pi = ProxyInfo.forNoProxy();
break;
}
// Build the Smack ConnectionConfiguration from whichever of "service name" and
// "hostname/port override" are available. The proxy settings (pi) chosen
// above are passed to every variant.
String serviceName = desc.getServiceName();
final ConnectionConfiguration cfg;
if (serviceName == null) {
// No service name: configure from hostnameOverride and port only.
// NOTE(review): hostnameOverride is not null-checked on this path - confirm
// the caller guarantees it is set whenever the service name is missing.
cfg = new ConnectionConfiguration(
this.hostnameOverride, this.port, pi);
} else if (this.hostnameOverride == null) {
// uses DNS lookup, to get the actual hostname for this service:
cfg = new ConnectionConfiguration(serviceName, pi);
} else {
// Both are known: connect to the override host/port, but keep the service
// name in the configuration.
cfg = new ConnectionConfiguration(
this.hostnameOverride, this.port,
serviceName, pi);
}
// Currently, we handle reconnects ourselves.
// Maybe we should change it in the future, but currently I'm
// not sure what Smack's reconnect feature really does.
cfg.setReconnectionAllowed(false);
// NOTE(review): the Smack debugger is switched on unconditionally.
// Presumably it dumps the raw XMPP stream, which can include the
// authentication exchange and message bodies - confirm where that output
// goes and consider gating this behind a debug setting.
cfg.setDebuggerEnabled(true);
// TLS peer verification. The two branches differ fundamentally:
// - acceptAllCerts == true : certificate chain AND hostname checks are both
// disabled, so the server is not authenticated at all.
// - acceptAllCerts == false: an explicit hostname verifier is installed; no
// custom SSLContext is set on this path, so chain validation is presumably
// left to the library/JRE default trust store - TODO confirm.
if (acceptAllCerts) {
// SECURITY: with this option the connection is encrypted but the peer is
// unauthenticated. Anyone able to intercept the connection can present an
// arbitrary certificate and will be accepted, exposing the credentials and
// all traffic sent afterwards. Treat it as a test/lab setting only; for
// servers with a private or self-signed certificate prefer a trust store
// (or pin) containing that certificate instead of disabling validation.
// NOTE(review): nothing visible here logs or otherwise surfaces that
// validation is off - consider a WARN log so the setting is noticed.
// TODO Smack 4.1 provides TLSUtil.acceptAllCertificates, replace
// the code here with the code provided by Smack
SSLContext context = SSLContext.getInstance("TLS");
// Install an "accept all" trust manager
X509TrustManager tm = new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] arg0,
String arg1) throws CertificateException {
// Never throws: every client certificate chain is treated as trusted.
}
@Override
public void checkServerTrusted(X509Certificate[] arg0,
String arg1) throws CertificateException {
// Never throws: every server certificate chain is treated as trusted
// (expired, self-signed, wrong issuer - nothing is rejected).
}
@Override
public X509Certificate[] getAcceptedIssuers() {
// No issuers are advertised.
return new X509Certificate[0];
}
};
// No key managers (null), only the accept-all trust manager above.
context.init(null, new TrustManager[] { tm }, new SecureRandom());
cfg.setCustomSSLContext(context);
// Hostname check is disabled as well: any certificate subject is accepted
// for any host.
cfg.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
});
} else {
// TODO This hostname verifier is the default in Smack 4.1 when
// smack-java7 is used, remove the code once Smack 4.1 is used
cfg.setHostnameVerifier(new HostnameVerifier() {
/**
 * Accepts the session only if the peer's identity matches
 * {@code hostname}: either the first peer certificate is an X.509
 * certificate that matches the name, or (when the peer is not
 * certificate-verified) the peer principal is a Kerberos principal
 * that matches it. Every other outcome yields {@code false}.
 */
@Override
public boolean verify(String hostname, SSLSession session) {
// NOTE(review): HostnameChecker is presumably the JDK-internal
// sun.security.util class (import not visible here) - confirm it is
// accessible on the targeted Java runtime.
HostnameChecker checker = HostnameChecker
.getInstance(HostnameChecker.TYPE_TLS);
boolean validCertificate = false, validPrincipal = false;
try {
Certificate[] peerCertificates = session
.getPeerCertificates();
// Only the first certificate in the array is matched against the
// hostname.
if (peerCertificates.length > 0
&& peerCertificates[0] instanceof X509Certificate) {
X509Certificate peerCertificate = (X509Certificate) peerCertificates[0];
try {
checker.match(hostname, peerCertificate);
// Certificate matches hostname
validCertificate = true;
} catch (CertificateException ex) {
// Certificate does not match hostname; validCertificate stays
// false, so the mismatch is a rejection, not an ignored error.
}
} else {
// Peer does not have any certificates or they
// aren't X.509
}
} catch (SSLPeerUnverifiedException ex) {
// Not using certificates for peers, try verifying the
// principal
try {
Principal peerPrincipal = session
.getPeerPrincipal();
if (peerPrincipal instanceof KerberosPrincipal) {
validPrincipal = HostnameChecker.match(
hostname,
(KerberosPrincipal) peerPrincipal);
} else {
// Can't verify principal, not Kerberos
}
} catch (SSLPeerUnverifiedException ex2) {
// Can't verify principal, no principal
}
}
// Fail closed: both flags start out false and are only set on a
// successful match.
return validCertificate || validPrincipal;
}
});
}
// Log the connection target: service name, whether compression is enabled,
// and - if a proxy is configured - its type, address and port.
// NOTE(review): the literal "/" directly after "on " looks like a leftover
// from a removed host part of the message - confirm the intended format.
// NOTE(review): the message does not say whether certificate validation is
// disabled (acceptAllCerts); including that would make insecure connections
// visible in the logs.
LOGGER.info("Trying to connect to XMPP on "
+ "/" + cfg.getServiceName()
+ (cfg.isCompressionEnabled() ? " using compression" : "")
+ (pi.getProxyType() != ProxyInfo.ProxyType.NONE ? " via proxy " + pi.getProxyType() + " "
+ pi.getProxyAddress() + ":" + pi.getProxyPort() : "")
);
boolean retryWithLegacySSL = false;