tags:

views:

289

answers:

1
+1  Q: 

SSL HandShake on Java Client

I have a very basic doubt in SSL HandShake. Assume that we have a server S which uses self signed certificates. I write a Java client C which connects to the S. When C connects to S, C gets certificates from S and saves them to its truststore and the remaining part of the communication proceeds. After some time I use the same C to connect to the S, so will S send the certificates again to C, or C will use the certificates already stored in truststore. I am not good in SSL and underlying implementation of Truststore functionality in Java.

Will S send the certificates to C invariable of whether the C has certificates on its truststore?? I believe that if I have certificates in truststore C trusts S and C will not ask for certificates when I connect again?? Is my assumption right??

Is the process same for self-signed certificates and CA certificates??

Thanks in advance.

+1  A: 

This is my understanding of SSL, I am not an expert in the subject, but in the absence of other answers hopefully I can at least give you some things to think about.

When you create a self signed certificate for the server you need to add this to the client somehow, it doesn't get installed as soon as the client connects, otherwise any server could just become trusted by sending a self signed certificate to anything that tries to connect to it. In my application the server certificate is loaded into the truststore of the client when it is started up by specifying javax.net.ssl.truststore("path/to/server/cert");

Now, when the client connects to the server the handshake takes place. At this point the server will send it's certificate to the client and the client will confirm that it has in fact come from the server by checking it against its truststore (at this point it doesn't matter if it is self-signed or not, because the client should check the root certificates as well as any you have added). If the certificate sent by the server checks out the communication continues and data is shared.

There is some form of session behvaiour that takes place that allows the communication to proceed without having to exchange certificates every time. But I believe this is limited to the single connection, so as soon as you close the connection and create a new one the process has to be repeated, i.e. the server has to send its certificate for validation again.

So in summary: the self-signed server certificate has to be installed on the client outwith the SSL communication (like how root CA certificates are installed in a product from the start). Every SSL connection made between client and server will require the server to send its certificate to the client so that it can check it against its truststore.

It is possible that the server will allow for sessions to be resumed, in which case the certificate will not be resent (but I am not sure under what conditions a session can be resumed, perhaps that is configurable on different servers).

Hope this at least gives you something to think about.

DaveJohnston  2010-04-23 14:58:37
That's pretty good. The resumption capability is not tied to connections; it usually simply a matter of the session having a certain lifetime, commonly five minutes, during which new SSL connections between the same SSL peers can reuse the master secret generated in the beginning.
GregS  2010-04-24 00:55:06
I wrote a https simulator in java. I was able to simulate 12000 - 15000 requests in 15 secs using self-signed certificates. But it takes 3 mins using CA certificates? I really do not understand why this happens.Is there any subtle difference in the handling of self signed versus CA certificates?
JKV  2010-04-26 11:28:47
I don't think there is any difference in the way they are handled, but there could be differences in the certificates themselves. Perhaps the key size used in the self signed certificate is shorter than the CA certificates? The CA certificates could have a long chain of certificates, so in order to verify the client certificate it has to look through a longer list of trusted certificates.There are ways to look at these things using openssl I think.
DaveJohnston  2010-04-27 08:58:03

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java