by Roedy Green ©1996-2008 Canadian Mind ProductsThe magic of SSL is that there need be no a priori secret password or private key shared between the two, though there optionall could be a login process. The two ends can set up a secure channel between themselves, even if they have never met before, even if there is someone snooping on the whole process!
The nice feature about SSL is that it can use different lengths of key for different purposes. This allows it to get around the foolish US laws that restrict long keys for privacy but allow them for identification and data integrity checking. SSL will still work even if the client does not have a certificate. SSL encryption software for export is limited by a U.S. law to 512-bit public keys and 40-bit private keys, even though the knowledge to build such software is freely available globally.
If you create an Applet and run it from within Netscape, you can successfully open a url connection with "https://www.charlie.com/…" . Netscape takes care all the SSL stuff for you. If you create an application client that runs outside of a browser, you will have to perform all the SSL yourself.
There is SSLithium, which is licensed for non-commercial use only; iSaSiLk which is commercially available, and was the basis for the international offering from Entrust; and JForge (which uses the www.aba.net.au JCE). In the US, and available on ftp.replay.com are a TLS (SSL3.1) implementation called pureTLS, and the early access Sun JSSE. Phaos makes SSLava.
With Java 1.4.1+ SSL is built-in via JSSE Java Secure Socket Extension. See the javax.net.ssl class.
The common name in the SQL certificate must be a fully-qualified domain name, or Java won’t recognize the match. If you have a website with many domains, you need a wildcard certificate to cover the related domains, or a separate cerficate for each domain.
Beware there are three SSL packages: javax.net.ssl, com.sun.net.ssl, com.sun.net.ssl.internal.www.protocol.https. Normally, you should not be messing with com.sun packages.The software to handle SSL in Java is called JSSE, (Java Secure Socket Extension) and is not considered part of JCE.
SSL chews up huge amounts of the server’s CPU time. One solution is an SSL hardware box that acts as a proxy server.
To connect as a client in HTTPS, you connect just like a regular HTTP connection. However, you have to give the SSL library access to your collection of certificate authority certificates so your client can validate server certificates:
 |
Please email your feedback for publication, errors, omissions, broken/redirected link reportsand suggestions to improve this page to Roedy Green :  | ||
| Canadian Mind Products | 
 |
||
| mindprod.com IP:[65.110.21.43] | |||
| Your face IP:[38.103.63.17] | The information on this page is for non-military use only. | ||
| You are visitor number 16,834. | Military use includes use by defence contractors. | ||
| You can get a fresh copy of this page from: | or possibly from your local J: drive (Java virtual drive/Mindprod website mirror) | ||
| http://mindprod.com/jgloss/ssl.html | J:\mindprod\jgloss\ssl.html | ||