FAQ - JSSE 1.0.3 for CDC 1.0.2
Q. What does Java Secure Socket Extension 1.0.3 for Connected Device Configuration 1.0.2 (JSSE for CDC) do?
A. JSSE for CDC implements a Java ME version of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols to provide for secure Internet communications.
Q. What is the difference between JSSE 1.0.3 for CDC 1.0.2 and JSSE 1.0.3 for the Java SE platform?
A. JSSE for CDC (JSSE 1.0.3) is built from the same source base as JSSE for Java 2 Standard Edition (J2SE). However, JSSE for CDC has been qualified for the Java ME platform CDC 1.0.2. The JSSE for CDC RI can not be used with later versions of the CDC RI.
Q. Why should I be interested in JSSE for CDC?
A. JSSE for CDC enables developers to utilize secure, encrypted communications channels in their applications. It simplifies application development by serving as a building block which developers can integrate directly into their applications. By abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE for CDC minimizes the risk of creating subtle but dangerous security vulnerabilities.
Q. Is JSSE for CDC a reference implementation of the specification or a commercial product?
A. Sun's JSSE 1.0.3 for CDC 1.0.2 is a reference implementation. It is intended to familiarize developers with the APIs and the technology and is used to demonstrate that the specification is implementable and that compatibility tests can be executed against it.
Q. What is the U.S. Department of Commerce Bureau of Export Affairs classification of JSSE 1.0.3 for CDC 1.0.2?
A. JSSE 1.0.3 for CDC 1.0.2 has been classified as an ENC/Retail product by the U.S. Department of Commerce Bureau of Export Affairs. This license exception means that JSSE for CDC may be freely exported, without any additional approval, with strong encryption, to all parties except for those specifically prohibited.
Q. I read that the US Government has relaxed the export restrictions on encryption products. Can the JSSE 1.0.3 for CDC 1.0.2 reference implementation be downloaded by any organization, anywhere?
A. While there has been some relaxation in the export requirements, there are many restrictions still in place for strong encryption products. Go to http://www.epic.org/crypto/export_controls/regs_1_00.html for the complete 33 page report. In addition, some countries may have import restrictions. Note also that a vendor's product status is dependent on the type of application they have with the US government. JSSE 1.0.3 for CDC 1.0.2 has been classified as ENC/Retail. Contrary to some articles in the press, export of encryption technology is still a complicated, multi-dimensional issue. You are advised to consult your export/import control counsel or attorney to determine the exact requirements.
Q. Now that the export requirements have been relaxed, can I download the JSSE 1.0.3 for CDC 1.0.2 reference implementation if I'm in a country that has been subject to a US Government embargo?
A. No. Even with an ENC/Retail classification, the countries on the US Government embargo list may not receive ANY US-developed encryption items. In addition, prohibited parties are also not allowed to receive this kind of software. Also, it is Sun company policy to not ship products to Burma.
Q. I'm located in the US or Canada. What encryption strength products can I download?
A. If you are located in the US or Canada, you can download the 128 bit strength domestic JSSE 1.0.3 for CDC 1.0.2 reference implementation.
Q. I'm located outside of the US and Canada. What encryption strength products can I download?
A. If you are located outside of the US or Canada, you can download the 128 bit strength global JSSE 1.0.3 for CDC 1.0.2 reference implementation. (This assumes you are not an embargoed nation or a prohibited party.)
Q. Since both the domestic and global version of JSSE 1.0.3 for CDC 1.0.2 have strong encryption, why do you have two versions?
A. There are two versions to comply with the approved application Sun received from the U.S. Department of Commerce Bureau of Export Affairs. The domestic version supports alternate SSL security providers; the global version supports only the Sun SSL provider.
Q. What versions of the Java ME CDC platform does JSSE 1.0.3 for CDC 1.0.2 support?
A. The CDC 1.0.2 Reference Implementation is the only supported version.
Q. Does the reference implementation have the ability to do RSA encryption?
A. Yes, JSSE 1.0.3 for CDC 1.0.2 contains RSA encryption. However, this algorithm is not available to the applications using the Java Cryptography Extension (JCE) API.
Q. What standard(s) does JSSE 1.0.3 for CDC 1.0.2 follow?
A. JSSE 1.0.3 for CDC 1.0.2 provides Secure Sockets Layer (SSL) v3 and Transport Layer Security (TLS) 1.0 support to the CDC 1.0.2 platform.
