Date: Mon, 10 Mar 1997 21:12:17 -0800
From: db@doppio (David Brownell -- JavaSoft)
Message-Id: <199703110512.VAA13915@argon.eng.sun.com>
To: java-security@java.eng.sun.com, mccoubre@direct.ca
Subject: Re: Javasoft SSL Beta
> Date: Mon, 10 Mar 1997 18:23:48 -0800
> From: Warren McCoubrey <mccoubre@direct.ca>
>
> Hello,
> I have a number of questions wrt the SSL API released early last week
> (beta java web-server).
Notice that's beta of the Web Server, not of the SSL API !! Although
that API won't change substantially, it _will_ change (at least, the
package will be renamed) before very long.
> 1. What exactly does SSLServerSocket.setNeedClientAuth() do ? Is the
> server instructing the client to perform a self-authentication , or is
> the server instructing the client to sign something and send it back so
> that the server can verify it.
Closest to the first of your options ... when a client connects to
the SSLServerSocket (producting an SSLSocket via the accept method),
SSL's handshaking will cause the client to self-authenticate.
> The documentation accompanying the java
> web-server mentions that SSL client authentication is currently not
> supported, how does this relate to the setNeedClientAuth() method ?
Don't call setNeedClientAuth, it won't do any good yet!
> 2. If SSL client authentication is not supported in the Beta release,
> will the exception SSLPeerUnverfied be thrown when the server attempts
> to access the client's certificate chain ?
Yes.
> 3. What index value is used on an authentication context by a SSL socket
> or socketServer to obtain the private keys or certificates used to
> self-authenticate or initate a SSL handshake. Is there a fixed index ?
That information is not exposed; you're not intended to be able to
get access to the server's private keys. It'd be a security problem
if you could do that.
> In the alpha2 release, a SSL socketServer was constructed with a
> private-key and certificate chain. How does it get that info now ?
Private initialization APIs accessed through SSLEndpoint. Those
APIs need to change. The actual execution path involves prompting
the user for a passphrase, using that passphrase to load data
into a KeyStore, and storing data from that KeyStore into the right
AuthContext using indices known only to the SSL package.
> 4. I believe that there was a class supporting X.509 cerficate chains in
> the alpha2. I can't seem to find it in the API documentation. Any ideas?
I'd read the beta docs for sun.security.x509 ... sort of hard to make
use of the SSL API without that class, which is why it's included in
those beta docs.
Note that (as always) sun.* APIs are not fully supported. In the
cases of SSL and X509 we're still working on the APIs since they're
not feature-complete yet. I don't know of fundamental changes needed,
but if you write code to either set of APIs, it will at least break when
the API package names change.
- Dave