Read IPs from SSLEngine session
When SSLEngine is used, the IPs cannot be retrieved from the socket or stream
proxies, so they are stored in the SSLEngine session instead.

This is an extension to the standard because the SSLEngine should be
unaware of the underlying communication but it is needed for the audit.
fmarco76 committed Aug 30, 2023
1 parent 4b38d5a commit de6ec25
Showing 1 changed file with 35 additions and 11 deletions.
Expand Up @@ -81,7 +81,7 @@ public void alertReceived(SSLAlertEvent event) {

try {
SSLSocket socket = event.getSocket();
JSSEngine engine = event.getEngine();
JSSEngine sslEngine = event.getEngine();

InetAddress clientAddress = null;
InetAddress serverAddress = null;
Expand All @@ -107,8 +107,8 @@ public void alertReceived(SSLAlertEvent event) {
Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
} else {
if(engine != null) {
JSSSession session = engine.getSession();
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
if(session != null) {
Certificate[] certs = session.getPeerCertificates();
if(certs != null) {
Expand All @@ -117,6 +117,12 @@ public void alertReceived(SSLAlertEvent event) {
subjectID = cert.getSubjectDN().toString();
}
}
if(session.getRemoteAddr() != null) {
clientIP = session.getRemoteAddr();
}
if(session.getLocalAddr() != null) {
serverIP = session.getLocalAddr();
}
}
}
}
Expand Down Expand Up @@ -151,7 +157,7 @@ public void alertSent(SSLAlertEvent event) {

try {
SSLSocket socket = event.getSocket();
JSSEngine engine = event.getEngine();
JSSEngine sslEngine = event.getEngine();

int description = event.getDescription();
String reason = "serverAlertSent: " + SSLAlertDescription.valueOf(description).toString();
Expand All @@ -173,14 +179,20 @@ public void alertSent(SSLAlertEvent event) {
serverIP = (String)info.get("serverIP");
subjectID = (String)info.get("subjectID");
} else {
if(engine != null) {
JSSSession session = engine.getSession();
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
if(session != null) {
Certificate[] certs = session.getPeerCertificates();
if(certs != null) {
X509Certificate cert = (X509Certificate) certs[0];
subjectID = cert.getSubjectDN().toString();
}
if(session.getRemoteAddr() != null) {
clientIP = session.getRemoteAddr();
}
if(session.getLocalAddr() != null) {
serverIP = session.getLocalAddr();
}
}
}
}
Expand All @@ -205,8 +217,8 @@ public void alertSent(SSLAlertEvent event) {
subjectID = subjectDN == null ? "" : subjectDN.toString();

} else {
if(engine != null) {
JSSSession session = engine.getSession();
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
if(session != null) {
Certificate[] certs = session.getPeerCertificates();
if(certs != null) {
Expand All @@ -215,6 +227,12 @@ public void alertSent(SSLAlertEvent event) {
subjectID = cert.getSubjectDN().toString();
}
}
if(session.getRemoteAddr() != null) {
clientIP = session.getRemoteAddr();
}
if(session.getLocalAddr() != null) {
serverIP = session.getLocalAddr();
}
}
}
}
Expand Down Expand Up @@ -250,7 +268,7 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {

try {
SSLSocket socket = event.getSocket();
JSSEngine engine = event.getEngine();
JSSEngine sslEngine = event.getEngine();

InetAddress clientAddress = null;
InetAddress serverAddress = null;
Expand Down Expand Up @@ -278,8 +296,8 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
info.put("subjectID", subjectID);
socketInfos.put(socket, info);
} else {
if(engine != null) {
JSSSession session = engine.getSession();
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
if(session != null) {
Certificate[] certs = session.getPeerCertificates();
if(certs != null) {
Expand All @@ -289,6 +307,12 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
}
}
}
if(session.getRemoteAddr() != null) {
clientIP = session.getRemoteAddr();
}
if(session.getLocalAddr() != null) {
serverIP = session.getLocalAddr();
}
}
}
logger.debug("PKIServerSocketListener: Handshake completed:");
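Review bot: Each of the four new `if(session.getRemoteAddr() != null)` / `getLocalAddr()` blocks copies the session address only when one is present, so when the transport layer never stored addresses in the session (the description calls this an optional extension) clientIP and serverIP silently keep whatever they were initialised to above the hunk, and the audit record presumably cannot tell "peer address unknown" from a real address. I would make the absence visible at the point it is detected, e.g. `if (session.getRemoteAddr() == null) logger.debug("PKIServerSocketListener: no remote address stored in SSLEngine session");`, or record an explicit sentinel that the audit consumer recognises, since an audit entry with a misleading IP is worse than one with none. The same six lines are repeated in all four hunks and each getter is called twice; a private helper such as `clientIP = firstNonNull(session.getRemoteAddr(), clientIP);` with `firstNonNull` returning its first argument when non-null would remove the repetition and the double call. The enclosing methods alertReceived, alertSent and handshakeCompleted all start and end outside the hunks shown.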
