I'm working with a framework (Vertx 2) and need to implement a service that runs on top of TLS. Vertx 2 has support for TLS, but I cannot get it to use the necessary ciphers (among others):
TLS_PSK_WITH_3DES_EDE_CBC_SHA
TLS_PSK_WITH_AES_128_CBC_SHA
I also cannot use the Bouncy Castle lightweight API as it is stream-based and blocks (spawning threads etc. to deal with this is not acceptable as that will not scale). The same goes for JESSIE.
It must use AES & DES with pre-shared keys, but I've been unable to find a way to get this to work. Any solution which is non-blocking/async is workable.
If you're on Linux or OSX, Conscrypt (https://conscrypt.org) might be an option. This is an OpenSSL/BoringSSL backed JCA Provider which will give you an SSLEngine impl which you can then use with Java NIO in non-blocking mode. For context, Conscrypt is the default provider of crypto and TLS/SSL primitives on Android.
To use it with TLS-PSK, you'll need to initialize a Conscrypt-provided SSLContext with an implementation of org.conscrypt.PSKKeyManager and then obtain an SSLEngine from that context. For documentation, see PSKKeyManager interface Javadoc or Javadoc of very similar Android framework class PskKeyManager (https://developer.android.com/reference/android/net/PskKeyManager.html).
Related
I would like to implement tls protocol on my server and client.
My question is simple:
the class SSLSocket use either the TLS protocol or is it the same thing?
I haven't implemented it in my code yet, but I'm excited about the possibility.
My question is simple: the class SSLSocket use either the TLS protocol or is it the same thing?
The short answer is Yes.
The standard SSLSocket class supports both SSL and TLS. Quoting from the first line of the javadoc:
"This class extends Sockets and provides secure socket using protocols such as the "Secure Sockets Layer" (SSL) or IETF "Transport Layer Security" (TLS) protocols."
However this need to be qualified in that the actual protocols and versions that are allowed depend on defaults and settings that change over time. For example, recent Java releases will (by default) reject SSLv2, SSLv3, TLSv1, and TLSv1.1.
Finally, you should avoid using any of the disabled versions (or related disabled features) if possible as they have known security weaknesses and in some cases are vulnerable to compromise.
I'm developing secure communication framework for PC and Android mobiles, without using certificates and public key exchange. Pre-shared key will be used.
The framework has it's own protocol for authentication and key exchange.
The procedure is the follows:
Hosts authenticate to each other
After two communicating hosts are authenticated to each other, they share session private key.
Traffic between hosts is encrypted using that key.
I plan to use SSL for traffic encryption, but without using and third-party SSL library (only standard JSSE facilities).
Actually, SSL will be used only for traffic encryption (key exchange and authentication is already made).
How it's possible to explicitly set pre-shared key for SSL?
If it's not directly supported by JSSE, but can be made by overriding default SSL classes (SSLEngine, SSLSocketFactory, and etc), how to do it? What classes can be responsible for it?
SSL/TLS lets you use several mechanisms for authentication besides certificates, eg. you can use shared secret (PSK cipher suites) or OpenPGP keys and more. However, not many implementations actually support those mechanisms. I don't know whether Java built-in cryptography supports them. Our SecureBlackbox does support all mechanisms defined in TLS specifications including those I've mentioned.
You can find open source TLS PSK JSSE socket factories powered by Bouncy Castle and released under the Apache v2 license here: https://github.com/clover/pskfactories
The project includes example usage.
Alternatively WolfSSL also appears to have a JSSE implementation that supports PSK. It's powered by native code so likely a bit more work to get up and running than if it was pure Java. It's also GPLv2 unless you purchase a commercial license.
See https://www.wolfssl.com/products/wolfssl-jni-jsse/
I have an GUI which is designed in JAVA and act as an client, and can communicate remotely to an server which is written in C/C++. Communication between them is made through Sockets. However the messages sent are not encrypted and is vulnerable to man-in-the-middle attacks. I was wondering what the best solution will be to protect the communication and wanted to implement SSL. Is it possible to do so, and if yes, what toolkit I should look into.
Java contains an SSL implementation called JSSE. See the Javadoc for the javax.net.ssl package. There is also a tutorial, and several examples are provided with the JDK.
You might not even need to modify the server at all. You could just stick stunnel in front of it.
A warning: With TLS/SSL you face a whole bunch of additional error conditions that you might need report or log, especially concerning certificates (wrong, expired, unable to verify due to networking / DNS issues)
I'm currently investigating for a client a solution where he wants to send and receive files using sftp in Domino.
I have looked on the net for API's covering this and found one recommended more than others; JSch.
One reason for choosing this API is for its use by others including Eclipse.
What I'd like to know is:
if there're any obsticales using this Library? If so, can you recommend any other?
are there any other caveats using sftp in Domino Java?
does Domino JVM support JavaTM Cryptography Extension (JCE)?
can we use Dominos self-signed certificates here, with Dominos CA?
/Mike
1) Sending. This should work, but you will probably have to deal with the JVM's Security Manager ("/jvm/lib/security/java.policy") of Domino to get a socket, ...
2) Receiving: You probably don't want to implement a SSH server inside domino. It's much easier and more secure to use the SSH server of the host and periodicaly scoop up the inbound files via an Agent.
Dominos Self Signed SSL certificates have nothing to do with SSH as implemented by JSch.
3) The Domino JVm will probably support theJavaTM Cryptography Extension (JCE). Watch out for the supported JRE versions of Domino.
4) Generally: Are you sure, you want to implement it that way? Probably way easier are either WebServices or a REST-API, both via SSL/TLS and optionally facilitating client certificates.
I have to work on an old 1.3 JVM and I'm asked to create a secure connection to another server. Unfortunately the HttpsURLConnection only appears sinc JVM 1.4.
Is there another way to create a secure connection? Is there a library that I could you to add this fonctionnality?
You need to install the Java Secure Socket Extension (JSSE), which used to be required because Sun wouldn't ship it with the JDK because of comedy export restrictions. I had a look on Sun's web site, but the JDK 1.3 instructions are preving elusive. Bear in mind that JDK 1.3 is now end-of-lifed by Sun, so they may not have any information any more.
http://hc.apache.org/httpclient-3.x/sslguide.html
Check out the BouncyCastle implementation. It works all the way down to Java 1.1 and J2ME.
If JSSE doesn't work out for you (from #skaffman's answer, it may be hard to find documentation), you may want to look into some sort of a proxy. You could set up a daemon running on the same local machine (or trusted network), which then forwards the requests over HTTPS to the final end point. You could write this proxy server using a more modern JVM. Your legacy system would then point to the proxy rather than the real service.
Of course, if, by chance, you also have control over the final end point, you could perhaps just put both servers on a VPN.
You might be able to use JSSE.
skaffman links to the SSL guide for jakarta commons HttpClient. HttpClient is a good library for dealing with http.