Help with SSLSocket and friends

  • Thread starter Martin Gregorie

Martin Gregorie

Can anybody point me to a tutorial or example showing how to create a
concrete SSL Socket class and the correct sequence to follow to start
and end a connection?

I've found a fairly brief tutorial on the JavaWorld website, written in
2001, but that was all a web search turned up. Is there anything better
or more recent?

TIA
 

Arne Vajhøj

Martin said:
Can anybody point me to a tutorial or example showing how to create a
concrete SSL Socket class and the correct sequence to follow to start
and end a connection?

I've found a fairly brief tutorial on the JavaWorld website, written in
2001, but that was all a web search turned up. Is there anything better
or more recent?

Client:

SSLContext sslctx = SSLContext.getInstance("SSL");
sslctx.init(null, new X509TrustManager[] { new MyTrustManager() }, null);
Socket tmp = new Socket("localhost", port);
SSLSocketFactory sf = sslctx.getSocketFactory();
SSLSocket s = (SSLSocket)sf.createSocket(tmp, host, port, true);

and

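import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

class MyTrustManager implements X509TrustManager
{
    // Empty body: no client certificate is ever rejected.
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }
    // Empty body: any server certificate is accepted without validation.
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}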

Server:

SSLServerSocketFactory ssf =
(SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
SSLServerSocket ss = (SSLServerSocket)ssf.createServerSocket(port5);
SSLSocket s = (SSLSocket)ss.accept();

and

java -Djavax.net.ssl.keyStore=server.jks -Djavax.net.ssl.keyStorePassword=xxxx YourClass

works.

Arne
 

Daniele Futtorovic

Can anybody point me to a tutorial or example showing how to create a
concrete SSL Socket class and the correct sequence to follow to
start and end a connection?

I've found a fairly brief tutorial on the JavaWorld website, written
in 2001, but that was all a web search turned up. Is there anything
better or more recent?

TIA

Dunno about that, but what kind of help do you need with friends? Come
on, you can tell me. Hm? Hm?
 

Martin Gregorie

Thanks to all of you. Arne's example code and Knute's reference will
take me where I need to go.

My current subproject is to build a security module and associated
server to handle an application's initial login and to prompt for
re-authorization if it's been idle for a configurable period. The
password will be stored in encrypted form. But, as Lasse pointed out
elsewhere, some form of connection encryption would be a good idea too
even though I anticipate that the connection will be across a private
network.

My immediate thought is to use SSL because it's "already there", but as
it requires certificate management I'm wondering if that's overkill
because each session will usually handle only a single small message
pair before it disconnects. OTOH, SSL does offer the possibility of
making a fairly bullet-proof OS-agnostic application authentication
system that's reusable. Plus, it will make initial development easy
because I can get the client/server combo running on plain sockets and
then convert these to SSL without disrupting the logic in client or server.

The alternative could range upward in complexity from sticking with
plain sockets and using the equivalent of the old M$ configuration
obscuring with "XOR with 0x40" to obfuscate the messages.

The information I now have will, hopefully, be enough to decide which
way to jump. Thanks guys.
 

EJP

Arne said:
class MyTrustManager implements X509TrustManager

Note that this thing is insecure as it omits the vital authentication
step. Basically you are holding a secret conversation in a darkened room
with someone you cannot identify. It is not secure. See RFC2246.

If you want to bypass authentication it is simpler and more explicit to
enable a non-authenticating cipher suite at both ends.

There are SSLSocket samples in the Javadoc/Guide to
Features/Security/JSSE Reference Guide.
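
The authentication step discussed above, as an added example that is not part of any post in this thread: a client that validates the server's certificate against a trust store and checks the host name, with the start and end of the connection marked. The class name, the trust store file and the command-line arguments are assumptions; the trust store is assumed to hold the certificate exported from the server's key store (or its issuing CA), and that certificate is assumed to name the host being connected to.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.*;

// Added example, hypothetical names throughout.
// Run as: java VerifiedTlsClient <host> <port> <truststore-file> <truststore-password>
public class VerifiedTlsClient {

    // Build a context whose trust decisions come from the given trust store
    // instead of an accept-everything X509TrustManager.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLContext ctx = contextFor(args[2], args[3].toCharArray());

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Chain validation alone does not bind the certificate to the host
            // name; endpoint identification adds that check.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);

            // Start: handshake explicitly so a rejected certificate surfaces
            // here as SSLHandshakeException, before any data is written.
            s.startHandshake();

            OutputStream out = s.getOutputStream();
            out.write("hello\n".getBytes(StandardCharsets.UTF_8)); // constructed sample message
            out.flush();
            BufferedReader in = new BufferedReader(
                new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
            System.out.println("server replied: " + in.readLine());
        } // End: close() sends close_notify and releases the socket.
    }
}
```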
 
