SSL Socket Connection working even though client is not sending certificate?

Question

I am very new to Cryptography using Java. I have to build a program that exchanges certificate before any data communication takes place. I am using sslSockets to build basic client-server program and I am not using HTTP/S, this is just to get extra security. (Would like to know difference between Socket and SSLSocket.. does it mean everything is automatically encrypted?)

Here's my UPDATED Server Code:

public class SSLServerExample {
    final static String pathToStores = "C:/Users/XXX/Desktop/sslserverclientprogram";
    final static String keyStoreFile = "keystore.jks";
    final static String passwd = "changeit";

    final static int theServerPort = 8443;

    static boolean debug = false;



  public static void main(String args[]) throws Exception {

      String trustFilename = pathToStores + "/" + keyStoreFile;
//    System.out.println("Verifying KeyStore File of Client..");

    System.setProperty("javax.net.ssl.keyStore", trustFilename);
    System.setProperty("javax.net.ssl.keyStorePassword", passwd);
    if (debug)
        System.setProperty("javax.net.debug", "all");
        System.out.println("Setting up SSL parameters");

     // Initialize socket connection
       SSLServerSocketFactory sslssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    SSLServerSocket sslServerSocket = (SSLServerSocket)sslssf.createServerSocket(theServerPort);
    System.out.println("Server Started..Waiting for clients");
    sslServerSocket.setNeedClientAuth(true);
    SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept();
    //sslSocket.startHandshake();
    System.out.println("Client Connected!");

    InputStream sslIS = sslSocket.getInputStream();

        OutputStream sslOS = sslSocket.getOutputStream();
        sslServerSocket.setNeedClientAuth(true);

    final int RSAKeySize = 1024;
    final String newline = "\n";

    Key pubKey = null;
    Key privKey = null; 
    boolean flag = sslSocket.getNeedClientAuth();
    System.out.println("Flag value: "+ flag);

The flag results in False, even though I set it as true and client sends data which is decrypted by the server without authenticating each other.

Am I missing something?

Please help.

PS: My Client code:

public class SSLClientExample {
    final static String pathToStores = "C:/Users/XXX/Desktop/sslserverclientprogram";
    final static String trustStoreFile = "cacerts.jks";
    final static String passwd = "changeit";
    final static String INPUT_FILE = "E:/workspace/input.txt";
    final static String theServerName = "localhost";
    final static int theServerPort = 8443;

    static boolean debug = false;

  public static void main(String args[]) throws Exception {

      String trustFilename = pathToStores + "/" + trustStoreFile;
      System.out.println("Validating KeyStore file of Server..");

    System.setProperty("javax.net.ssl.trustStore", trustFilename);
    System.setProperty("javax.net.ssl.trustStorePassword", passwd);
    if (debug)
        System.setProperty("javax.net.debug", "all");


    SSLSocketFactory sslssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket)sslssf.createSocket(theServerName, 8443);
    System.out.println("Connected to Server!");

Answer 1

You have to invoke sslServerSocket.setNeedClientAuth(true); before accepting incoming client connections. You are modifying the server socket's configuration after the connection has already been established.