Questions and Answers
A: JSSE implements a JavaTM version of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols to provide for secure Internet communications.
Using JSSE, developers can provide for the passage of secure data between a client and a server running any application protocol (such as HTTP, Telnet, NNTP, and FTP) over TCP/IP. JSSE will enable data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.
A: There were a number of bug fixes and enhancements. For more details, please see the CHANGES.txt file that comes with the distribution.
A: JSSE is the latest development in the JavaTM Security Architecture, building upon the JavaTM 2 Security Architecture in the core SDK, the JavaTM Cryptography Extension (JCE), the JavaTM Authentication and Authorization Service (JAAS), and the JavaTM Security Tools. See the JavaTM 2 Security Architecture document for more information.
A: JSSE enables developers to utilize secure, encrypted communications channels in their applications. It simplifies application development by serving as a building block which developers can integrate directly into their applications. Furthermore, by abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE minimizes the risk of creating subtle but dangerous security vulnerabilities.
A: Sun's JavaTM Secure Socket Extension 1.0.3 implementation is a reference implementation. It is intended to familiarize developers with the APIs and the technology before they make a choice on commercial implementations. A reference implementation is similar to a proof-of-concept implementation of a specification. It is used to demonstrate that the specification is implementable and that various compatibility tests can be written against it.
A non-commercial implementation typically lacks the overall completeness of a commercial-grade product. While the implementation meets the API specification, it will be lacking things such as a fully-featured toolkit, sophisticated debugging tools, commercial-grade documentation and regular maintenance updates.
A: The JSSE 1.0.3 reference implementation binary code is free for commercial use and redistribution. See the license and the legal documents that are downloaded with the code.
A: JSSE 1.0.3 has been classified as an ENC/Retail product by the U.S. Department of Commerce Bureau of Export Affairs. This license exception means that JSSE may be freely exported, without any additional approval, with strong encryption, to all nations except for those specifically denied .
A: While there has been some relaxation in the export requirements, there are many restrictions still in place for strong encryption products. Go to http://www.epic.org/crypto/export_controls/regs_1_00.html for the complete 33 page report. In addition, some countries may have import restrictions. Note also that a vendor's product status is dependent on the type of application they have with the US government -- JSSE 1.0.3 has been classified as ENC/Retail. Contrary to some articles in the press, export of encryption technology is still a complicated, multi-dimensional issue. You are advised to consult your export/import control counsel or attorney to determine the exact requirements.
A: No. Even with an ENC/Retail classification, the countries on the US Government embargo list may not receive ANY US-developed encryption items. In addition, parties listed on the Denied and Restricted Parties List are also not allowed to receive this kind of software. Additionally, it is Sun company policy to not ship products to Burma.
A: If you are located in the US or Canada, you can download the 128 bit strength domestic JSSE 1.0.3 reference implementation.
A: If you are located outside of the US or Canada, you can download the 128 bit strength global JSSE 1.0.3 reference implementation. (This assumes you are not an embargoed nation or a denied party.)
A: There are two versions to comply with the approved application Sun received from the U.S. Department of Commerce Bureau of Export Affairs. The domestic version supports alternate SSL security providers; the global version supports only the Sun SSL provider.
A: Sun's reference implementation supports JavaTM 2 SDK, Standard Edition, version 1.2.x or 1.3.x. The JSSE API is implementable on either JDK 1.1.x or JavaTM 2 Platform, Standard Edition. This implementation is not intended for use in the J2SDK version 1.4, which has a version of JSSE already bundled.
A: Yes, JSSE 1.0.3 contains RSA encryption. However, this algorithm is not available to the applications using the Java TM Cryptography Extension (JCE) API.
A: JSSE 1.0.3 provides Secure Sockets Layer (SSL) v3 and Transport Layer Security (TLS) 1.0 support to the JavaTM 2 Platform.
A: JSSE 1.0.3 supports SSL version 3. It is widely available and generally believed to be more secure than version 2. SSL was originally developed by Netscape. You can find out more about SSL by looking at Netscape SSL information or the SSL 3.0 Protocol Internet Draft. JSSE 1.0.3 supports TLS version 1, which can be found at http://www.ietf.org/rfc/rfc2246.txt?number=2246 .
A: Yes, the reference implementation is completely written in the JavaTM programming language.
A: Sample source code, including directions for running the sample code, is provided with the JSSE 1.0.3 distribution as a separate bundle.
A:
Use the dynamic debug tracing support. This is similar to
that used for debugging access control failures in JavaTM 2.
