Re: Javasoft SSL Beta

Warren McCoubrey (mccoubre@direct.ca)
Thu, 13 Mar 1997 09:33:37 -0800

Date: Thu, 13 Mar 1997 09:33:37 -0800
From: Warren McCoubrey <mccoubre@direct.ca>
To: java-security@java.eng.sun.com
Subject: Re: Javasoft SSL Beta

David Brownell -- JavaSoft wrote:
>
> > Date: Mon, 10 Mar 1997 18:23:48 -0800
> > From: Warren McCoubrey <mccoubre@direct.ca>
> >
> > Hello,
> > I have a number of questions wrt the SSL API released early last week
> > (beta java web-server).
>
> Notice that's beta of the Web Server, not of the SSL API !! Although
> that API won't change substantially, it _will_ change (at least, the
> package will be renamed) before very long.
>
> > 1. What exactly does SSLServerSocket.setNeedClientAuth() do ? Is the
> > server instructing the client to perform a self-authentication , or is
> > the server instructing the client to sign something and send it back so
> > that the server can verify it.
>
> Closest to the first of your options ... when a client connects to
> the SSLServerSocket (producting an SSLSocket via the accept method),
> SSL's handshaking will cause the client to self-authenticate.
>
> > The documentation accompanying the java
> > web-server mentions that SSL client authentication is currently not
> > supported, how does this relate to the setNeedClientAuth() method ?
>
> Don't call setNeedClientAuth, it won't do any good yet!
>
> > 2. If SSL client authentication is not supported in the Beta release,
> > will the exception SSLPeerUnverfied be thrown when the server attempts
> > to access the client's certificate chain ?
>
> Yes.
>
> > 3. What index value is used on an authentication context by a SSL socket
> > or socketServer to obtain the private keys or certificates used to
> > self-authenticate or initate a SSL handshake. Is there a fixed index ?
>
> That information is not exposed; you're not intended to be able to
> get access to the server's private keys. It'd be a security problem
> if you could do that.
>
> > In the alpha2 release, a SSL socketServer was constructed with a
> > private-key and certificate chain. How does it get that info now ?
>
> Private initialization APIs accessed through SSLEndpoint. Those
> APIs need to change. The actual execution path involves prompting
> the user for a passphrase, using that passphrase to load data
> into a KeyStore, and storing data from that KeyStore into the right
> AuthContext using indices known only to the SSL package.

Using SSLEndpoint implies a close coupling between SSL and the
sun.server.* packages. I would have thought that the SSL packages would
not have to depend on a particular server implementation, but instead
developers could use the SSL classes with their own server framework
(e.g. my.server.* packages). Are there any plans in the future for
separating SSL from the web-server ?
>
> > 4. I believe that there was a class supporting X.509 cerficate chains in
> > the alpha2. I can't seem to find it in the API documentation. Any ideas?
>
> I'd read the beta docs for sun.security.x509 ... sort of hard to make
> use of the SSL API without that class, which is why it's included in
> those beta docs.

Does this mean that the X.509 certificate chain class is included in the
Beta release of the web-server. If it is, could you please point it out.

>
> Note that (as always) sun.* APIs are not fully supported. In the
> cases of SSL and X509 we're still working on the APIs since they're
> not feature-complete yet. I don't know of fundamental changes needed,
> but if you write code to either set of APIs, it will at least break when
> the API package names change.
>
> - Dave

Thanks for the info.

-- 
Warren McCoubrey                                    | 
mccoubre@direct.ca
Fiberlane Communications Inc.                       |  Voice:
(604)433-0597
6883A Russell Avenue                                |  fax:  
(404)433-0257
Burnaby BC. Canada V5J 4R8                          |