tags:

views:

617

answers:

3
Q: 

Java SSL renegotiation (from SSL to clear channel)

I'm doing something in Java SE that would require me to use SSL in an unusual way.
The required steps would be something like:

  • Establish an SSL session;
  • Exchange some private information;
  • Renegotiate connection parameters to stop using cryptographic operations.

I haven't found in the Java API a way to to this. I believe that the problem solution would somehow be addressed by using the session renegotiation but with a cipher suite with no cryptographic operations, but there isn't such an option; or to access the underling socket and bypass cryptographic operations.

Are any of these options possible? Do you believe that such functionality would be available in other languages and frameworks (C, PHP, Ruby, .NET, Perl, Python, etc.)?

Thanks for the help,
Luís M. Costa

+2  A: 

You could do something like this in Java, but it's definitely not standard. I can't vouch for other platforms having the necessary support for this.

The JSSE provides support for transport-independent SSL with the SSLEngine. You could use this to temporarily "decorate" a socket with SSL, then turn it off when you are done and use the raw socket IO directly.

I can't guess why you'd want to turn off SSL once you had gone to the expense of negotiating the SSL session. If it is for the sake of performance, you can renegotiate the cipher suite to use "NULL" confidentiality and integrity protocols, as long as both parties allow it. You'd still have a little overhead in the SSL record layer. However, the overhead of SSL after the session parameters have been negotiated is extremely low. If your application is that sensitive to this overhead, you might want to consider dedicated SSL hardware.

erickson  2009-05-01 17:19:58
I have to agree and stress that the real overhead of SSL is all in the negotiation; it takes very little work to perform the symmetric encryption/decryption on the actual data that is moved across the link.
Software Monkey  2009-05-02 06:51:48
A: 

Why not just drop the connection and reconnect? There would be less overhead in establishing a TCP connection that in renegotiating SSL.

Software Monkey  2009-05-02 06:52:44
A: 

One reason to turn off SSL on the existing socket is for implementing the FTP clear control channel (CCC) command (FTP over TLS). This switches the control channel back to cleartext so that firewalls can see the dynamic port request.

tbond  2009-11-12 14:20:25

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java