Build secure network applications with SSL and the JSSE API

Get started with SSL and JSSE using these two simple apps

By Todd Sundsted, JavaWorld.com, 05/11/01

This month, I will explore SSL as implemented by the JSSE (Java Secure Socket Extension), and show you how to build secure network applications in Java using SSL and JSSE.

Let's begin with a simple demonstration. JSSE provides an SSL toolkit for Java applications. In addition to the necessary classes and interfaces, JSSE provides a handy command-line debugging switch that you can use to watch the SSL protocol in action. In addition to providing useful information for debugging a recalcitrant application, playing with the toolkit is a great way to get your feet wet with SSL and JSSE.

To run the demonstration, you must first compile the following class:

  public
  class Test
  {
    public
    static
    void
    main(String [] arstring)
    {
      try
      {
        new java.net.URL("https://" + arstring[0] + "/").getContent();
      }
      catch (Exception exception)
      {
        exception.printStackTrace();
      }
    }
  }

Next, you need to turn on SSL debugging and run the above application. The application connects to the secure Website that you specify on the command line using the SSL protocol via HTTPS. The first option loads the HTTPS protocol handler. The second option, the debug option, causes the program to print out its behavior. Here's the command (replace <host> with the name of a secure Web server):

  java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl Test <host>

You need to install JSSE; refer to Resources if you're unsure how.

Now let's get down to business and talk about SSL and JSSE.

A brief look at SSL

The code in the introduction demonstrates the easiest way to add SSL to your applications -- via the java.net.URL class. This approach is useful, but is not flexible enough to let you create a secure application that uses generic sockets.

Before I show you how to add that flexibility, let's take a quick look at SSL's features.

As its name suggests, SSL aims to provide applications with a secure socketlike toolkit. Ideally, it should be easy to convert an application that uses regular sockets into an application that uses SSL.

SSL addresses three important security issues:

1. It provides authentication, which helps ensure the legitimacy of the entities involved in a dialog.
2. It provides privacy. SSL helps warrant that a third party cannot decipher the dialog between two entities.
3. It maintains integrity. The use of a MAC (message authentication code), which is similar to a checksum, helps guarantee that a dialog between two entities is not modified by a third party.

SSL relies heavily on both public-key and secret-key cryptography. It uses secret-key cryptography to bulk-encrypt the data exchanged between two applications. SSL provides the ideal solution because secret-key algorithms are both secure and fast. Public-key cryptography, which is slower than secret-key cryptography, is a better choice for authentication and key exchange.

Sun's JSSE reference implementation comes with all the technology necessary to add SSL to your applications. It includes RSA (Rivest-Shamir-Adleman) cryptography support -- the de facto standard for security on the Internet. It includes an implementation of SSL 3.0 -- the current SSL standard -- and TLS (Transport Layer Security) 1.0, the next generation of SSL. JSSE also provides a suite of APIs for creating and using secure sockets.

The JSSE API

The Java security architecture uses the Factory design pattern heavily. For the uninitiated, the Factory design pattern uses special factory objects to construct instances, rather than calling their constructors directly. (See Resources for the pros and cons of the factory class.)

In JSSE, everything begins with the factory; there's a factory for SSL sockets and a factory for SSL server sockets. Since generic sockets and server sockets are already quite fundamental to Java network programming, I'll assume that you're familiar with the two and you understand their roles and differences. If you are not, I recommend picking up a good book on Java network programming.

SSLSocketFactory

Methods in the javax.net.ssl.SSLSocketFactory class fall into three categories. The first consists of a single static method that retrieves the default SSL socket factory: static SocketFactory getDefault().

The second category consists of four methods inherited from javax.net.SocketFactory that mirror the four key constructors found on the java.net.Socket class, and one method that wraps an existing socket with an SSL socket. They each return an SSL socket:

1. Socket createSocket(String host, int port)
2. Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
3. Socket createSocket(InetAddress host, int port)
4. Socket createSocket(InetAddress host, int port, InetAddress clientHost, int clientPort)
5. Socket createSocket(Socket socket, String host, int port, boolean autoClose)

The two methods in the third category return the list of SSL cipher suites that are enabled by default, and the complete list of supported SSL cipher suites:

1. String [] getDefaultCipherSuites()
2. String [] getSupportedCipherSuites()

A cipher suite is a combination of cryptographic algorithms that define a particular level of security for an SSL connection. A cipher suite defines whether the connection is encrypted, whether content integrity is verified, and how authentication occurs.

SSLServerSocketFactory

Methods on the javax.net.ssl.SSLServerSocketFactory class fall into the same three categories as SSLSocketFactory. First, there is the single static method that retrieves the default SSL server socket factory: static ServerSocketFactory getDefault().