Reputation: 105
In HTTPS technology, an SSL certificate is required for a secure connection. This certificate must be acquired through self-generation, or through a certificate authority (CA).
In Java, an SSLSocket to SSLSocket connection promises the same security as an HTTPS connection (no man-in-the-middle, encryption, etc.).
When connecting two SSLSockets instantiated in two separate, stand-alone Java programs (one client, one server), is it necessary to supply Java (the server) with a valid certificate?
What are the methods used to specify which certificate to use? The documentation doesn't seem to have anything to say about this.
I'm talking about pure Java here. I'm not talking about using Java to connect to a web service via HTTPS.
The purpose of these sockets is to send user names and passwords from one Java application (The client) to another (The server) for identity verification purposes, so it is imperative that they are as secure as possible.
Upvotes: 1
Views: 91
Reputation: 310913
When connecting two SSLSockets instantiated in two separate, stand-alone Java programs (One client, one server), is it necessary to supply Java (The server) with a valid certificate?
In normal usage the server (the end with the SSLServerSocket) needs a certificate that is trusted by the peer.
The client only needs a certificate if the server is configured to require it, which is not the default.
What are the methods used to specify which certificate to use? The documentation doesn't seem to have anything to say about this.
See the JSSE Reference Guide. You can do this via system properties. You can also write a foot or so of code, but it isn't necessary.
Upvotes: 2
Reputation: 2863
In HTTPS technology, an SSL certificate is required for a secure connection. This certificate must be acquired through self-generation, or through a certificate authority (CA). In Java, an SSLSocket to SSLSocket connection promises the same security as an HTTPS connection (No man-in-the-middle, encryption, etc).
No: HTTPS = HTTP traffic going through an SSL socket.
When connecting two SSLSockets instantiated in two separate, stand-alone Java programs (One client, one server), is it necessary to supply Java (The server) with a valid certificate? Yes: certificate and private key. If you want two-way SSL, the client would also need its own set of key/cert.
What are the methods used to specify which certificate to use? The documentation doesn't seem to have anything to say about this.
There's a lot of ground to cover. I'm not sure how much you already know; the things that you need to read up on include keytool, KeyStore, SSLContext, SSLServerSocketFactory, KeyManager.
Or you could directly go to examples like this
Upvotes: -1
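The two answers above name the pieces (keytool, KeyStore, SSLContext, KeyManager, or the JSSE system properties) without showing them wired together. The following is an added example, not code from either answer: the server loads its key/cert from a PKCS12 key store, and the client trusts only the certificates in its own trust store, which is how a self-signed server certificate gets pinned. File names, passwords and the alias are placeholders; it assumes Java 11 or newer for TLSv1.3.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;

// Assumed key material, created with keytool (placeholder names/passwords):
//   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
//       -dname "CN=localhost" -ext SAN=dns:localhost -storetype PKCS12 -keystore server.p12
//   keytool -exportcert -alias server -keystore server.p12 -rfc -file server.crt
//   keytool -importcert -alias server -file server.crt -storetype PKCS12 -keystore client-trust.p12
// The system-property route from the first answer does the same thing without code:
//   server: -Djavax.net.ssl.keyStore=server.p12 -Djavax.net.ssl.keyStorePassword=...
//   client: -Djavax.net.ssl.trustStore=client-trust.p12 -Djavax.net.ssl.trustStorePassword=...
public final class SslSocketSetup {
    private static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    /** Server side: the private key and certificate come from the key store. */
    public static SSLServerSocket serverSocket(String keyStorePath, char[] pw, int port) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, pw), pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers: the server does not authenticate clients (one-way TLS, the default)
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return ss;
    }

    /** Client side: trust ONLY what is in our trust store, i.e. the pinned self-signed server cert. */
    public static SSLSocket clientSocket(String trustStorePath, char[] pw, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, pw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        // A plain SSLSocket does NOT check that the certificate matches the host name
        // (HttpsURLConnection does); enable that check explicitly.
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        // Fails here if the server cert is not in the trust store or the name does not match.
        s.startHandshake();
        return s;
    }
}
```

Passwords and user names sent over the socket stay inside the TLS channel, but the channel is only as trustworthy as the trust store: if the client is ever switched to the JDK default trust store, any publicly issued certificate for that host name would be accepted instead of the pinned one.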
Reputation: 123320
If you want to have a secure encryption you need to have either a pre-shared key only known to both parties or you have to do some kind of key exchange to compute the encryption key. Key Exchange requires proper identification, otherwise a man-in-the-middle attack would be possible and you would not have secure end-to-end encryption anymore.
For use of pre-shared key look out for TLS-PSK. When googling for it, it looks like there are some hits for Android implementations but mostly it is people asking if it is possible. It might be possible to do this with the alternative SSL implementation BouncyCastle.
If not using PSK, you might try to use anonymous ciphers (ADH). I don't know if they are supported by Java but in any case you would still need to have some kind of identification to make sure you are talking to the expected server.
And then there are of course certificates. You might use self-signed certificates together with public key pinning if you don't want to use public certificates for your application.
Upvotes: 0