Connecting To A Secure Host Using SSL Socket And Getting Certificate Info In Java

Secure Sockets Layer (SSL) is a cryptographic protocol that provides security for communications over networks such as the Internet. SSL encrypts the segments of network connections at the Transport Layer end-to-end. Several versions of the protocol are in widespread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

SSL is now called Transport Layer Security (TLS).

Secure Sockets Layer (SSL) technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:

1. An SSL Certificate enables encryption of sensitive information during online transactions.
2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
3. A Certificate Authority verifies the identity of the certificate owner when it is issued.

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.

In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client knows the server’s identity), but not vice versa (the client remains unauthenticated or anonymous). More strictly speaking, server authentication means different things to the browser (software) and to the end-user (human). At the browser level, it only means that the browser has validated the server’s certificate, i.e. checked the digital signatures of the server certificate’s issuing CA-chain (chain of Certification Authorities that guarantee bindings of identification information to public keys; see public key infrastructure (PKI)). Once validated, the browser is justified in displaying a security icon (such as “closed padlock”). But mere validation does NOT “identify” the server to the end-user. For true identification, it is incumbent on the end-user to do one of the following: to cipher something using the public key contained in the certificate and assure that the server can understand it, or to be diligent in scrutinizing the identification information contained in the server’s certificate (and indeed its whole issuing CA-chain). These are the only two ways for the end-user to know the “identity” of the server.

In particular: the “locked padlock” icon has no relationship to the URL, DNS name or IP address of the server – thinking otherwise is a common misconception. Such a binding can only be securely established if the URL, name or address is specified in the server’s certificate itself. Malicious websites can’t use the valid certificate of another website because they have no means to encrypt the transmission such that it can be decrypted with the valid certificate. Since only a trusted CA can embed a URL in the certificate, this ensures that checking the apparent URL with the URL specified in the certificate is a valid way of identifying the true site. Misunderstanding this subtlety makes it very difficult for end-users to properly assess the security of web browsing (though this is not a shortcoming of the TLS protocol itself — it’s a shortcoming of PKI).

TLS also supports the more secure bilateral connection mode (typically used in enterprise applications), in which both ends of the “conversation” can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party’s certificate). This is known as mutual authentication. Mutual authentication requires that the TLS client-side also hold a certificate (which is not usually the case in the end-user/browser scenario). Unless, that is, TLS-PSK, the Secure Remote Password (SRP) protocol, or some other protocol is used that can provide strong mutual authentication in the absence of certificates. [References: Wikipedia, Verisign Website]

The following code connects to a Gmail server over a secure socket and then prints some information retrieved from the server's certificate chain.

package com.kushal.security;

/**
 * @Author Kushal Paudyal
 * www.sanjaal.com/java
 * Last Modified On: 2009-10-05
 *
 * A class that reads SSL Certificate from a SSL Server
 * and then prints some basic details.
 */
import java.security.cert.Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class JavaSSLCertificate {

    public static void main(String[] argv) throws Exception {

        /**
         * 443 is the network port number used by the SSL https: URI scheme.
         */
        int port = 443;

        String hostname = "gmail.com";

        SSLSocketFactory factory = HttpsURLConnection
                .getDefaultSSLSocketFactory();

        System.out.println("Creating a SSL Socket For "+hostname+" on port "+port);

        SSLSocket socket = (SSLSocket) factory.createSocket(hostname, port);

        /**
         * Starts an SSL handshake on this connection. Common reasons include a
         * need to use new encryption keys, to change cipher suites, or to
         * initiate a new session. To force complete reauthentication, the
         * current session could be invalidated before starting this handshake.
         * If data has already been sent on the connection, it continues to flow
         * during this handshake. When the handshake completes, this will be
         * signaled with an event. This method is synchronous for the initial
         * handshake on a connection and returns when the negotiated handshake
         * is complete. Some protocols may not support multiple handshakes on an
         * existing socket and may throw an IOException.
         */
        socket.startHandshake();
        System.out.println("Handshaking Complete");

        /**
         * Retrieve the server's certificate chain
         *
         * Returns the identity of the peer which was established as part of
         * defining the session. Note: This method can be used only when using
         * certificate-based cipher suites; using it with non-certificate-based
         * cipher suites, such as Kerberos, will throw an
         * SSLPeerUnverifiedException.
         *
         * Returns: an ordered array of peer certificates, with the peer's own
         * certificate first followed by any certificate authorities.
         */
        Certificate[] serverCerts = socket.getSession().getPeerCertificates();
        System.out.println("Retreived Server's Certificate Chain");

        System.out.println(serverCerts.length + "Certifcates Found\n\n\n");
        for (int i = 0; i < serverCerts.length; i++) {
            Certificate myCert = serverCerts[i];
            System.out.println("====Certificate:" + (i+1) + "====");
            System.out.println("-Public Key-\n" + myCert.getPublicKey());
            System.out.println("-Certificate Type-\n " + myCert.getType());

            System.out.println();
        }

        socket.close();
    }

    /*
     * SANJAAL CORPS MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY OF
     * THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
     * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
     * PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SANJAAL CORPS SHALL NOT BE LIABLE FOR
     * ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR
     * DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES.
     *
     * THIS SOFTWARE IS NOT DESIGNED OR INTENDED FOR USE OR RESALE AS ON-LINE
     * CONTROL EQUIPMENT IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE
     * PERFORMANCE, SUCH AS IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT
     * NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, DIRECT LIFE
     * SUPPORT MACHINES, OR WEAPONS SYSTEMS, IN WHICH THE FAILURE OF THE
     * SOFTWARE COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE
     * PHYSICAL OR ENVIRONMENTAL DAMAGE ("HIGH RISK ACTIVITIES"). SANJAAL CORPS
     * SPECIFICALLY DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR
     * HIGH RISK ACTIVITIES.
     */
}

The following is the output of this program.

Creating a SSL Socket For gmail.com on port 443
Handshaking Complete
Retreived Server's Certificate Chain
2Certifcates Found

====Certificate:1====
-Public Key-
IBMJCE RSA Public Key:
modulus:
1389277832876873571356666518043592958840301961
4484841588144973010697970639414858983523148132
9534201403053163652650041614399012580431188896
6613534551452976904556960325504887413917474247
9732610834836818807768413456552220493393779728
2995776264493758471872994567016039589495619187
148266393693398136695091763161689
public exponent:
65537

-Certificate Type-
 X.509

====Certificate:2====
-Public Key-
IBMJCE RSA Public Key:
modulus:
1494513612029832286788531746732600649152100155
6875517812183589681347610297584960823616053002
5148408068015676874970828987319389099279139710
3120571782332820421837352504363223437781130292
9747517640755906704156786100858256088087223511
8626093670157751685892563822841241263685435061
247717973073679225111084128559129
public exponent:
65537

-Certificate Type-
 X.509
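
A raw SSLSocket like the one used in the program validates the certificate chain against the trust store but does not compare the certificate with the host name, which is the binding between name and certificate discussed earlier. The following added example (not part of the original post) turns that check on and prints the identification fields of each certificate; the class name VerifiedCertificateInfo is an assumption, and like the original program it needs network access.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; class name is hypothetical.
public class VerifiedCertificateInfo {

    public static void main(String[] args) throws Exception {
        String hostname = args.length > 0 ? args[0] : "gmail.com"; // host used on this page
        int port = 443;

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(hostname, port)) {
            // Without this, the handshake succeeds for ANY trusted certificate,
            // even one issued for a different host name.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Throws SSLHandshakeException if the chain is untrusted
            // or no name in the certificate matches 'hostname'.
            socket.startHandshake();

            System.out.println("Protocol: " + socket.getSession().getProtocol());
            System.out.println("Cipher suite: " + socket.getSession().getCipherSuite());

            Certificate[] chain = socket.getSession().getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                if (!(chain[i] instanceof X509Certificate)) continue;
                X509Certificate cert = (X509Certificate) chain[i];
                System.out.println("==== Certificate " + (i + 1) + " ====");
                System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
                System.out.println("Issuer: " + cert.getIssuerX500Principal().getName());
                System.out.println("Valid: " + cert.getNotBefore() + " .. " + cert.getNotAfter());
                System.out.println("Signature algorithm: " + cert.getSigAlgName());
                Collection<List<?>> sans = cert.getSubjectAlternativeNames();
                if (sans == null) continue; // certificate carries no SAN extension
                for (List<?> san : sans) {
                    // Each entry is [type, value]; type 2 = dNSName, 7 = iPAddress.
                    System.out.println("SAN (type " + san.get(0) + "): " + san.get(1));
                }
            }
        }
    }
}
```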
