Java™ Secure Socket Extension (JSSE)
Reference Guide
for Java™ Platform Standard Edition 6
Data that travels across a network can easily be accessed by someone who is not the intended recipient. When the data includes private information, such as passwords and credit card numbers, steps must be taken to make the data unintelligible to unauthorized
parties. It is also important to ensure the data has not been modified, either intentionally or unintentionally, during transport. The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols were designed to help protect the privacy and integrity
of data while it is transferred across a network.
The Java Secure Socket Extension (JSSE) enables secure Internet communications. It provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption,
server authentication, message integrity, and optional client authentication. Using JSSE, developers can provide for the secure passage of data between a client and a server running any application protocol, such as Hypertext Transfer Protocol (HTTP), Telnet,
or FTP, over TCP/IP. (For an introduction to SSL, see Secure Sockets Layer (SSL) Protocol Overview.)
By abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE minimizes the risk of creating subtle but dangerous security vulnerabilities. Furthermore, it simplifies application
development by serving as a building block that developers can integrate directly into their applications.
JSSE was previously an optional package to the Java™ 2 SDK, Standard Edition (J2SDK), v 1.3. JSSE was integrated into the Java™ Standard
Edition Development Kit starting with J2SDK 1.4.
JSSE provides both an application programming interface (API) framework and an implementation of that API. The JSSE API supplements the "core" network and cryptographic services defined by the java.security and java.net packages
by providing extended networking socket classes, trust managers, key managers, SSLContexts, and a socket factory framework for encapsulating socket creation behavior. Because the socket APIs were based on a blocking I/O model, in JDK 5.0, a non-blocking SSLEngine API
was introduced to allow implementations to choose their own I/O methods.
The JSSE API is capable of supporting SSL versions 2.0 and 3.0 and Transport Layer Security (TLS) 1.0. These security protocols encapsulate a normal bidirectional stream socket and the JSSE API adds transparent
support for authentication, encryption, and integrity protection. The JSSE implementation shipped with Sun's JRE supports SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.
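The protocol versions and cipher suites a given JSSE implementation supports and enables can be read from an SSLEngine and narrowed before any handshake takes place. The following is an added example, not code from the original guide; the class name ProtocolAudit and its helper methods are hypothetical, and the name-based filters are an assumed policy chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example; ProtocolAudit and its helper methods are hypothetical names.
public class ProtocolAudit {

    // "SSLv3" and the "SSLv2Hello" hello format are the legacy entries.
    static boolean isLegacyProtocol(String name) {
        return name.startsWith("SSL");
    }

    // Suites with no authentication, no encryption, or export-grade keys.
    static boolean isWeakSuite(String name) {
        return name.contains("_anon_") || name.contains("_NULL_")
                || name.contains("_EXPORT_");
    }

    static String[] withoutLegacyProtocols(String[] names) {
        List<String> kept = new ArrayList<String>();
        for (String n : names) if (!isLegacyProtocol(n)) kept.add(n);
        return kept.toArray(new String[kept.size()]);
    }

    static String[] withoutWeakSuites(String[] names) {
        List<String> kept = new ArrayList<String>();
        for (String n : names) if (!isWeakSuite(n)) kept.add(n);
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("Supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("Enabled by default: " + Arrays.toString(engine.getEnabledProtocols()));
        // Start from the enabled set so nothing the provider disabled is switched back on.
        String[] protocols = withoutLegacyProtocols(engine.getEnabledProtocols());
        if (protocols.length == 0) {
            throw new IllegalStateException("no TLS protocol version is enabled");
        }
        engine.setEnabledProtocols(protocols);
        engine.setEnabledCipherSuites(withoutWeakSuites(engine.getEnabledCipherSuites()));
        System.out.println("Enabled after filtering: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("Cipher suites kept: " + engine.getEnabledCipherSuites().length);
    }
}
```

The same setEnabledProtocols and setEnabledCipherSuites calls exist on SSLSocket and SSLServerSocket, so the filtering applies unchanged to the blocking socket classes.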
As mentioned above, JSSE is a security component of the Java SE 6 platform, and is based on the same design
principles found elsewhere in the Java Cryptography Architecture (JCA) framework. This framework for cryptography-related security components allows them to have implementation independence and, whenever possible, algorithm independence. JSSE uses the
same "provider" architecture defined in the JCA.
Other security components in the Java SE 6 platform include the Java Authentication and Authorization Service (JAAS),
and the Java Security Tools. JSSE encompasses many of the same concepts and algorithms as those in JCE but automatically applies them underneath
a simple stream socket API.
The JSSE APIs were designed to allow other SSL/TLS protocol and Public Key Infrastructure (PKI) implementations to be plugged in seamlessly. Developers can also provide alternate logic for determining if remote
hosts should be trusted or what authentication key material should be sent to a remote host.
Features and Benefits
JSSE includes the following important features:
Included as a standard component of JRE 1.4 and later
Extensible, provider-based architecture
Implemented in 100% Pure Java
Provides API support for SSL versions 2.0 and 3.0, TLS 1.0 and later; and an implementation of SSL 3.0 and TLS 1.0
Includes classes that can be instantiated to create secure channels (SSLSocket, SSLServerSocket, and SSLEngine)
Provides support for cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications
Provides support for client and server authentication, which is part of the normal SSL handshaking
Provides support for Hypertext Transfer Protocol (HTTP) encapsulated in the SSL protocol (HTTPS), which allows access to data such as web pages using HTTPS
Provides server session management APIs to manage memory-resident SSL sessions
Provides support for several cryptographic algorithms commonly used in cipher suites, including those listed in the following table:
Cryptographic Functionality Available With JSSE
Cryptographic Algorithm *