...

This compliant solution uses SSLSocket to protect packets using the SSL/TLS security protocols.


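// Exception handling has been omitted for the sake of brevity
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
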
class EchoServer {
  public static void main(String[] args) throws IOException {
    SSLServerSocket sslServerSocket = null;
    try {
      SSLServerSocketFactory sslServerSocketFactory =
          (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
      sslServerSocket = (SSLServerSocket) sslServerSocketFactory.
                        createServerSocket(9999);
      SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
      PrintWriter out = new PrintWriter(sslSocket.getOutputStream(),true);
      BufferedReader in = new BufferedReader(
          new InputStreamReader(sslSocket.getInputStream()));
      String inputLine;
      while ((inputLine = in.readLine()) != null) { 
        System.out.println(inputLine); 
        out.println(inputLine); 
      } 
    } finally {
      if (sslServerSocket != null) {
        try {
          sslServerSocket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}

class EchoClient {
  public static void main(String[] args) throws IOException {
    SSLSocket sslSocket = null;
    try {
      SSLSocketFactory sslSocketFactory =
          (SSLSocketFactory) SSLSocketFactory.getDefault();
      sslSocket = 
          (SSLSocket) sslSocketFactory.createSocket("localhost", 9999);
      PrintWriter out = new PrintWriter(sslSocket.getOutputStream(), true);
      BufferedReader in = new BufferedReader(
          new InputStreamReader(sslSocket.getInputStream()));
      BufferedReader stdIn = new BufferedReader(
          new InputStreamReader(System.in));
      String userInput;
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      }
    } finally {
      if (sslSocket != null) {
        try {
          sslSocket.close();
        } catch (IOException x) {
          // handle error
        }
      }
    }
  }
}

Programs that use SSLSocket will block indefinitely if they attempt to connect to a port that is not using SSL. Similarly, a program that does not use SSLSocket will block when attempting to establish a connection through a port that does use SSL.

Note that SSLSocket does not validate host names, so a connection made by providing an arbitrary host name to an SSLSocket is still vulnerable to a man-in-the-middle attack. Host names should be validated separately. The HttpsURLConnection class validates host names and is a suitable solution for secure web sockets.
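One way to validate the host name on a raw SSLSocket, shown as an added example that is not part of the original compliant solution: the client asks JSSE to check the server certificate against the requested host during the handshake, and sets a read timeout so that a peer that never speaks TLS cannot stall it forever. The class name VerifyingEchoClient, the connect helper, and the 10-second timeout are assumptions made for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical client for the EchoServer above (added example).
class VerifyingEchoClient {
  // Connects and completes the TLS handshake, failing with an
  // SSLHandshakeException if the certificate does not match 'host'.
  static SSLSocket connect(String host, int port) throws IOException {
    SSLSocketFactory factory =
        (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
    try {
      SSLParameters params = socket.getSSLParameters();
      // "HTTPS" enables host name matching against the certificate's
      // subject alternative names as part of certificate validation.
      params.setEndpointIdentificationAlgorithm("HTTPS");
      socket.setSSLParameters(params);
      // Assumed value: bounds the handshake and later reads, so a
      // non-TLS peer raises SocketTimeoutException instead of blocking.
      socket.setSoTimeout(10_000);
      socket.startHandshake(); // force validation before any data is sent
      return socket;
    } catch (IOException e) {
      socket.close();
      throw e;
    }
  }

  public static void main(String[] args) throws IOException {
    try (SSLSocket socket = connect("localhost", 9999);
         PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
         BufferedReader in = new BufferedReader(
             new InputStreamReader(socket.getInputStream()));
         BufferedReader stdIn = new BufferedReader(
             new InputStreamReader(System.in))) {
      String userInput;
      while ((userInput = stdIn.readLine()) != null) {
        out.println(userInput);
        System.out.println(in.readLine());
      }
    }
  }
}
```

The server certificate must list the connected name (here localhost) as a subject alternative name and chain to a trusted root, otherwise the handshake is rejected.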

Exceptions

MSC00-EX0: Because of the mechanisms that SSLSocket provides to ensure the secure transfer of packets, significant performance overhead may result. Regular sockets are sufficient when

...
