Hot questions for Using Transmission Control Protocol in ssl

Question:

Edit: Removed startHandshake(); as it's irrelevant to the question and rarely needed (for example, not in my case)

I have a rather specific and rare client-server protocol (over TCP). I've implemented it using SSLSocket. Now, I foresee that I might need to use the same protocol over an un-encrypted connection.

My problem is that the class implementing the protocol has a field: public SSLSocket currentSocket; (and then the methods in my client class do all sorts of .read(), .write(), flush()...)

I thought about changing the field type, like so: public Socket currentSocket; However, then, the problem is that my connection procedure is incompatible:

public static void connect () {
currentSocket = SslUtils.getSSLsocket(host, port, keystoreFile, keystorePass, pkPass);
...
  • java.net.Socket 's default constructor obviously doesn't accept keystore stuff

I don't want to re-implement my whole client just for this difference...

  • One thought I have is, when I need a plaintext Socket, to create an SSLSocket with no encryption. I don't know if that's a professional way of doing it or if it will even work (the server will expect a plaintext client socket in the new use case)

  • My other idea is to define two fields, one for plaintext socket, one for SSL socket and then use logic to link the in/out streams to the correct field, as needed. However, that will result in a "hanging" field. If you use SSL, there will be a redundant field Socket plaintextSocket and vice-versa...

Is there a way to make my currentSocket field more abstract, so that I can define it in the same client, then instruct a slightly different client code path depending on a known variable (something like needSSLsocket=true) for the instantiation and connection?


Answer:

SSLSocket extends Socket, so you can assign an SSLSocket object to a Socket variable. You are right to change your currentSocket field to a Socket. Simply use another variable to handle the SSLSocket when needed, eg:

public static void connect () {
    if (needSSLsocket) {
        SSLSocket ssl = SslUtils.getSSLsocket(host, port, keystoreFile, keystorePass, pkPass);
        ssl.startHandshake();
        ...
        currentSocket = ssl;

        /* or:
        currentSocket = SslUtils.getSSLsocket(host, port, keystoreFile, keystorePass, pkPass);
        ((SSLSocket) currentSocket).startHandshake();
        ...
        */
    } else {
        currentSocket = new Socket(host, port);
    }
    ...
}

Question:

I'm currently working on a Java server platform for a school project. I'm using SSL TCP Sockets to do the communication and I'm in the stage of developing the JSon protocol between client and server.

My question is whether the messages in the protocol should contain a unique id or if using if the SSL TCP Sockets will be enough to avoid repetition attacks.


Answer:

No. SSL is immune to replay attacks