![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
SSL/TLS: Securing C/S communication
In this section, we'll examine the building blocks of the Secure Sockets Layer (and its replacement, Transport Layer Security), the protocol used to authenticate the server to the client. We'll offer a few code examples as illustrations.
What is Secure Sockets Layer/Transport Layer Security?
Secure Sockets Layer (SSL) and its replacement, Transport Layer Security (TLS), is a protocol for establishing a secure communications channel between a client and a server. It is also used to authenticate the server to the client and, less commonly, used to authenticate the client to the server. It is usually seen in a browser application, where the lock at the bottom of the browser window indicates SSL/TLS is in effect.
TLS 1.0 is the same as SSL 3.1.
SSL/TLS uses a hybrid of three of the cryptographic building blocks already discussed in this tutorial, but all of this is transparent to the user. Here is a simplified version of the protocol:
- When a request is made to a site using SSL/TLS (usually with an https:// URL), a certificate is sent from the server to the client. The client verifies the identify of the server from this certificate using the installed public CA certificates, then checks that the IP name (machine name) matches the machine that the client is connected to.
- The client generates some random info that can be used to generate a private key for the conversation, known as a session key, and encrypts it with the server's public key and sends it to the server. The server decrypts the message with its private key and uses the random info to derive the same private session key as the client. The RSA public key algorithm is usually used for this phase.
- The client and server then communicate using the private session key and a private key algorithm, usually RC4. A message-authentication code, using yet another key, is used to ensure the integrity of the message.
In this example, we write an HTTPS daemon process using an SSL server socket that returns an HTML stream when a browser connects to it. This example also shows how to generate a machine certificate in a special keystore to support the SSL deployment.
In Java programming, the only thing that needs to be done is to use an SSL Server Socket Factory instead of a Socket Factory, using lines like the following:
SSLServerSocketFacctory sslf = (SSLServerSocketFactor)SSLServerSocketFactory.getDefault(); ServerSocket serverSocket = sslf.createServerSocket(PORT); |
The complete code example is listed below:
import java.io.*;
import java.net.*;
import javax.net.ssl.*;
//
// Example of an HTTPS server to illustrate SSL certificate and socket
public class HTTPSServerExample {
public static void main(String[] args) throws IOException {
//
// create an SSL socket using the factory and pick port 8080
SSLServerSocketFactory sslsf =
(SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
ServerSocket ss = sslsf.createServerSocket(8080);
//
// loop forever
while (true) {
try {
//
// block waiting for client connection
Socket s = ss.accept();
System.out.println( "Client connection made" );
// get client request
BufferedReader in = new BufferedReader(
new InputStreamReader(s.getInputStream()));
System.out.println(in.readLine());
//
// make an HTML response
PrintWriter out = new PrintWriter( s.getOutputStream() );
out.println("<HTML><HEAD>
<TITLE>HTTPS Server Example</TITLE>
" +
"</HEAD><BODY>
<H1>Hello World!</H1>
</BODY></HTML>
\n");
//
// Close the stream and socket
out.close();
s.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
|
In this example, we create an HTTPS server daemon that waits for a client browser connection and returns "Hello, World!". The browser connects to this daemon via https://localhost:8080.
We first create a machine certificate. The name must match the machine name of the computer where the daemon runs; in this case, localhost. In addition, we cannot use the same .keystore we have used in the past. We must create a separate keystore just for the machine certificate. In this case, it has the name sslKeyStore.
D:\IBM>keytool -genkey -v -keyalg RSA -alias MachineCert
-keystore sslKeyStore
Enter keystore password: password
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: Security
What is the name of your organization?
[Unknown]: Company, Inc.
What is the name of your City or Locality?
[Unknown]: Machine Cert City
What is the name of your State or Province?
[Unknown]: MN
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=localhost, OU=Security, O="Company, Inc.", L=Machine Cert City,
ST=MN, C=US correct?
[no]: y
Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
for: CN=localhost, OU=Security, O="Company, Inc.", L=Machine Cert City,
ST=MN, C=US
Enter key password for <MachineCert>
(RETURN if same as keystore password):
[Saving sslKeyStore]
|
Then, we start the server daemon process specifying the special keystore and its password:
D:\IBM>java -Djavax.net.ssl.keyStore=sslKeyStore -Djavax.net.ssl.keyStorePassword=password HTTPSServerExample |
After waiting a few seconds, fire up a browser and point it to https://localhost:8080 and you should be prompted on whether or not to trust the certificate. Selecting "yes" should display "Hello World!", and clicking on the lock in Internet Explorer will give the certificate details.
Table of contents
Local resources
Tags
Use the slider bar to see more or fewer tags.
Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).
My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).
Popular tutorial tags |
My tutorial tagsSkip to tags list
Popular tutorial tags |
My tutorial tags
