Unsigned applet and SSL

Pratul Chatterjee

I am trying to add SSL support to an existing unsigned applet. The applet
only opens a connection back to the originating web server and works fine.
Some of our clients prefer unsigned rather than signed applets for their
restricted privileges as part of their corporate security policies. So
signing the applet is not an immediate option.

I have added a new class in the applet. Just copying a few lines from this
class for discussion:

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
SSLSocketFactory sslFact = (SSLSocketFactory) SSLSocketFactory.getDefault();
mySSLSocket = (SSLSocket) sslFact.createSocket(myIPAddress, mySSLPort);
mySSLSocket.setEnabledCipherSuites(mySSLSocket.getSupportedCipherSuites());
mySSLSocket.setSoTimeout(mySocketTimeout);
myInputStream = mySSLSocket.getInputStream();

I have done some experiments on a Windows Server 2003 machine with IIS 6 and
SelfSSL. Switching on SSL on this server was straightforward.

On my client machine (i.e. Windows XP SP1, Internet Explorer
6.0.2800.xpsp2.030422-1633 and Sun JVM 1.4.1_01), I had to do the following
for the new applet to work:

1) Save the server's certificate and add it to the Java certificate
keystore.
2) Add the following line to java.policy:
permission java.security.SecurityPermission "insertProvider.SunJSSE";

Unlike my SelfSSL certificate, our production servers will carry proper
certificates, which could be verified by VeriSign/Thawte. Please let me
know if a proper certificate is enough to avoid step 1.

I also want to avoid step 2 by changing my code if possible. Please advise
me if you have any previous experience in this area.

Many thanks

Pratul Chatterjee

Rogan Dawes

Pratul said:
> I am trying to add SSL support to an existing unsigned applet. The applet
> only opens a connection back to the originating web server and works fine.
> Some of our clients prefer unsigned rather than signed applets for their
> restricted privileges as part of their corporate security policies. So
> signing the applet is not an immediate option.
>
> I have added a new class in the applet. Just copying a few lines from this
> class for discussion:
>
> Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
> SSLSocketFactory sslFact = (SSLSocketFactory) SSLSocketFactory.getDefault();
> mySSLSocket = (SSLSocket) sslFact.createSocket(myIPAddress, mySSLPort);
> mySSLSocket.setEnabledCipherSuites(mySSLSocket.getSupportedCipherSuites());
> mySSLSocket.setSoTimeout(mySocketTimeout);
> myInputStream = mySSLSocket.getInputStream();
>
> I have done some experiments on a Windows Server 2003 machine with IIS 6 and
> SelfSSL. Switching on SSL on this server was straightforward.
>
> On my client machine (i.e. Windows XP SP1, Internet Explorer
> 6.0.2800.xpsp2.030422-1633 and Sun JVM 1.4.1_01), I had to do the following
> for the new applet to work:
>
> 1) Save the server's certificate and add it to the Java certificate
> keystore.
> 2) Add the following line to java.policy:
> permission java.security.SecurityPermission "insertProvider.SunJSSE";
>
> Unlike my SelfSSL certificate, our production servers will carry proper
> certificates, which could be verified by VeriSign/Thawte. Please let me
> know if a proper certificate is enough to avoid step 1.

It should be. Make sure that you choose a CA that has their certificates
in most of the popular browsers.

> I also want to avoid step 2 by changing my code if possible. Please advise
> me if you have any previous experience in this area.

Check if you have to add the

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

line. I haven't needed this line in the applications that I have written
(not applets, though). What version of Java are you using/targeting?

> Many thanks
>
> Pratul Chatterjee

Regards,

Rogan

Roedy Green

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider())

using sun.* classes is considered naughty. You will get a security
violation unless the policy file allows it.

Can you get the class without the sun name?

Try http://mindprod.com/jgloss/bouncycastle.html

In a pinch try decompiling the code and recompiling with a different
package name, probably illegal.

Pratul Chatterjee

Rogan and Roedy

Many thanks for your replies. I have removed the Security.addProvider
line and now it works without throwing any security exception.

Roedy

The URL link you supplied is broken. I found a number of pages in
your Mindprod website referring to bouncycastle. It would be great if
you could resend the correct link.

Pratul
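The connect-back described in this thread, written the way a defender would want it, as an added example that is not code from any post above: the default SSLSocketFactory is used on its own (no Security.addProvider, so no insertProvider permission in java.policy), the cipher suites are filtered instead of enabling everything supported, and the leaf certificate's name is checked against the host. The class and method names are my own, and the host is assumed to be the applet's code base host.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class AppletTlsClient { // hypothetical helper for an unsigned applet, not thread code
    // Enabling every *supported* suite, as the posted snippet does, also enables anonymous
    // (DH_anon) suites, so a handshake can succeed with no certificate at all. Keep only strong ones.
    static String[] selectStrongSuites(String[] supported) {
        List keep = new ArrayList();
        for (int i = 0; i < supported.length; i++) {
            String s = supported[i];
            if (s.indexOf("_anon_") >= 0 || s.indexOf("_NULL_") >= 0 || s.indexOf("_EXPORT") >= 0
                    || s.indexOf("_RC4_") >= 0 || s.indexOf("_DES_") >= 0) {
                continue;
            }
            keep.add(s);
        }
        return (String[]) keep.toArray(new String[keep.size()]);
    }

    // A raw SSLSocket does not check that the certificate was issued for the host we dialled,
    // so compare the leaf certificate's CN ourselves (simplified: no SAN or wildcard handling).
    static void checkHostname(SSLSocket socket, String host) throws IOException {
        X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
        String dn = leaf.getSubjectDN().getName();
        int cn = dn.indexOf("CN=");
        String name = cn < 0 ? "" : dn.substring(cn + 3).split(",")[0].trim();
        if (!name.equalsIgnoreCase(host)) {
            socket.close();
            throw new SSLPeerUnverifiedException("certificate CN " + name + " != " + host);
        }
    }

    // host is the applet's code base host (getCodeBase().getHost()), the only host an unsigned
    // applet may reach. The default factory uses the JRE's bundled provider and validates the
    // chain against its cacerts store, so a CA certificate already there needs no manual import.
    static SSLSocket connect(String host, int port, int timeoutMs) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setEnabledCipherSuites(selectStrongSuites(socket.getSupportedCipherSuites()));
        socket.setSoTimeout(timeoutMs);
        socket.startHandshake(); // fails here, before any data is sent, on an untrusted chain
        checkHostname(socket, host);
        return socket;
    }
}
```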