Date: Mon, 23 Feb 1998 17:21:14 -0800
From: Jeff.Nisewanger@Eng (Jeff Nisewanger)
Message-Id: <199802240121.RAA28907@puuoo.eng.sun.com>
To: java-security@web1.javasoft.com, chris@subtlety.com
Subject: Re: Generating Keys?

> I'm having no luck following the RMI SSL directions on Sun's pages
> (they're just wrong, among other problems) so I'm trying to write my own
> socket class that encrypts and decrypts the data coming across it.

Hi. You mentioned earlier today in private email to me that
you are trying to use JWS 1.1 as the source of the SSL implementation
but are not running your application within the Java Web Server (you're
not writing a servlet). JWS was not really intended to be used like this.
The javax.net.ssl apis do not expose trust management apis needed for
accessing self-authentication data (private keys & their associated
certificate chains) or managing which certificate authorities you trust
when authenticating the peer at the other end of the socket.

You can only use the javax.net.ssl apis by themselves if you
restrict yourself to SSL cipher suites which do not involve
authenticating yourself. In other words, on the server side you can
only support SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 and the like. These
cipher suites are supported but not enabled by default because without
server authentication you open yourself to a potential "man in the
middle" security attack. On the client side you should be able to use
the default cipher suites but will not be able to support a server
which insists on doing a client authentication handshake. Using the
public apis you will currently happen to trust only server certificates
signed by VeriSign. However, if you want your client to talk to an
"anon" server you will have to also specifically enable the "anon"
cipher suites on the client socket.
Jeff
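
The message above says the "anon" cipher suites are supported but not enabled by default, and that a socket only uses them if they are specifically enabled. The following is an added example, not part of the original message and not Sun's code: it audits which unauthenticated or export-grade suites a Java runtime supports versus enables, and builds a parameter set that excludes them. It assumes the current JSSE API (`SSLContext`, `SSLParameters`) rather than the JWS 1.1 classes discussed in the thread; the class and helper names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class AnonSuiteAudit {
    // Anonymous key-exchange suites carry "_anon_" in their standard names,
    // e.g. SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 from the message above.
    static boolean isAnonymous(String suite) {
        return suite.contains("_anon_");
    }

    // No peer authentication, export-grade keys, or no encryption at all.
    static boolean isWeak(String suite) {
        return isAnonymous(suite) || suite.contains("_EXPORT_") || suite.contains("_NULL_");
    }

    // Return the suites whose weak/not-weak classification matches 'weak'.
    static List<String> select(String[] suites, boolean weak) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (isWeak(s) == weak) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        // "Supported but not enabled": present in the first list, absent from the second.
        System.out.println("Weak suites supported:          " + select(supported, true));
        System.out.println("Weak suites enabled by default: " + select(enabled, true));

        // Hardened parameters: keep only enabled suites that authenticate the server.
        SSLParameters hardened = ctx.getDefaultSSLParameters();
        hardened.setCipherSuites(select(enabled, false).toArray(new String[0]));
        // Apply with SSLSocket.setSSLParameters(hardened) before the handshake starts.
        System.out.println("Suites kept after filtering:    " + hardened.getCipherSuites().length);

        // Constructed sample list, so the classification is visible on any runtime.
        String[] sample = { "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" };
        System.out.println("Sample flagged as weak:         " + select(sample, true));
    }
}
```

A non-empty "enabled by default" list means sockets from that context can negotiate a session without authenticating the server, which is the man-in-the-middle exposure the message describes.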