Q: What does JSSE 1.0.1 do in simple terms?
A: JSSE implements a Java version of SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols to provide for secure Internet communications.
Using JSSE, developers can provide for the passage of secure data between a client and a server running any application protocol (such as HTTP, Telnet, NNTP, and FTP) over TCP/IP. JSSE will enable data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.
Q: Where does JSSE fit in the Java Security Architecture
A: JSSE is the latest development in the Java Security Architecture, building upon the javax.security package in the core SDK, the Java Cryptography Extension (JCE), and the Java Security Tools. Whereas JCE provides developers the framework to use encryption directly in their applications, JSSE provides secure internet communications at a higher level of abstraction than the actual encryption mechanisms.
Q: What does Secure Sockets Layer (SSL) do?
A: SSL is a public-key-based network security protocol widely used to authenticate, privacy-protect, and ensure message integrity of transactions made over the Internet.
Q: Why should I be interested in JSSE API, JSSE 1.0.1 and commercial versions of JSSE?
A: JSSE enables developers to utilize secure, encrypted communications channels in their applications. It simplifies application development by serving as a building block which developers can integrate directly into their applications. Furthermore, by abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE minimizes the risk of creating dangerous but subtle security vulnerabilities.
Q: Is the Java Secure Sockets Extension implementation a reference implementation of the specification or a commercial product?
A: The Java Secure Sockets Extension implementation is a reference implementation. It is intended to familiarize developers with the API and the technology before they make their choice about commercial implementations. More information on commercial implementations will be forthcoming.
Q: What will JSSE 1.0.1 cost?
A: The final release version of the JSSE 1.0.1 reference implementation binary code will be free for commercial use and redistribution. See the license and legal documents for details when you download the code.
Q: What is the schedule?
A: JSSE 1.0 was FCSed in December 1999. We have targeted the JSSE 1.0.1 release for Q1 calendar year 2000.
Q: Is JSSE under US export control restrictions?
A: Yes, JSSE is export restricted and cannot be shipped outside the United States and Canada.
Q: What versions of the JDK does JSSE support?
A: The JSSE API is implementable on either JKD 1.1x or Java 2 while the reference implementation supports only Java 2 SDK, Standard Edition, version 1.2.
Q: What standard does JSSE 1.0.1 follow?
A: JSSE 1.0.1 provides Secure Sockets Layer (SSL) 3.0 protocol and Transport Layer Security (TLS) 1.0 support to the Java 2 Platform.
Q: What is the difference between SSL and JSSE?
A: The JSSE ( JavaSecure Socket Extension) API is the official standard extension that implements SSL in Java. JSSE will be publicly available as an API specification and as a stand-alone reference implementation. The JSSE APIs are virtually unchanged from SSL.
Q: Will there be additional releases of the Java Secure Sockets Extension specification?
A: Yes. Sun is committed to its stewardship of the Java Secure Sockets API, and we will continue to follow the Java Community processed link as we develop the specification in the future.
Q: Is the reference implementation of JSSE written in the Java language?
A: Yes the reference implementation is written in the Java language.
Q: Does the reference Implementation have the ability to do RSA encryption?
A: Yes, JSSE 1.0.1 contains RSA encryption.
Q: What version of SSL do you support?
A: We support SSL version 3 since we keep thinking that Version 2 will go away. Version 3 is widely available and believed to be more secure than version 2.
Q: Something is not working. How can I debug what is going wrong?
A: Use the dynamic debug tracing support. This is similar to that used for debugging access control failures in Java 2. You can configure this via the javax.net.debug system property. A value of "help" will dump out the various options.
Q: It seems the first SSL connection takes longer time than subsequent connections. Is there anything I can do to improve the performance of the first connection?
A: The SSLContext needs a java.security.SecureRandom object. It is expensive to seed a SecureRandom object. You should see better performance for the first connection if you can provide a pre-seeded SecureRandom object when initializing the SSLContext.