I am currently working on a client/server TLS tool that requires us to connect through firewalls. For reasons that are outside our control, we are only granted an outgoing TCP connection.
The problem is that our client's firewall blocks the client Hello v2 message (and possibly the whole SSL handshake).
Is there a way to obfuscate the stream in some manner? I was thinking about trying to use compression to make the stream unreadable to the firewall. (Maybe using JDK7's GzipOutputStream which now allows for syncFlush flushing)
I am no SSL expert but it seems to me it should be possible to translate the whole stream which should make it impossible for the firewall to pick up the connection and block it.
As far as I can see, there are a few (two?) ways to go about this :
The first option didn't work out for me as I am unable to find the source code of com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl, which is the default implementation. I did browse the openJDK source code for it, but even there, the sources appear to be missing.
Implementing a SSLServerSocketFactory is beyond my capabilities. As I said I am no SSL expert.
Please note that the application does work fine through other, less agressive firewalls / firewall rules.
Compressing an encrypted stream is not useful, where you actually only want some masking to avoid your firewall.
On the client side, you can use the SSLSocketFactory's method createSocket(socket, host, port, autoclose) to create a SSL socket based on another socket - and this another socket can get your special SocketImpl implementation, doing a simple XOR-masking on the first some bytes.
On the server side, it is more complicated, since the SSLServerSocketFactory has no such method.
In a answer to Java RMI + SSL + Compression = IMPOSSIBLE!, I described how to build a delegating Socket factory. There it was done for a Rmi(Client|Server)SocketFactory, but it would work in an analogous way for a ServerSocketFactory or SocketFactory.
But of course it could be that your firewall is not actually blocking SSL traffic, but blocking anything that is not whitelisted (like HTTP). Before building your wrapping socket implementation, try if a simple socket+serversocket which sends some random data and receives them back even works.