hc-dev mailing list archives

From "Julius Davies" <juliusdav...@gmail.com>
Subject not-yet-commons-ssl-0.3.7 released!
Date Thu, 22 Feb 2007 18:20:07 GMT
not-yet-commons-ssl-0.3.7 released!


Features as of not-yet-commons-ssl-0.3.7:

1. useStrongCiphers() used by default.
40 bit and 56 bit ciphers are now disabled by default. To turn them
back on call useDefaultJavaCiphers().

2. addAllowedName() adds some flexibility to the CN verification.
Here's a code example using "cucbc.com" to connect, but anticipating
"www.cucbc.com" in the server's certificate:

    SSLClient client = new SSLClient();
    client.addAllowedName( "www.cucbc.com" );
    Socket s = client.createSocket( "cucbc.com", 443 );

This technique is also useful if you don't want to use DNS, and want
to connect using the IP address.

3. SSLServer can re-use a Tomcat-8443 private key if running from inside Tomcat.
    SSLServer server = new SSLServer();

4. RMI-SSL support improved.
Attempts to re-use the Tomcat-8443 private key for all RMI SSL Server
sockets. Anonymous server-sockets (port 0) will always be set to port
31099. Analyzes the server certificate CN field and tries to set
"java.rmi.server.hostname" to something compatible with that. Probably
the only free implementation around that does a good job on the
hostname verification!

5. KeyMaterial constructor blows up earlier.
If a JKS or PKCS12 file is provided that isn't going to work (e.g. no
private keys), the KeyMaterial constructor throws an exception right

6. getSSLContext() now available to help inter-op with Java 5 SSL-NIO libraries.
Oleg has been working hard on SSL-NIO for the Apache httpcomponents
library. Go check it out!

7. Fixed bug where SSLClient couldn't be used with
javax.net.ssl.HttpsURLConnection on Java 1.4.x
I was wrapping the SSLSocket, but Java 1.4.x guards against that
inside HttpsURLConnection and throws this exciting exception:

java.lang.RuntimeException: Export restriction: this JSSE
implementation is non-pluggable.
at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.checkCreate(DashoA6275)
at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:560)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(DashoA6275)

Silly Java - I'm still using your JSSE implementation, I'm just wrapping it!

The KeyStoreBuilder command-line utility can go both ways now (to jks,
and to pkcs8 in PEM format).  So you can use it to convert a java
"keystore" file into an Apache-SSL compatible PEM file for your httpd


$ java -cp commons-ssl-0.3.4.jar org.apache.commons.ssl.KeyStoreBuilder
KeyStoreBuilder:  outputs JKS file (java keystore) as ./[alias].jks
[alias] will be set to the first CN value of the X509 certificate.
Usage1:  [password] [file:pkcs12]
Usage2:  [password] [file:private-key] [file:certificate-chain]
[private-key] can be openssl format, or pkcs8.
[password] decrypts [private-key], and also encrypts outputted JKS file.
All files can be PEM or DER.


Julius Davies
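The following is an added example, not code from the announcement above or from the commons-ssl project itself. It shows item 2 in context: dialing a server by IP address while still verifying the certificate against the name we expect it to carry, so hostname checking stays on rather than being switched off. It also shows item 5 (a bad keystore failing in the KeyMaterial constructor). The IP address, the expected name and the keystore path are constructed placeholders; the KeyMaterial(String, char[]) constructor is assumed from the library's documented usage and is not shown on this page.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLException;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.SSLClient;

/**
 * Added example (not part of the original release announcement):
 * connect by IP address but keep the server-certificate name check,
 * using addAllowedName() from item 2 above.
 */
public class AllowedNameDemo {

    // Constructed placeholder values; substitute your own server and name.
    static final String SERVER_IP = "203.0.113.10";      // RFC 5737 documentation address
    static final String EXPECTED_CN = "www.example.com";  // name the server's certificate actually carries
    static final String CLIENT_KEYSTORE = "/path/to/client.jks"; // hypothetical path

    /**
     * Opens a verified TLS socket to host:port. Because the socket is dialed
     * by IP, the certificate's CN would not match "host"; addAllowedName()
     * tells the verifier which name to accept instead. Any other name, an
     * untrusted chain or an expired certificate still fails the handshake.
     */
    public static Socket connectWithExpectedName(String host, int port, String expectedName)
            throws GeneralSecurityException, IOException {
        SSLClient client = new SSLClient();      // 0.3.7 default: strong ciphers only (item 1)
        client.addAllowedName(expectedName);     // accept this name even though we dialed by IP
        return client.createSocket(host, port);  // hostname verification still runs here
    }

    /**
     * Item 5: a JKS/PKCS12 file with no usable private key fails here, in the
     * constructor, instead of surfacing later as a confusing handshake error.
     * Assumed constructor signature: KeyMaterial(String path, char[] password).
     */
    public static KeyMaterial loadClientKey(String path, char[] password)
            throws GeneralSecurityException, IOException {
        return new KeyMaterial(path, password);
    }

    public static void main(String[] args) {
        try (Socket s = connectWithExpectedName(SERVER_IP, 443, EXPECTED_CN)) {
            System.out.println("Verified TLS session to " + s.getInetAddress());
        } catch (SSLException e) {
            // Certificate did not carry EXPECTED_CN, or failed trust/expiry checks: fail closed.
            System.err.println("Handshake rejected: " + e.getMessage());
        } catch (GeneralSecurityException | IOException e) {
            System.err.println("Connection failed: " + e.getMessage());
        }

        try {
            KeyMaterial km = loadClientKey(CLIENT_KEYSTORE, "changeit".toCharArray());
            System.out.println("Loaded key material: " + km);
        } catch (GeneralSecurityException | IOException e) {
            // Thrown immediately for a keystore without private keys (item 5).
            System.err.println("Key material unusable: " + e.getMessage());
        }
    }
}
```

The point of addAllowedName() is that it narrows what the verifier accepts to one extra, explicitly named identity; it is the alternative to disabling hostname checking altogether when the dialed address and the certificate name differ (IP-address connections, or connecting to a host alias as in the cucbc.com example in item 2).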
