Client-side TLS session ticket support in Java 7 - java

I want to make a large number of small HTTP requests from a client machine running Java 7 to an external web server over TLS and I would like to use session resumption to make this as efficient as possible.
The web server, however, only appears to support session resumption via the TLS session ticket extension, and so far, I have not seen any documented way of enabling this feature in the javax.net.ssl package.
Does the Java 7 TLS implementation support TLS session tickets on the client side? And if not, could anyone suggest a 3rd party library which does?
Many thanks

It looks as if this isn't even supported on Java 8 and has not been explicitly listed for Java 9.
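A check added here (it is not from the question or the answer) to confirm what the question describes: whether a Java 7 client is actually getting resumed sessions. It opens two connections with the default SSLSocketFactory and compares the session IDs; the host is a placeholder. Against a server that resumes only via tickets, which the JDK client does not support, the two IDs will differ (or be empty), so every request pays for a full handshake.

```java
import java.util.Arrays;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ResumptionCheck {

    // Complete one TLS connection and return its session object.
    // Closing the socket does not evict the session from the JSSE client cache,
    // so a later connection to the same host:port may resume it by session ID.
    static SSLSession connectOnce(SSLSocketFactory factory, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake();
            return socket.getSession();
        } finally {
            socket.close();
        }
    }

    // True when both handshakes ended in the same, non-empty session ID, i.e. the second
    // connection was resumed from the ID-based cache. A server that does not cache by ID
    // hands back a different (or zero-length) ID each time, so no resumption took place.
    static boolean wasResumed(SSLSession first, SSLSession second) {
        return first.getId().length > 0 && Arrays.equals(first.getId(), second.getId());
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "tls-server.example"; // placeholder host
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        SSLSession first = connectOnce(factory, host, 443);
        SSLSession second = connectOnce(factory, host, 443);

        System.out.println("protocol:      " + second.getProtocol());
        System.out.println("cipher suite:  " + second.getCipherSuite());
        System.out.println("first id:      " + first.getId().length + " bytes");
        System.out.println("second id:     " + second.getId().length + " bytes");
        System.out.println("resumed by id: " + wasResumed(first, second));
    }
}
```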

Related

How to tell what SSL/TLS protocols are allowed from my client application?

I have a client application communicating with an external party's application. The client application has been up and running for a long time.
Recently, I received a request from the third party asking about the allowed SSL/TLS protocols on the application server where my client application is running and calling their application.
Questions
How can I tell what SSL/TLS protocols are allowed from my client application?
What has been done so far
1 - I checked the SSL configuration in the browser on the server where my client application is running; see the screenshot below. Is this what the third-party team is trying to find out?
2 - The client application is running on WebLogic 10.3.6. I checked the WebLogic configuration in the following places but could not find anything about the SSL/TLS protocols used:
2.1 - Summary of Servers > Server_1 > Protocols
2.2 - Summary of Servers > Server_1 > Configuration > SSL
------ Update ------
I am using Java 7 for the client application. For that I checked the Java™ Secure Socket Extension (JSSE) documentation online, where I found the following:
Engine Class Implemented : SSLContext
Algorithm or Protocol: SSLv3 (a.k.a. SSL), TLSv1 (a.k.a. TLS), TLSv1.1, TLSv1.2
See documentation Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7, The SunJSSE Provider for more information.
So are these the allowed SSL/TLS protocols from my client application? Further, if Java has its own allowed protocols, then how is that related to the protocol settings in the browser (point 1 above)?
See http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm#SECMG634 (there are similar settings for 11G)
The browser settings are a red herring - the third-party app will connect to weblogic, not your browser, and negotiate a secure protocol based on what WLS + the third party app can mutually support.
Java 7's default settings are acceptable, although if you need PCI-DSS compliance you should probably set TLS 1.1 as the minimum.
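An example added here (not from the question or the answer) that answers the "what is allowed from my client" part from the JSSE side: it prints what the provider supports versus what a client socket enables by default, and then shows one socket restricted to TLS 1.1 and 1.2, the minimum the answer recommends. The host argument is a placeholder.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ClientProtocols {

    // What the installed JSSE provider can speak versus what a client socket will
    // actually offer in its ClientHello unless the application changes it.
    // On Java 7 the supported list includes TLSv1.1 and TLSv1.2, but they are not
    // in the client's default enabled list, which tops out at TLSv1.
    static void report() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("supported: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled:   " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }

    // Open one client connection that offers TLS 1.1 and 1.2 only; SSLv3 and TLSv1
    // are no longer offered, so a peer that only speaks those cannot be reached.
    static SSLSocket connectTls11OrBetter(String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        socket.setEnabledProtocols(new String[] { "TLSv1.1", "TLSv1.2" });
        socket.startHandshake(); // throws SSLHandshakeException if no common protocol exists
        System.out.println("negotiated: " + socket.getSession().getProtocol());
        return socket;
    }

    public static void main(String[] args) throws Exception {
        report();
        // Code that goes through HttpsURLConnection instead of raw sockets gets the same
        // restriction JVM-wide with -Dhttps.protocols=TLSv1.1,TLSv1.2 on the command line.
        if (args.length > 0) {
            connectTls11OrBetter(args[0], 443).close();
        }
    }
}
```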

Java HTTP/2 Server Socket

I want to get server sockets working for HTTP/2 in Java, preferably TLS/https.
I've got a TLS server socket working fine, but browsers will only talk HTTP/1.1 to it. If I understand correctly, you need ALPN to get an HTTP/2 browser to connect to your TLS socket and start running HTTP/2 on it; browsers won't ask for an upgrade to HTTP/2 on https. It seems Java 8 does not do ALPN so far. Maybe there is some other way to coerce browsers to do HTTP/2, at least non-TLS.
So, anybody know how to make a Java server socket for HTTP/2?
Java won't get ALPN until at least JDK 9, which is slated for late 2016 or 2017.
Meanwhile, you can use Jetty's ALPN implementation, or better yet, use Jetty (or other servers as suggested) directly rather than doing your own HTTP/2 implementation using ServerSocket.
[Disclaimer, I am a Jetty committer]
Jetty 9.3 has great support for HTTP/2, including HTTP/2 Push.
FYI, the Java dev team is preparing ALPN for Java 9.
Hopefully, as you can see in this issue, https://bugs.openjdk.java.net/browse/JDK-8062848:
"ALPN support may be backported to JDK 8 so an implementation is needed that does not introduce any new Java SE APIs. This may require creating something in a com.oracle.ssl.net package or via System Properties."
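An added example (not from the question or any of the answers) of the route the answers recommend: a Jetty 9.3 server that uses Jetty's ALPN connection factory to negotiate h2 over TLS and falls back to HTTP/1.1 for browsers that do not offer it. It assumes the jetty-server, jetty-http2-server and jetty-alpn-server artifacts, a placeholder keystore, and, on Java 8, the alpn-boot jar matching the JDK update on the boot classpath (-Xbootclasspath/p:alpn-boot-<version>.jar), because the JDK itself has no ALPN.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.http2.HTTP2Cipher;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Http2TlsServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server();
        // One HTTPS configuration shared by the h2 and http/1.1 connection factories.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        HttpConnectionFactory http1 = new HttpConnectionFactory(httpsConfig);
        HTTP2ServerConnectionFactory http2 = new HTTP2ServerConnectionFactory(httpsConfig);
        // ALPN selects "h2" when the browser offers it; everything else falls back to http/1.1.
        ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
        alpn.setDefaultProtocol(http1.getProtocol());
        // Keystore path and password are placeholders. HTTP/2 forbids many legacy TLS 1.2
        // cipher suites, so let Jetty order suites with its HTTP/2-aware comparator.
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/keystore.jks");
        ssl.setKeyStorePassword("changeit");
        ssl.setCipherComparator(HTTP2Cipher.COMPARATOR);
        ssl.setUseCipherSuitesOrder(true);
        // Connection factory chain on the connector: TLS -> ALPN -> (h2 | http/1.1).
        SslConnectionFactory tls = new SslConnectionFactory(ssl, alpn.getProtocol());
        ServerConnector connector = new ServerConnector(server, tls, alpn, http2, http1);
        connector.setPort(8443);
        server.addConnector(connector);
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException, ServletException {
                response.setContentType("text/plain");
                // Reports "HTTP/2.0" for a negotiated h2 connection, "HTTP/1.1" otherwise.
                response.getWriter().println("negotiated " + request.getProtocol());
                baseRequest.setHandled(true);
            }
        });
        server.start();
        server.join();
    }
}
```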

Incorporating SSO in addition to/instead of SSL

I have a system protected by SSL, and clients use a smartcard for accessing their certificate. I use Java's pkcs11.
I have posted this question here (even with bounty):
pkcs11 sso (using prior windows login with smartcard)
The same smartcard is used for Windows login, and I would like to save the client the trouble of re-logging in using the smartcard (PIN).
Many links I have read about this issue led me to the world of SSO: NTLM, Kerberos, etc.
I feel SSO is a bit of an overspec for what I wanted to achieve, and also, by the looks of it, at least Kerberos requires me to create a KDC server and other new components that will lengthen my development time.
So, some introductory questions about SSO I couldn't find an answer to:
Will it actually solve the problem I presented? (The smartcards contain "classic" certificates signed by a CA.)
I would like a minimal solution (in terms of components); which is the best implementation for this, NTLM or Kerberos? I will probably have to use a JNA wrapper like WAFFLE, right? By the way, I will use Windows as the OS.
Thank you for your help.
The only way is to set up a Windows Active Directory (a KDC implementation) to use the full power of SSO with Kerberos. There is no other option. Don't use NTLM; it has a lot of drawbacks. Waffle has its drawbacks too: due to its different nature, it does not integrate into JGSS, which makes it unusable comprehensively in Java.
If you want to avoid licensing fees for Windows server, you may try Samba 4 which is an OSS alternative to the AD.
I have been doing this for years in a corporate environment, from Windows clients to a Unix-based server.

SFTP/SSH Java agent in Domino

I'm currently investigating, for a client, a solution where he wants to send and receive files using SFTP in Domino.
I have looked on the net for APIs covering this and found one recommended more than others: JSch.
One reason for choosing this API is its use by others, including Eclipse.
What I'd like to know is:
Are there any obstacles to using this library? If so, can you recommend any other?
Are there any other caveats to using SFTP in Domino Java?
Does the Domino JVM support the Java™ Cryptography Extension (JCE)?
Can we use Domino's self-signed certificates here, with Domino's CA?
/Mike
1) Sending: This should work, but you will probably have to deal with the Domino JVM's Security Manager ("/jvm/lib/security/java.policy") to get a socket, ...
2) Receiving: You probably don't want to implement an SSH server inside Domino. It's much easier and more secure to use the SSH server of the host and periodically scoop up the inbound files via an agent.
Domino's self-signed SSL certificates have nothing to do with SSH as implemented by JSch.
3) The Domino JVM will probably support the Java™ Cryptography Extension (JCE). Watch out for the JRE versions supported by Domino.
4) Generally: Are you sure you want to implement it that way? Probably way easier are either web services or a REST API, both via SSL/TLS and optionally facilitating client certificates.
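An added example (not from the question or the answer) of the "sending" case with JSch, written as plain Java so it runs outside Domino too. It pins the server through a known_hosts file and authenticates with a key instead of a password; host, user, paths and the policy grant are placeholders.

```java
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;

public class SftpSend {

    // Upload one file with JSch. The server's host key must already be in the
    // known_hosts file; an unknown or changed key aborts the connection instead
    // of being accepted silently. Public-key authentication, no passwords.
    static void upload(String host, String user, String knownHosts, String privateKey,
                       String localPath, String remotePath) throws JSchException, SftpException {
        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHosts);
        jsch.addIdentity(privateKey);

        Session session = jsch.getSession(user, host, 22);
        session.setConfig("StrictHostKeyChecking", "yes");
        session.connect(15000); // connect timeout in milliseconds

        ChannelSftp sftp = null;
        try {
            sftp = (ChannelSftp) session.openChannel("sftp");
            sftp.connect(15000);
            sftp.put(localPath, remotePath); // overwrites an existing remote file by default
        } finally {
            if (sftp != null) {
                sftp.disconnect();
            }
            session.disconnect();
        }
    }

    // In a Domino agent this body would run from AgentBase.NotesMain(), and the Domino
    // JVM's java.policy must allow the outbound socket, for example (placeholder host):
    //   grant { permission java.net.SocketPermission "sftp.example.test:22", "connect,resolve"; };
    public static void main(String[] args) throws Exception {
        upload("sftp.example.test", "domino", "/local/notesdata/known_hosts",   // placeholders
               "/local/notesdata/sftp_id_rsa", "/tmp/outbound.csv", "inbound/outbound.csv");
    }
}
```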

Is there a way to establish a HTTPS Connection with Java 1.3?

I have to work on an old 1.3 JVM and I'm asked to create a secure connection to another server. Unfortunately, HttpsURLConnection only appears since JVM 1.4.
Is there another way to create a secure connection? Is there a library that I could use to add this functionality?
You need to install the Java Secure Socket Extension (JSSE), which used to be required because Sun wouldn't ship it with the JDK because of comedy export restrictions. I had a look on Sun's web site, but the JDK 1.3 instructions are proving elusive. Bear in mind that JDK 1.3 is now end-of-lifed by Sun, so they may not have any information any more.
http://hc.apache.org/httpclient-3.x/sslguide.html
Check out the BouncyCastle implementation. It works all the way down to Java 1.1 and J2ME.
If JSSE doesn't work out for you (from #skaffman's answer, it may be hard to find documentation), you may want to look into some sort of a proxy. You could set up a daemon running on the same local machine (or trusted network), which then forwards the requests over HTTPS to the final end point. You could write this proxy server using a more modern JVM. Your legacy system would then point to the proxy rather than the real service.
Of course, if, by chance, you also have control over the final end point, you could perhaps just put both servers on a VPN.
You might be able to use JSSE.
skaffman links to the SSL guide for Jakarta Commons HttpClient. HttpClient is a good library for dealing with HTTP.
