XMPP network where my employer will be the root CA.
Miguel,
This is a cool feature, and it seems like it should be incorporated into the default SSL connection class as a standard feature. We’‘ll probably want to allow additional options like just accepting the standard root CA’‘s only (the root CA’‘s installed into the VM), etc. I’'ve scheduled work on this for the Smack 1.3 release as:
url http://www.jivesoftware.com/issues/secure/ViewIssue.jspa?key=SMACK-89
SMACK-89[/url]
We’'d definitely love your help as work begins (the current code you posted will be used as a basis).
Regards,
Matt
Here’‘s probably the clearest explanation I’'ve seen on implementing custom SSL connections:
http://www-106.ibm.com/developerworks/java/library/j-customssl/
could you please attach whole source code?
Do you really hope to get response 15 years later?
i am really optimisic at this time all doors are closed for me so reading each and every thread if some one can give me a hint how to proceed i am absolutly clue less.