You can configure this via the javax.net.debug system
property. A value of "help" will dump out the various
options. For example:
java -Djavax.net.debug=help SomeClass
A: The SSLContext needs a java.security.SecureRandom object. It is expensive to seed a SecureRandom object. You should see better performance for the first connection if you can provide a pre-seeded SecureRandom object when initializing the SSLContext. However, extreme care should be taken in such action as seeding is an important aspect of cryptographic effectiveness.
A: Troubleshooting Tips:
JSSE Package Not Found During Compilation
Problem: When compiling a program that uses the JSSE 1.0.3 packages, one of the following errors occur:
Package com.sun.net.ssl not found in import. Package javax.net not found in import. Package javax.net.ssl not found in import. Package javax.security.cert not found in import.Cause: The JSSE JAR files are not installed properly.
Solution: JSSE 1.0.3 is supplied as an extension to the Java 2 platform. Its JAR files can be installed either as "installed" extensions (recommended) or as "bundled" extensions. A JAR file is considered an "installed" extension if it is stored in a particular directory established for all installed extensions, as described in http://java.sun.com/products/jsse/install.html, and no class path modifications are needed. "Bundled" extensions may be bundled with applications or made available in a separate directory. If they are bundled with an application, be sure to specify them in the Class-Path attribute in the application's manifest file. Otherwise, be sure to set the Java
CLASSPATH
variable correctly so the JSSE JAR files can be found. For more information about bundled extensions, see Bundled Extensions.Runtime Exception: SSL Service Not Available
Problem: When running a program that uses JSSE 1.0.3, an exception occurs indicating that an SSL service is not available. For example, an exception similar to one of the following occurs:
Exception in thread "main" java.net.SocketException: no SSL Server Sockets Exception in thread "main": SSL implementation not availableCause 1: The cryptographic service provider is not registered properly.
Solution 1: Before using JSSE 1.0.3, you must register the
SunJSSE
provider, either statically by modifying thejava.security
file or dynamically by calling theSecurity.addProvider
method, as described in http://java.sun.com/products/jsse/install.html.Cause 2: There was a problem with
SSLContext
initialization, for example due to a corrupted keystore. (Note: One vendor has shipped a keystore in an unknown format, and that may cause this type of error.)Solution 2: Check initialization parameters. Ensure any keystores specified are valid (e.g., by trying to use the keytool to examine them).
Runtime Exception: untrusted cert chains
Problem: When negotiating an SSL connection, the client or server throws one of the following exceptions:
javax.net.ssl.SSLException: untrusted server cert chain javax.net.ssl.SSLException: untrusted client cert chainCause 1: This is generally caused by the remote side sending a certificate that is unknown to the local side.
Solution 1: The best way to debug this type of problem is to turn on debugging and watch as certificates are loaded and when certificates are received via the network connection. Most likely, the received certificate is unknown to the trust mechanism because the wrong trust file was loaded.
Cause 2: The system clock is not set correctly.
Solution 2: If the clock is not set correctly, the perceived time may be outside the validity period on one of the certificates, and unless the certificate can be replaced with a valid one from a truststore, the system must assume that the certificate is invalid, and therefore throw the exception.
Cause 3: Older versions of Java 2 Enterprise Edition use earlier versions of JSSE. In particular, some previous versions of J2EE shipped with JSSE 1.0, which couldn't replace received expired certificates with current ones from a truststore.
Solution 3: Be sure that the new JSSE jar files occur in the class path(s) ahead of any older J2EE jar files.
Runtime Exception: Class Definition Not Found
Problem: When running a program that uses JSSE 1.0.3, an exception occurs indicating that a JSSE class definition cannot be found. For example, an exception similar to the following occurs:
Exception in thread "main" java.lang.NoClassDefFoundError: javax/net/ssl/SSLServerSocketFactoryCause: The JSSE JAR files are not installed properly.
Solution: JSSE must be installed as an extension to the Java 2 Platform. Install the JSSE JAR files as discussed in the Solution to the JSSE Package Not Found During Compilation problem shown above.
Runtime Exception: No Cipher Suites in Common
Problem: When using Netscape Navigator or Microsoft Internet Explorer (IE) to access files on a server that only has DSA-based certificates, a runtime exception occurs indicating that there are no cipher suites in common.
Cause: By default, certificates created with keytool use DSA public keys. Navigator and IE do not use DSA public keys in their enabled cipher suites.
Solution: To interact with Navigator or IE, you should create certificates that use RSA-based keys. To do this, you need to specify the
-keyalg
RSA option when using keytool. For example:keytool -genkey -alias duke -keystore testkeys -keyalg rsa