Re: JSSE Client Authentication during SSL

Jeff Nisewanger (Jeff.Nisewanger@eng.sun.com)
Thu, 26 Aug 1999 10:33:53 -0700 (PDT)

Message-Id: <199908261735.KAA08055@shorter.eng.sun.com>
Date: Thu, 26 Aug 1999 10:33:53 -0700 (PDT)
From: Jeff Nisewanger <Jeff.Nisewanger@eng.sun.com>
Subject: Re: JSSE Client Authentication during SSL
To: java-security@Sun.COM, Dominic.Savio@bellsouth.net

> In JSSE, how to set which certificate (alias) to be passed,
> in cases where the server requires client authentication.

Are you accessing the server via an https URL or directly
with an SSL socket? The EA1 release does not support client authentication
via the https URL handler packaged in the JSSE reference implementation.
We plan to add support for this in EA2.

If you are using an SSLSocket directly you configure this
via the init() method on the SSLContext class by passing in a
KeyManager instance that knows about your client certificate.

The common way to get a KeyManager configured with your client
certificate is to place it in a keystore file. You can then create the
Java 2 KeyStore class and initialize it from your file. Once you have
the KeyStore instance containing your client certificate you can use
this to initialize a KeyManagerFactory from which you can get a
KeyManager. The reference implementation API has a limitation that
requires all of the keys in the keystore to be protected using the
same password (the KeyStore api and keytool command potentially allow
you to protect each private key with a separate password).

An easy way to get a client certificate is to use a Netscape
or IE browser to get one via VeriSign or some other certificate issuer
and then export that into a file. The file will be in a format known
as PKCS12. For example, the Netscape browser will export your
client certificate into a .p12 file. You can then use this file with
the JSSE reference implementation by using a KeyStore with a type
of "PKCS12". The EA1 release of the JSSE reference implementation
should be compatible with PKCS12 files exported by Netscape 4.04 and
later and by IE 5.0.

You can use the standard Java 2 SDK keytool command to view
and edit your keystore file.

>
> What are the cipher suites available in JSSE?

The supported cipher suites are listed in the
file jsse1.0/doc/factsheet.html after you install the reference
implementation. Most of the common cipher suites are implemented
so you should be able to interoperate with almost any other SSL
implementation.

> How to set the desired cipher suites for SSL handshake?
>

You can set the desired cipher suites in priority order
using the setEnabledCipherSuites() method on the SSLSocket class.
See the javadoc for details. For the https URL handler, you can
set this via the "https.cipherSuites" system property which should
be a comma-separated list of cipher suite names.

Jeff
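The steps Jeff describes (load the exported PKCS12 file into a KeyStore, initialize a KeyManagerFactory from it, pass the resulting KeyManager to SSLContext.init(), then set the cipher suites in priority order on the SSLSocket) in one runnable program. This is an added example, not code from the original message or from the JSSE reference implementation; it uses today's javax.net.ssl API rather than the 1999 EA1 package names. The file path, password, host, port and the preferred-suite list are assumptions to replace with your own values. A TrustManager for the server certificate is included so the client also verifies the server it is authenticating to.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ClientAuthExample {

    // Assumed values for illustration only; replace with your own.
    static final String P12_PATH = "client.p12";          // exported by the browser
    static final char[] PASSWORD = "changeit".toCharArray(); // assumed password
    static final String HOST = "server.example";          // placeholder host
    static final int PORT = 443;

    // Assumed preference order; the names must match what the provider supports.
    static final String[] PREFERRED_SUITES = {
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** Build an SSLContext whose KeyManager knows the client certificate. */
    public static SSLContext buildContext(String p12Path, char[] password) throws Exception {
        // Step 1: load the browser-exported .p12 file as a KeyStore of type "PKCS12".
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }

        // Step 2: KeyManagerFactory from the KeyStore. The same password is
        // passed for the private keys, matching the single-password limitation
        // of the reference implementation that the message mentions.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        // Server-side verification: trust the platform's default CA store.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        // Step 3: SSLContext.init() with the KeyManager carrying the client cert.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Open an SSLSocket with the enabled suites restricted to our priority list. */
    public static SSLSocket connect(SSLContext ctx, String host, int port,
                                    String[] preferred) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // Keep only the preferred suites the provider actually supports, in our order.
        List<String> supported = Arrays.asList(socket.getSupportedCipherSuites());
        List<String> chosen = new ArrayList<>();
        for (String suite : preferred) {
            if (supported.contains(suite)) {
                chosen.add(suite);
            }
        }
        if (chosen.isEmpty()) {
            throw new IllegalStateException("none of the preferred cipher suites is supported");
        }
        socket.setEnabledCipherSuites(chosen.toArray(new String[0]));

        socket.startHandshake(); // client certificate is sent here if the server asks for it
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(P12_PATH, PASSWORD);
        try (SSLSocket socket = connect(ctx, HOST, PORT, PREFERRED_SUITES)) {
            System.out.println("negotiated: " + socket.getSession().getCipherSuite());
            System.out.println("peer: " + socket.getSession().getPeerPrincipal());
        }
    }
}
```

For the https URL handler path mentioned at the end of the message, the equivalent of the setEnabledCipherSuites() call is setting the `https.cipherSuites` system property to the same comma-separated list (for example with `System.setProperty("https.cipherSuites", "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256")`) before the first HTTPS connection is opened; the SSLSocket route above is the one that lets you supply the KeyManager directly.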