开发者

java security configuration for ssl

I have the following question on SSL/TLS.

After the server hello, starts the authentication phase of the server.

From various articles/books, it appears that this phase is optional. E.g. in wiki

The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the server).

But I do not understand what it means to say that it depends on the encryption suite.

So my understanding is either a ServerKeyExchange or a Certificate follows a ServerHello.

So my question is, can the serve开发者_如何学JAVAr authentication be omitted all together?

For example to omit client aunthentication in Tomcat, you just configure the connector to not request it.

How can the server authentication be omitted? Does it depend on the java framework I use, if it supports it?

And what does it mean to omit the server authentication? If the certificate is not send then the ServerKeyExchange becomes mandatory, or usually frameworks allow provisioning of a local public key instead if one wants to by pass-authentication phase for performance or because it does not make any sense?

Or does this depends on the encryption suite somehow, as wiki seems to imply?

NOTE:

I understand that server should always be authenticated. The context of my problem though is a client app and server running on the same machine (and java runtime I guess) so it can be considered safe to bypass server authentication (I think).

Any input is highly welcome!

Thanks!


In TLS/SSL, server authentication is optional. If you choose TLS/SSL cipher suite without authn (such as TLS_NULL_WITH_NULL_NULL (turns off authn and encryption) or TLS_DH_anon_XXXX (use only encryption) in TLS specification), server certificate won't be sent.

TLS/SSL without authn doesn't seem to be supported pure-Java connector. But I think the native-connector with SSLCipherSuite=aNULL supports it.

I don't know it's safe to disable authn, i.e., attacks such as DNS-spoofing might be threats. I think you'd better to use server authn if performance is not problem. Or, turning off TLS/SSL itself might be choice. (Encrypting server-client communication might be meaningless because administrator of the computer can steal certificate files and dump JVM heap.)


Authentication and Encryption are important when data travels across an untrusted network or when one of the endpoints is not trusted. If you application only makes connections on localhost, then Authentication and Encryption aren't important (the fact that your data and application are on locahost implies a trust in localhost).


you can get ssl configuration for tomcat 6 from

http://nayanmali.blogspot.com/

you got whole configuration and how to create keytool and how to generate certificate form that

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