SSL : Java Glossary

SSL
SSL (Secure Sockets Layer) is the protocol used to communicate over an encrypted connection and to authenticate none, one or both of the participants. There are two versions: SSL version 2 (SSL v2) and SSL version 3 (SSL v3). SSL v3 is more flexible and safer than SSL v2. It works by the website sending its X.509 v3 certificate, containing its public key, to your browser. That allows session keys to be exchanged to encrypt the following traffic.

The magic of SSL is that there need be no a priori secret password or private key shared between the two, though there optionally could be a login process. The two ends can set up a secure channel between themselves, even if they have never met before, even if there is someone snooping on the whole process! SSL uses ponderous public/private key techniques to exchange high speed symmetric keys for encrypting the bulk of the traffic.

The nice feature about SSL is that it can use different lengths of key for different purposes. This allows it to get around the foolish US laws that restrict long keys for privacy but allow them for identification and data integrity checking. SSL will still work even if the client does not have a certificate. SSL encryption software for export is limited by a U.S. law to 512-bit public keys and 40-bit private keys, even though the knowledge to build such software is freely available globally.

If you create an Applet and run it from within Netscape, you can successfully open a URL connection with "https://www.charlie.com/…". Netscape takes care of all the SSL stuff for you. If you create an application client that runs outside of a browser, you will have to perform all the SSL yourself.

There is SSLithium, which is licensed for non-commercial use only; iSaSiLk, which is commercially available and was the basis for the international offering from Entrust; and JForge (which uses the www.aba.net.au JCE (Java Cryptography Extension)). In the US, and available on ftp.replay.com, are a TLS (Transport Layer Security) (SSL 3.1) implementation called pureTLS, and the early access Sun JSSE (Java Secure Socket Extension). Phaos makes SSLava.

With Java 1.4.1+ SSL is built-in via JSSE. See the javax.net.ssl class.

The common name in the SSL certificate must be a fully-qualified domain name, or Java won’t recognise the match. If you have a website with many domains, you need a wildcard certificate to cover the related domains, or a separate certificate for each domain.

Beware there are three SSL packages: javax.net.ssl, com.sun.net.ssl, com.sun.net.ssl.internal.www.protocol.https. Normally, you should not be messing with com.sun packages.

The software to handle SSL in Java is called JSSE, and is not considered part of JCE.

SSL chews up huge amounts of the server’s CPU (Central Processing Unit) time. One solution is an SSL hardware box that acts as a proxy server.

To connect as a client in HTTPS (Hypertext Transfer Protocol over SSL (Secure Socket Layer)), you connect just like a regular HTTP (Hypertext Transfer Protocol) connection. However, you have to give the SSL library access to your collection of certificate authority certificates so your client can validate server certificates:

java -Djavax.net.ssl.trustStore=myCertStore.jks -Djavax.net.ssl.trustStorePassword=sesame -jar MyClient.jar
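The same trust-store setup done programmatically with JSSE, as an added example that is not from the original page: it loads a JKS trust store, keeps the default hostname check (the certificate name must match the host, as noted above), and reports the negotiated cipher suite and server certificate. The file name, password and URL are assumed placeholders.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustedHttpsClient {

    /** Build an SSLContext that trusts only the CA certificates in the given JKS file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: same effect as
        // -Djavax.net.ssl.trustStore=myCertStore.jks -Djavax.net.ssl.trustStorePassword=sesame
        SSLContext ctx = contextFromTrustStore("myCertStore.jks", "sesame".toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://www.charlie.com/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: a certificate whose name does not
        // match the host fails here, as does a chain not rooted in the trust store
        // (SSLHandshakeException), rather than being silently accepted.
        conn.connect();
        System.out.println("HTTP status: " + conn.getResponseCode());
        System.out.println("Cipher suite: " + conn.getCipherSuite());
        for (Certificate c : conn.getServerCertificates()) {
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("Cert subject: " + x.getSubjectX500Principal().getName());
            }
        }
        conn.disconnect();
    }
}
```

Never replace the trust managers or hostname verifier with ones that accept everything to make a handshake "work"; fix the trust store or the certificate name instead.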

IETF (Internet Engineering Task Force) manages SSL, and has renamed it TLS. People still usually refer to it as SSL. Properly, TLS refers to the newer versions of the protocol and SSL to the older.

Other than the initial DNS (Domain Name Service) lookup, everything with https: is encrypted, including the URL (Uniform Resource Locator) you are requesting. That is why Wireshark cannot snoop.

Oracle’s Javadoc on SSLSocket class
Oracle’s Technote Guide on JSSE — Java Secure Socket Extension


You can get the freshest copy of this page from: http://mindprod.com/jgloss/ssl.html
Please email your letters to the editor, errors, omissions, typos, formatting errors, ambiguities, unclear wording, broken/redirected link reports, suggestions to improve this page or comments to Roedy Green. If you want your message, your name or email kept confidential, not considered for public posting, please explicitly specify that. Unless you state otherwise, I will treat your message as a letter to the editor that I may or may not publish in the feedback section. After that, it will be too late to retract it. If you disagree with something I said, please quote it and cite the web page where you found it, tell me why you think it is wrong, and, if possible, provide some supporting evidence. Threatening to kill me or spouting obscenities has yet to persuade me to change my mind.