SSL : Java Glossary


SSL

Introduction

SSL (Secure Sockets Layer) is the protocol used to communicate over an encrypted connection and to authenticate none, one or both of the participants. There are two versions: SSL version 2 (SSL v2) and SSL version 3 (SSL v3). SSL v3 is more flexible and safer than SSL v2. It works by the website sending its X.509 v3 certificate, containing its public key, to your browser. That allows session keys to be exchanged to encrypt the traffic that follows.

SSL has almost completely been replaced with TLS (Transport Layer Security), though nearly everyone improperly refers to TLS as SSL.

If a TLS 1.2 socket and a TLS 1.0 socket get together, normally they would start a new TLS 1.0 connection.

Levels

SSL is not used anymore. They foolishly renamed it to TLS to cause confusion. Nearly everyone still uses the old name.

The JSSE (Java Secure Socket Extension) implementation shipped with the JDK (Java Development Kit) still supports SSL 3.0 (the most primitive). Java uses TLS 1.2 by default. 1.2 is backward compatible with 1.0 and 1.1. 1.3 is still a draft.

Subprotocols

JSSE supports the following subprotocols: RSA (Rivest, Shamir and Adleman), RC4, DES (Data Encryption Standard), 3DES, AES (Advanced Encryption Standard), Diffie-Hellman, DSA (Digital Signature Algorithm).

Disabling Older Protocols

You might want to disable older protocols. You can do it with a system property like this:

You can do it in Java source by setting a system property like this:
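An added example, not the page's original listing: one way to do both with standard JSSE, using the `jdk.tls.client.protocols` and `https.protocols` system properties plus a per-connection allow-list. The class name and the choice of TLSv1.2 as the floor are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example; the class name and the TLSv1.2 floor are assumptions, not from the page.
public class DisableOldProtocols {
    /** Keep only TLSv1.2 and later from whatever the JSSE provider offers. */
    static String[] modernOnly(String[] offered) {
        List<String> keep = new ArrayList<>();
        for (String p : offered) {
            // Drops SSLv2Hello, SSLv3, TLSv1 and TLSv1.1.
            if (p.equals("TLSv1.2") || p.equals("TLSv1.3")) keep.add(p);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Same effect as: java -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 ...
        // Set them before the first TLS connection; jdk.tls.client.protocols is read once
        // when JSSE initializes.
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2"); // default client SSLContext
        System.setProperty("https.protocols", "TLSv1.2");          // HttpsURLConnection only

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled by default: " + Arrays.toString(engine.getEnabledProtocols()));

        // Per-connection control; SSLSocket and SSLServerSocket have the same method.
        engine.setEnabledProtocols(modernOnly(engine.getSupportedProtocols()));
        System.out.println("enabled after filter: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

For a JVM-wide setting that application code cannot override, the `jdk.tls.disabledAlgorithms` security property in the `java.security` file lists protocol names to refuse.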

Should You Flip to SSL?

Google has been successfully pushing nearly everyone to use SSL, whether they need it or not. Is that a good idea?

Advantages

Disadvantages

Under The Hood

The magic of SSL is that there need be no a-priori secret password or private key shared between the two, though there optionally could be a login process. The two ends can set up a secure channel between themselves, even if they have never met before, even if there is someone snooping on the whole process! SSL uses ponderous public/private key techniques to exchange high speed symmetric keys for encrypting the bulk of the traffic.

The nice feature about SSL is that it can use different lengths of key for different purposes. This allows it to get around the foolish US laws that restrict long keys for privacy but allow them for identification and data integrity checking. SSL will still work even if the client does not have a certificate. SSL encryption software for export is limited by a U.S. law to 512-bit public keys and 40-bit private keys, even though the knowledge to build such software is freely available globally. All such laws do is give foreign companies such as BouncyCastle access to markets the US government locks American corporations out of.

If you create an Applet and run it from within a browser, you can successfully open a URL connection with https://www.charlie.com/. The browser takes care of all the SSL stuff for you. Java handles all the details of SSL for you in an Applet so that they are almost identical to ordinary HTTP (Hypertext Transfer Protocol) transactions.

SSL Software Vendors

Tips

Types of SSL certificate

The more research the certificate authority does to ensure the authenticity of the server, the more expensive the certificate. The user wants to be sure they are sending data to whom they think they are, not an imposter.

What Certificate is a Site Using?

You can find out what SSL certificate a site is using with Chrome, Firefox or Opera by clicking the icon to the left of the URL (with IE and Safari, click the lock icon to the right) to get the certificate details. You need a root certificate in the chain in your store for that certificate to work.

Components

The technical details of TLS/SSL are quite complicated, but here are the pieces: The server requires a certificate, a digitally signed ID that attests that the server has in its possession a secret/private key, 512 to 2048 bits long, corresponding to a public key available for perusal. The user does not need a certificate. The server and user start the exchange with a cumbersome Diffie-Hellman protocol that does not require the two to share a secret password/key beforehand. Sometimes a faster X.509 certificate-based elliptical RSA scheme is used instead. Then they securely exchange 128-bit random numbers to use as keys for the bulk of the transmission, using a faster, simpler AES protocol.

RFCs (Request For Comments)

Key Sizes

Diffie-Hellman (the protocol used to start a session) can work with 512, 768, 1024, 1536, 2048, 3072, 4096, 6144 or 8192 bit keys. There is a magic prime number associated with each size of key that is used in the cryptography. There can be problems if a server, for example, is using 2048-bit keys, but the client only supports 1536-bit keys. How big the key size in Java can be depends on:

Oracle is dropping support for 512 and 768-bit keys since they are no longer secure.
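To see which of these Diffie-Hellman sizes a particular Java installation accepts, the probe below asks the JRE's own key pair generator; it is an added example, not code from the original page, and the class name is hypothetical. A size the JRE rejects is one known cause of the "Could not generate DH keypair" failures listed under Anomalies.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example; the class name is hypothetical. The sizes are the ones listed on this page.
public class DhKeySizeProbe {
    static final int[] SIZES = {512, 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192};

    /** Ask this JRE's Diffie-Hellman provider which key sizes it will accept. */
    static Map<Integer, String> probe() throws Exception {
        Map<Integer, String> result = new LinkedHashMap<>();
        for (int bits : SIZES) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            try {
                kpg.initialize(bits);   // checks the size; no key pair is generated here
                result.put(bits, "supported");
            } catch (InvalidParameterException e) {
                // The client cannot take part in a handshake that uses this size.
                result.put(bits, "rejected: " + e.getMessage());
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java " + System.getProperty("java.version"));
        probe().forEach((bits, verdict) -> System.out.println(bits + " bits: " + verdict));
        // Server side: the JSSE property jdk.tls.ephemeralDHKeySize picks the size a Java server offers.
        System.out.println("jdk.tls.ephemeralDHKeySize = "
            + System.getProperty("jdk.tls.ephemeralDHKeySize", "(not set)"));
    }
}
```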

Java SSL Support

Java leaves something to be desired in SSL support. Part of the problem can be missing root certificates in cacerts. That can be fixed by tracking down the root certificates and installing them.

Anomalies

There are a number of URLs (Uniform Resource Locators) that browsers handle without trouble that Java fails on. Here is a list of some of them. Oddly, when you install the anniversary Windows 10 update, they will start working.

| URL | Error | Certificate issuer, key exchange | Notes |
|---|---|---|---|
| https://www.ashampoo.com/en/cad/pin/7110/burning-software/burning-studio-free | Could not generate DH | Thawte Extended Validation SHA256 SSL CA, DH 2048 | Requires SNI enabled. |
| https://cdburnerxp.se/en/home | Could not generate DH keypair | RapidSSL SHA256 CA - G3, ECDH 256 | Works in Jet |
| https://handbrake.fr | Could not generate DH | StartCom Class 2 Primary Intermediate Server CA, DH 2048 | ?? baffling, works in Chrome |
| https://www.htmlvalidator.com/download/registered.php?versionin=110 | No subject alternative DNS name matching www.htmlvalidator.com found. | COMODO RSA Domain Validation Server CA, DH 2048 | Requires SNI enabled. |
| https://googlechromereleases.blogspot.ca | No subject alternative DNS name matching googlechromereleases.blogspot.ca. Yet *.blogspot.ca is one of the alternative names for the cert. | Google Internet Authority G2 | Requires SNI enabled. |
| https://www.enigmail.net | No subject alternative DNS name matching www.enigmail.net. Yet www.enigmail.net is one of the alternative names for the cert. | GeoTrust DV SSL CA - G3 | Requires SNI enabled. |
| https://inkscape.org/en/ | Could not generate DH keypair | COMODO RSA Domain Validation Secure Server CA, DH 2048 | Works in Jet |
| https://jpsoft.com | fatal alert: internal_error from https://jpsoft.com | COMODO ECC Domain Validation Secure Server CA 2 | Requires SNI enabled. |
| https://outernet.is/lighthouse | 403 forbidden response code | COMODO ECC Domain Validation Secure Server CA 2 | ?? baffling, works in Chrome |
| https://support.logitech.com/en_us/Product/wireless-mouse-m510#download | Could not generate DH keypair | DigiCert SHA2 Secure Server CA, RSA 256 | Works in Jet |
| https://www.meinbergglobal.com/english/sw/ntp.htm | Could not generate DH | GeoTrust EV SSL CA - G4, DH 4096 | Requires SNI enabled. |
| https://sliksvn.com/download/ | Could not generate DH keypair | RapidSSL SHA256 CA - G3, DH 2048 | Works in Jet |
| https://tortoisesvn.net | Received fatal alert: internal_error | COMODO ECC Domain Validation Secure Server CA 2, ECDH 256 | Requires SNI enabled. |

To experiment with anomalies, just do a URLConnection. You don’t have to read any bytes, just connect. If you want some software to experiment with Java’s SSL try the TestConnection program below:

The most common problem is you failed to import some root certificate into all your cacerts files.

The next most common problem is you failed to match Java’s SNI support to what the site supports.
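A quick local check for both problems, as an added example that is not the TestConnection program or any other code from the original page: it reports which trust store this JVM uses, whether a named root is in it, and how the standard `jsse.enableSNIExtension` property is set. The class name and the default search term are assumptions.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; the class name and the search term are assumptions.
public class TrustedRoots {
    /** Subject names of the default trust anchors whose name contains the given text. */
    static List<String> find(String text) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = JRE default: javax.net.ssl.trustStore, else cacerts
        List<String> hits = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String subject = ca.getSubjectX500Principal().getName();
                if (subject.toLowerCase().contains(text.toLowerCase())) {
                    hits.add(subject + " (expires " + ca.getNotAfter() + ")");
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String wanted = args.length > 0 ? args[0] : "DigiCert";   // constructed sample search term
        // Every Java installation has its own cacerts; java.home shows which one is in use.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = "
            + System.getProperty("javax.net.ssl.trustStore", "(not set, using the JRE default)"));
        // "false" switches the SNI extension off; when unset, SNI is sent.
        System.out.println("jsse.enableSNIExtension = "
            + System.getProperty("jsse.enableSNIExtension", "(not set)"));
        List<String> hits = find(wanted);
        System.out.println(hits.isEmpty() ? "no trusted root matches " + wanted
                                          : String.join("\n", hits));
    }
}
```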

How SSL Works

SSL/TLS is a two-stage protocol. In the first stage, the two ends decide on a temporary common session key to use for just this session. In the second stage, the data are efficiently encrypted and sent with that symmetric key.

The second thing to understand is that SSL is a Chinese menu protocol with dozens of variants. To start, the two ends must negotiate which variants they will use. There is no guarantee they both support a common set of features.

  1. Client Hello

    The client sends server information about which SSL variants it supports.
  2. Server Hello

    The server sends the client information about which SSL variants it supports. The server sends the client its certificate, which contains its public key. The server needs a certificate, but the client does not.
  3. Authentication and Pre-Master Secret

    The client authenticates the server certificate. It can do this without contacting the certificate company because it has the corresponding root certificates on file. The client prepares a random pre-master session key. The client encrypts the key with the server’s public key and sends it to the server.
  4. Decryption and Master Secret

    The server uses its private key to decrypt the pre-master secret. Both server and client perform the math to generate the master secret.
  5. Generate Session Keys

    Both the client and the server use the master secret to generate the session keys. (I don’t understand why they don’t just generate the session key directly.)
  6. Encryption with Session Key

    Both client and server exchange messages to notify that all future messages they send will be encrypted with the session key.
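Steps 3 to 5 carried through in code, as an added example that is not from the original page. It goes beyond the page by using the TLS 1.2 PRF and labels from RFC 5246 and the key layout of an AES-128-CBC with HMAC-SHA256 suite; the class name, the freshly generated RSA key pair and the random values are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example; names are hypothetical. PRF and labels follow RFC 5246 (TLS 1.2).
public class RsaKeyExchangeDemo {
    static byte[] concat(byte[] x, byte[] y) {
        byte[] r = Arrays.copyOf(x, x.length + y.length);
        System.arraycopy(y, 0, r, x.length, y.length);
        return r;
    }
    /** TLS 1.2 PRF: first n bytes of P_SHA256(secret, label + seed). */
    static byte[] prf(byte[] secret, String label, byte[] seed, int n) throws GeneralSecurityException {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] labelSeed = concat(label.getBytes(StandardCharsets.US_ASCII), seed);
        byte[] a = labelSeed, out = new byte[0];
        while (out.length < n) {
            a = hmac.doFinal(a);                                  // A(i) = HMAC(secret, A(i-1))
            out = concat(out, hmac.doFinal(concat(a, labelSeed)));
        }
        return Arrays.copyOf(out, n);
    }
    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();     // stands in for the key pair behind the certificate
        byte[] cRand = new byte[32], sRand = new byte[32], pre = new byte[48];
        rnd.nextBytes(cRand); rnd.nextBytes(sRand); rnd.nextBytes(pre);  // hello randoms, pre-master
        pre[0] = 3; pre[1] = 3;                     // first two bytes carry the protocol version
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, server.getPublic());
        byte[] onWire = rsa.doFinal(pre);           // step 3: client encrypts and sends
        rsa.init(Cipher.DECRYPT_MODE, server.getPrivate());
        byte[] preAtServer = rsa.doFinal(onWire);   // step 4: server decrypts
        byte[] randoms = concat(cRand, sRand);
        byte[] masterClient = prf(pre, "master secret", randoms, 48);
        byte[] masterServer = prf(preAtServer, "master secret", randoms, 48);
        System.out.println("master secrets match: " + Arrays.equals(masterClient, masterServer));
        // Step 5: one master secret expands into two MAC keys (32 bytes each), then two AES keys (16 each).
        byte[] block = prf(masterClient, "key expansion", concat(sRand, cRand), 96);
        System.out.println("key block bytes: " + block.length + " (client MAC, server MAC, client key, server key)");
    }
}
```

Each direction gets its own MAC key and cipher key out of the one key block, so the 48-byte master secret is never used directly to protect traffic.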

Books

SSL and TLS: Theory and Practice, Second Edition
by Rolf Oppliger Ph.D. (born 1965-11-02)
ISBN 978-1-60807-998-8 (hardcover)
publisher: Artech House Publishers
published: 2016-03-31
The author is a computer science professor at the University of Zurich in Switzerland.

Implementing SSL / TLS Using Cryptography and PKI
by Joshua Davies (born 1974)
ISBN 978-0-470-92041-1 (paperback), 978-1-118-03877-2 (eBook), B004IK9TVO (Kindle)
publisher: Wiley
published: 2011-01-11
Practical, comprehensive book on how to implement SSL / TLS. Covers only TLS 1.0.

Learning More

Oracle’s Javadoc on the SSLSocket class
Oracle’s Technote Guide on JSSE: Java Secure Socket Extension
Oracle’s Technote Guide on SSL/Diffie-Hellman Key Sizes
Oracle’s Technote Guide on SSL Features in JSSE

This page is posted on the web at: http://mindprod.com/jgloss/ssl.html

Contact Roedy. Please feel free to link to this page without explicit permission.
