"Java Security Technology Exploration Path series: Java Extensible Security Architecture" 13: JSSE (III): JSSE programming model

Guo Jia
Email: [Email protected]
Blog: http://blog.csdn.net/allenwells
Github:https://github.com/allenwell

A Secure socket connection that uses SSL

Client and server communication scenarios using SSL:

This scenario stores the certificate with the J2SE default KeyStore and Truststore. The SSL server uses a KeyStore that contains its private key and the corresponding public key. The SSL client uses the server certificate stored in the Truststore to verify the authenticity of the communication peer.

1.1 Jsse Client Communication

The programming steps involved in creating an SSL socket for client applications that use SSL to communicate with the server are as follows:

1. Register the Jsse provider.
2. Creates a sslsocketfactory instance.
3. Create a sslsocket to specify the host name and port.
4. Create a stream to securely send data to the server and to securely accept data from the server.
5. Closes the stream.

1.2 Jsse server-side communication

The following programming steps are involved in creating an application that serves as a server and can communicate with the client using Secure Sockets:

1. Register the Jsse provider.
2. Create a Sslserversocket factory instance.
3. Create a server SSL socket and specify its port.
4. Listens for client SSL connections.
5. Create a stream to securely send data to the client and receive data from the client.
6. Closes the stream.
7. Close the socket.

Two mutual authentication

Mutual authentication in secure communications enables clients to authenticate to the server, thereby enabling the client to verify the authenticity of the servers and thereby trust the data provided by the server.

In the process of mutual authentication, the client and server exchange their respective certificates to establish a credible channel between them. When an SSL client socket is connected to an SSL server, it receives an authentication certificate from the server, the client socket validates the certificate against a set of certificates in its Truststore, and the client then sends its own authentication certificate to the server, which validates the client's certificate against a set of certificates in its truststore. If the validation succeeds, secure communication is established. To authenticate the server's certificate on the client and the server-side to authenticate the client's certificate, the server's certificate must be pre-directed to the client's Truststore and the client's certificate will be served
Trust library for the device.

In Jsse, you can enable client-based mutual authentication by setting Sslserversocket.setneedclientauth (TRUE) to authenticate the server. To perform client authentication, you can set the Sslserversocket. Setwantclientauth (true) to require the client to provide the peer's certificate.

Three HTTP over SSL using Jsse

HTTP over SSL (HTTPS) allows secure HTTP communication to be established using SSL/TLS. In Jsse, the process of creating an F=PS connection is similar to creating an HTTP connection, except that the Jsse provider and its associated HTTPS protocol processor must be registered and SSL parameters configured before the connection can be established.

Four-agent Tunnel

When both parties communicate over the Internet, the proxy tunnel can provide higher communication security. Data is encrypted, the attacker can then easily initiate an attack to get the communication endpoint from the packet, if there is no information and session content for the communication layer and exchanging the sender's concubine receiver pays. The mechanism provided by the Proxy tunneling allows access to resources behind the firewall through a proxy server. The proxy server hides the address of the communications host in its subnet against an external attacker, which can protect the communication from attack.

The Jsse supports proxy tunneling so that it can access the apps behind the firewall, but the operation can only be done using HTTP through a proxy server. To enable proxy tunneling, Jsse requires the app to designate Https.proxyhost and Https.proxyport as System properties. To not use a proxy when connecting to certain specified hosts, you need to add http.nonproxyhosts as a system attribute.

Five host name authentication using Jsse

Hostname authentication is a mechanism that helps prevent a man-in-the-middle attack by verifying that the host on the SSL connection is the intended (authorized) communication or trusted host. The host name Validator is useful when the client or server instance is an SSL client for another server. During the SSL handshake, if the host name of the URL is inconsistent with the identity's hostname, the authentication mechanism is called back to determine whether the connection is allowed.

In Jsse-based SSL communication, to enable host name validation, you can set the **httpsurlconnection.sethostnameverifier
(Hostnameverifier HNV) * *.

Six sslengine and non-blocking IO

In J2SE 5.0, Jsse adds a new abstract class that allows applications to use the SSL/TLS protocol in a transport-independent manner so that the application does not have to select the transport, 1/o, and threading models that best meet its needs. This allows applications to use a variety of 1/o types, such as non-blocking I/O (polling), selective non-blocking I/O, sockets and traditional input/output streams, local byte buffers, or byte arrays.

6.1 Sslengine

Sslengine is called Sslcontext by a sslcontext that has been initialized. Created by Createsslengine (). Before you call Wrap () unwrap () or beginhandshake (), you must set all configuration parameters. All of these methods trigger the first handshake. The movement of data through the engine is done by calling Wrap () (outbound data) or unwrap () (inbound data). Depending on the state of Sslengine, The Wrap () call may consume application data from the source buffer and may also generate network data in the destination buffer. Outbound data may contain application data and/or handshake data. The call to unwrap () checks the data in the source buffer, and if the data is a handshake, the handshake occurs, and if the data is application information, the application data is placed in the target buffer. The status of the underlying SSL/TLS algorithm determines when data is consumed and when it is generated.

"Java Security Technology Exploration Path series: Java Extensible Security Architecture" 13: JSSE (III): JSSE programming model