Q. What versions of SSL are supported? What versions of TLS are supported?
A. JSSE for CDC supports SSL version 3. It is widely available and generally believed to be more secure than version 2. SSL was originally developed by Netscape. You can find out more about SSL by looking at Apache SSL information or the SSL 3.0 Protocol Internet Draft. JSSE for CDC supports TLS version 1, which can be found at http://www.ietf.org/rfc/rfc2246.txt?number=2246.
Q. Is the reference implementation of JSSE for CDC written in the Java TM programming language?
A. Yes, the reference implementation is completely written in the Java programming language.
Q. Is there any sample source code available?
A. Sample source code, including directions for running the sample code, is provided with the JSSE 1.0.3 for CDC 1.0.2 distribution.
Q. It seems the first SSL connection takes longer than subsequent connections. Is there anything I can do to improve the performance of the first connection?
A. The SSL Context needs a
java.security.SecureRandomobject. It is expensive to seed a SecureRandom object. You should see better performance for the first connection if you can provide a pre-seeded SecureRandom object when initializing the SSLContext. However, extreme care should be taken in such action as seeding is an important aspect of cryptographic effectiveness.Q. What troubleshooting tips can you provide?
A. Troubleshooting Tips:
JSSE for CDC Package Not Found During Compilation
Problem: When compiling a program that uses the JSSE 1.0.3 for CDC 1.0.2 packages, one of the following errors occurs:
Package com.sun.net.ssl not found in import. Package javax.net not found in import. Package javax.net.ssl not found in import. Package javax.security.cert not found in import.Cause: The JSSE for CDC JAR files are not installed with J2SE.
Solution: JSSE for CDC is meant to be installed with an instance of Java ME, as described in the downloaded documentation at
docs/install/install.html. When compiled withjavac, which comes from a J2SE installation, the command line should include the JSSE for CDC JAR files on the classpath, using the-classpathoption.Runtime Exception: SSL Service Not Available
Problem: When running a program that uses JSSE 1.0.3 for CDC 1.0.2, an exception occurs indicating that an SSL service is not available. For example, an exception similar to one of the following occurs:
Exception in thread "main" java.net.SocketException: no SSL Server Sockets Exception in thread "main": SSL implementation not availableCause 1: The cryptographic service provider is not registered properly.
Solution 1: Before using JSSE 1.0.3 for CDC 1.0.2, you must register the
SunJSSEprovider, either statically by modifying thejava.securityfile or dynamically by calling theSecurity.addProvidermethod, as described in the downloaded documentation atdocs/install/install.html.Cause 2: There was a problem with
SSLContextinitialization, for example due to a corrupted keystore. (Note: One vendor has shipped a keystore in an unknown format, and that may cause this type of error.)Solution 2: Check initialization parameters. Ensure any keystores specified are valid (e.g., by trying to use the J2SE keytool to examine them).
Runtime Exception: untrusted cert chains
Problem: When negotiating an SSL connection, the client or server throws one of the following exceptions:
javax.net.ssl.SSLException: untrusted server cert chain javax.net.ssl.SSLException: untrusted client cert chainCause 1: This is generally caused by the remote side sending a certificate that is unknown to the local side.
Solution 1: The best way to debug this type of problem is to turn on debugging and watch as certificates are loaded and when certificates are received via the network connection. Most likely, the received certificate is unknown to the trust mechanism because the wrong trust file was loaded.
Cause 2: The system clock is not set correctly.
Solution 2: If the clock is not set correctly, the perceived time may be outside the validity period on one of the certificates, and unless the certificate can be replaced with a valid one from a trust store, the system must assume that the certificate is invalid, and therefore throw the exception.
Runtime Exception: Class Definition Not Found
Problem: When running a program that uses JSSE 1.0.3 for CDC 1.0.2, an exception occurs indicating that a JSSE class definition cannot be found. For example, an exception similar to the following occurs:
Exception in thread "main" java.lang.NoClassDefFoundError: javax/net/ssl/SSLServerSocketFactoryCause: The JSSE for CDC JAR files are not on the class path.
Solution: Ensure that the JSSE for CDC JAR files (
jcert.jar,jnet.jar, andjsse.jar) are explicitly named on the class path.Runtime Exception: No Cipher Suites in Common
Problem: When using Netscape Navigator or Microsoft Internet Explorer (IE) to access files on a server that only has DSA-based certificates, a runtime exception occurs indicating that there are no cipher suites in common.
Cause: By default, certificates created with keytool use DSA public keys. Navigator and IE do not use DSA public keys in their enabled cipher suites.
Solution: To interact with Navigator or IE, you should create certificates that use RSA-based keys. To do this, you need to specify the
-keyalgRSA option when using the J2SEkeytool. For example:keytool -genkey -alias duke -keystore testkeys -keyalg rsa