I have a requirement to open a tcp socket and authenticate using SSLv3 or TLSv1 IP protocol using X.509 digital certificate.

What does this handshake process involve exactly? I know that each message should be encrypted and signed with my private key. What else?

After successful authentication I have to send POST HTTP requests over the socket.

The server may decide to close this socket if inactive after some time. I need to be able to re-open, authenticate and send requests again.

The certificate given to me is in PKCS12 format with the following information.

Certificate Identification, Certificate Public Key, Certificate Private Key, Certification Authority Chain

I'm fairly new to SSL. Can someone please provide pointers on how to go about implementing this in Java or Spring Integration?

+1  A: 

A good start is to see the javax.net.ssl.HttpsURLConnection javadocs: http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/api/javax/net/ssl/HttpsURLConnection.html

Also, you're going to need to use the keytool command to import the certificate into a keystore.

janogonzalez
A: 

You don't need to know about the handshake, it is all done for you. Read the JSSE Reference as suggested to see what you +do+ have to worry about.

EJP
A: 

Regarding TLS/SSL details, for client-certificate authentication, compared with the "normal" handshake, the server sends an extra CertificateRequest TLS message to the client, which responds with its certificate in a subsequent Certificate TLS message (later on, the client sends a CertificateVerify TLS message where it signs the other messages with its private key, so as to prove to the server that it does indeed have the private key for the public key in the certificate it sent). Note that, once the handshake has finished, the messages are not encrypted with your private key, but with ephemeral keys shared with the server (agreeing on those keys confidentially is part of the handshake too).

In practice, you need a certificate and its private key, contained in the PKCS#12 file (for example) and to configure the client to send it when connecting to the server (the server will ask for it according to its configuration). It's easier to assume you'll only need one certificate and won't have to make a choice between a number of certificates, otherwise, you need to set up your own X509TrustManager within the SSLContext.

If all your connections are likely to use this certificate, you may use the default settings, which HttpsURLConnection (and the default SSLSocketFactory) will pick up. This can be done by:

  • setting the javax.net.ssl.keyStore, javax.net.ssl.keyStoreType and javax.net.ssl.keyStorePassword system properties on the command line with your settings. I would recommend against that because someone else on the machine could potentially see the command line and your settings by listing the processes (depending on the configuration of the machine),
  • setting those system properties within your application,
  • initialising an SSLContext and setting it as the default one via SSLContext.setDefault(..) (Java 6).

Note that .p12 (PKCS#12) files are a supported keystore out of the box, so you don't need to do any conversion with keytool, just use PKCS12 as the store type.

If you need these settings or, you may initialise an SSLContext, create an SSLSocketFactory from it and then configure the instance of HttpsURLConnection (if that's what you're using) with setSSLSocketFactory.

(You may be able to use tools like jSSLutils to help build the SSLContext.)

Bruno
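The per-connection approach described in the last answer (load the PKCS#12 file, initialise an SSLContext with a KeyManager, hand its SSLSocketFactory to HttpsURLConnection, then POST), as an added example that is not code from the question or any of the answers; the file path, password handling and URL are placeholders passed on the command line, not values from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class ClientCertPost {

    /** Load the .p12 directly (PKCS12 is a built-in keystore type, so no keytool conversion)
     *  and build an SSLContext whose KeyManager answers the server's CertificateRequest. */
    static SSLSocketFactory clientCertSocketFactory(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);                 // supplies the client cert + private key
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null TrustManagers = JRE default trust store
        return ctx.getSocketFactory();          // scoped to this factory, not the JVM-wide defaults
    }

    /** One POST. Each call opens a fresh connection, so after the server drops an idle
     *  socket the next request simply re-runs the (possibly resumed) handshake. */
    static int post(SSLSocketFactory sf, String url, byte[] body) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sf);           // per-connection, as the answer suggests
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        int status = conn.getResponseCode();
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumed): args[0] = client.p12 path, args[1] = its password, args[2] = https URL.
        // Passing the password as an argument is for this demo only; it is visible via process listing.
        SSLSocketFactory sf = clientCertSocketFactory(args[0], args[1].toCharArray());
        System.out.println("HTTP " + post(sf, args[2], "a=1".getBytes("UTF-8")));
    }
}
```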