InfoQ

News

Not-Yet-Commons-SSL Provides Powerful (and Free) SSL Capabilities

Posted by James Kao on Jun 04, 2007 06:30 PM

Community
Java
Topics
Security ,
Programming
Tags
SSL
Not-Yet-Commons-SSL is an Apache licensed Java library designed to simplify the use of SSL by providing an easy-to-use API along with robust support for a variety of certificate formats and configuration options. In particular, it addresses some long standing nuisances with Java's built-in SSL support by allowing the use multiple certificates within a single JVM, handling self-signed certificates gracefully, and supporting all standard certificate format.

The project touts five design goals that sum up the library's features:
Make SSL and Java Easier. Ever wanted to work with self-signed certificates in your Java application in a secure fashion? Ever wanted to use more than one client certificte in a single running JVM? You can edit your $JAVA_HOME/jre/lib/security/cacerts file, and you can invoke Java with -Djavax.net.ssl.keyStore=/path/to/keystore. Both of these approaches are great at first, but they don't scale well. Do you really want to pollute every SSL socket in your JVM (HTTP, LDAP, JDBC, RMI, etc...) with those system-wide changes? Commons-SSL let's you control the SSL options you need in an natural way for each SSLSocketFactory, and those options won't bleed into the rest of your system.
Improve Security. CRL checking turned on by default. We hope to add support for OCSP soon! It's obnoxious to have to download CRL files around 500KB each from Thawte and Verisign every 24 hours. OCSP improves on that.
Improve Flexibility. Checking hostnames, expirations, CRL's, and many other options can be enabled/disabled for each SSLSocketFactory created.
Support more file formats, and support these formats more robustly.
  • commons-ssl supports over 50 formats of PKCS8 and OpenSSL Encrypted Private Keys in PEM or DER
  • X.509 Certificates can be PEM or DER encoded. Can also come in PKCS7 chains. (To be fair, Java always supported this.)
  • PKCS12 files can be in PEM (as created by openssl pkcs12).
  • Parsing of Base64-PEM is more tolerant of extra whitespace or comments, especially outside the Base64 sections.
Automatically detect type of KeyMaterial or TrustMaterial. Consumer does not need to know whether keystore is PKCS12 or JKS. They just need to know the password to decrypt the private key.
Not-Yet-Commons-SSL was developed at the Credit Union Central of British Columbia and was donated to the Apache Software Foundation in 2006. It is currently going through the Apache Incubation policy and the project hopes to soon become part of the Apache-Commons project in the upcoming months.

In comparison to Java's built-in capabilities, Dejan Bosanac wrote:
If you ever tried to work with SSL Socket connections in Java, you probably know that Java, by default, supports its own JKS and PKCS12 certificate formats. For those who need to work with OpenSSL it is usually suggested to convert keys and certificates to PKCS12 and then import them in the keystore using the keytool command provided with the JDK.

While all this is not a big deal for most of the applications, there should be a better solution for projects that rely heavily on SSL. Not-yet-commons-ssl project, called liked this because it is still not the official Apache project, aims to simplify Java and SSL integration.

No comments

Reply

Exclusive Content

Dan Farino About MySpace’s Architecture

Dan Farino talks about the system architecture and the challenges faced when building a very large online community. Dan explains how a .NET product scales on hundreds of servers.

The Maxine VM

Bernd Mathiske discusses Maxine VM, Java compatibility, swapping major VM components, research areas, Object handling, code examples, optimizing compiler, snippets, bytecode generation, JNI and JIT.

Joe Armstrong About Erlang

Joe Armstrong speaks on various aspects of the Erlang language, presenting its roots, how it compares with other languages and why it has become popular these days.

The Limits of Code Optimization: a new Singleton Pattern Implementation

The java double-check singleton pattern is not thread safe and can’t be fixed. In this article, Dr. Alexey Yakubovich provides an implementation of the Singleton pattern that he claims is thread-safe.

Pressure and Performance – The CTO's Dilemma

Diana and Jim talk about patterns observed in CTOs' activity. CTOs emerge as real people caring for other people in their organization, and are put under a lot of pressure and constraints.

Biztalk Services in the Cloud

Cloud computing feels like a tomorrow technology. Simon Thurman shows how developers can use Biztalk to create an Internet Service Bus which can be deployed locally or in the cloud.

Java FX Technology Preview

InfoQ takes a look at the JavaFX preview build and talks to Sun Staff Engineer Joshua Marinacci about the upcoming version 1 release expected this autumn.

Jeff Sutherland: Reaching Hyper-Productivity with Outsourced Development Teams

Jeff Sutherland, co-creator of Scrum, and Guido Schoonheim, CTO of Xebia, present an actual case of reaching hyper-productivity with a large distributed team using XP and Scrum.