Not-Yet-Commons-SSL currently has NO affiliation with the Apache Software Foundation (apache.org), but we're hoping to start Incubation one day.
Current Version (November 14th, 2007):

Download | File | Size | Status | MD5 |
---|---|---|---|---|
Full source: | not-yet-commons-ssl-0.3.9.zip | 2.3MB | Alpha | 8063831d05fc6204a7c0c23a0f86b086 |
Binary only: | not-yet-commons-ssl-0.3.9.jar | 189KB | Alpha | |

Previous Version (July 4th, 2007):

Download | File | Size | Status | MD5 |
---|---|---|---|---|
Full source: | not-yet-commons-ssl-0.3.8.zip | 2.3MB | Alpha | 6c709837f9fef310a69f8659f1697c81 |
Binary only: | not-yet-commons-ssl-0.3.8.jar | 189KB | Alpha | 34996468b477e3a6c81d7feec213288b |
Future versions will definitely break the current API in a non-reverse compatible way. After commons-ssl-0.5.0, though, we plan on always being reverse compatible with ourselves.
`openssl enc -K [key] -iv [IV]`

```java
SSLClient client = new SSLClient();
client.addAllowedName( "www.cucbc.com" );
Socket s = client.createSocket( "cucbc.com", 443 );
```

This technique is also useful if you don't want to use DNS, and want to connect using the IP address.
```java
// SSLServer is not an SSLClient; the variable must be typed as SSLServer.
SSLServer server = new SSLServer();
server.useTomcatSSLMaterial();
```
```
java.lang.RuntimeException: Export restriction: this JSSE implementation is non-pluggable.
    at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.checkCreate(DashoA6275)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:560)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(DashoA6275)
```

Silly Java - I'm still using your JSSE implementation, I'm just wrapping it!
`"javax.net.ssl.keyStore"` and `"javax.net.ssl.trustStore"`
`ssl.setCheckCRL( true/false )`

`true` by default. If you're using SSLClient, then the remote server's certificate chain is checked. If you're using SSLServer, CRL checking is ignored unless client certificates are presented. Commons-SSL tries to perform the CRL check against each certificate in the chain, but we're not sure if we always know the entire chain. (Note: CRL is an abbreviation for "Certificate Revocation List".)

Implementation note: To reduce memory consumption all CRLs are saved to disk using `File.createTempFile()` and `File.deleteOnExit()`. CRLs are re-downloaded every 24 hours. To reduce disk IO the "pass/fail" result of a CRL check for a given X.509 certificate is cached using the 20 byte SHA-1 hash of the certificate as the key. The cached "pass" result is discarded every 24 hours. The cached "fail" result is retained until the JVM restarts.
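The cache policy described in the implementation note, written out as an added illustration (this is not Commons-SSL's own code): the key is the hex SHA-1 of the certificate's DER encoding, a "pass" verdict expires after 24 hours, a "fail" verdict never does. The `CrlLookup` callback and the explicit `now` clock parameter are assumptions made so the policy can be exercised without network access; the real CRL download is outside the block.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Illustration of the pass/fail cache policy described above; not Commons-SSL code. */
public class CrlResultCache {
    private static final long PASS_TTL_MILLIS = 24L * 60 * 60 * 1000;   // a "pass" lives 24 hours
    /** Hypothetical stand-in for the real CRL fetch/consult step. */
    public interface CrlLookup { boolean passes(X509Certificate cert) throws Exception; }
    private final Map<String, Long> passExpiry = new HashMap<String, Long>(); // key -> expiry time
    private final Set<String> failed = new HashSet<String>();                 // kept until JVM exit

    /** Cache key: hex of the 20-byte SHA-1 over the certificate's DER encoding. */
    public static String keyFor(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(40);
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    /** Returns the cached verdict, or null when the CRL must be consulted again. */
    public synchronized Boolean cached(String key, long now) {
        if (failed.contains(key)) return Boolean.FALSE;              // "fail" never expires
        Long expiry = passExpiry.get(key);
        if (expiry != null && now < expiry.longValue()) return Boolean.TRUE;
        passExpiry.remove(key);                                       // absent or stale "pass": re-check
        return null;
    }

    public synchronized void record(String key, boolean passed, long now) {
        if (passed) { passExpiry.put(key, Long.valueOf(now + PASS_TTL_MILLIS)); return; }
        passExpiry.remove(key);
        failed.add(key);
    }

    /** Consult the cache first; only on a miss run the real lookup and remember its result. */
    public boolean check(X509Certificate cert, CrlLookup lookup, long now) throws Exception {
        String key = keyFor(cert);
        Boolean verdict = cached(key, now);
        if (verdict != null) return verdict.booleanValue();
        boolean passed = lookup.passes(cert);
        record(key, passed, now);
        return passed;
    }
}
```

A revoked certificate therefore stays rejected for the life of the process even if its CRL later becomes unreachable, which is the conservative direction for a cache of this kind.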
`ssl.setCheckExpiry( true/false )`

`ssl.setCheckHostname( true/false )`
Support added for certificates with wildcards in the CN field (e.g. *.credential.com). Java already had this, to be fair. We broke it by accident!
```
s: CN=*.credential.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/cps (c)05, OU=businessprofile.geotrust.com/get.jsp?GT27402892, O=*.credential.com, C=CA
i: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
```
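An added illustration (not Commons-SSL's own HostnameVerifier) of the matching rule behind the wildcard note above and the 0.3.5 change that also consults subjectAlts: DNS subjectAltNames and every subject CN are tried, and a wildcard is honoured only as the entire leftmost label, so `*.credential.com` covers `www.credential.com` but neither `credential.com` nor `a.b.credential.com`. Assumes Java 6+; the class and method names are mine.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Illustration of wildcard CN / subjectAltName matching; not Commons-SSL code. */
public class HostnameMatch {
    /** One certificate name vs. the expected host. '*' counts only as the whole leftmost label. */
    public static boolean matches(String certName, String host) {
        String c = certName.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) return c.equals(h);
        if (h.matches("[0-9.]+")) return false;          // an IP literal never satisfies a wildcard
        String suffix = c.substring(1);                   // "*.credential.com" -> ".credential.com"
        if (suffix.indexOf('.', 1) < 0) return false;     // refuse "*.com": needs two labels under the '*'
        int firstDot = h.indexOf('.');
        // the wildcard stands for exactly one label, so "a.b.credential.com" must not match
        return firstDot > 0 && h.substring(firstDot).equals(suffix);
    }

    /** Names to try: DNS subjectAltNames (GeneralName type 2) first, then every CN in the subject. */
    public static List<String> candidateNames(X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> alts = cert.getSubjectAlternativeNames();
        if (alts != null) {
            for (List<?> alt : alts) {
                if (((Integer) alt.get(0)).intValue() == 2) names.add((String) alt.get(1));
            }
        }
        String dn = cert.getSubjectX500Principal().getName();   // RFC 2253 string form
        for (Rdn rdn : new LdapName(dn).getRdns()) {             // parses escaped commas correctly
            if ("CN".equalsIgnoreCase(rdn.getType())) names.add(String.valueOf(rdn.getValue()));
        }
        return names;
    }

    /** True when any name carried by the certificate matches the host the caller meant to reach. */
    public static boolean verify(X509Certificate cert, String host)
            throws CertificateParsingException, InvalidNameException {
        for (String name : candidateNames(cert)) {
            if (matches(name, host)) return true;
        }
        return false;
    }
}
```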
KeyStoreBuilder

```
java -cp commons-ssl-0.3.4.jar org.apache.commons.ssl.KeyStoreBuilder
```
0.3.10 - 0.3.11 are just some feature ideas. They might not be feasible. 0.3.9 is the current version.
Version | Release Date? | Description |
---|---|---|
0.3.4 | Nov 2006 | 90% feature complete. Probably contains some bugs. |
0.3.5 | Dec 2006 | PKCS8Key constructor is public now. Whoops. Hostname verification knows about more than just CN's now - also checks subjectAlts in the server's certificate. |
0.3.6 | Jan 2007 | Fixed Java 1.4 bug with HttpsURLConnection. |
0.3.7 | Feb 2007 | 40 bit and 56 bit ciphers disabled by default. RMI-SSL improved. getSSLContext() added. Various other improvements. |
0.3.8 | Nov 2007 | PBE (password-based-encryption) formally introduced and improved. 40 bit and 56 bit ciphers still disabled by default, but working better when re-enabled. |
0.3.9 | May 2008 | Some PBE fixes. Using latest ASN.1 code from BouncyCastle. |
0.3.10 | May 2008 | Socket monitoring. Make it easier for long-running server applications to warn about impending certificate expiries. OCSP (Online Certificate Status Protocol). NotQuiteSoEasySSLProtocolSocketFactory will trust any server The First Time, and store that server's cert on disk for future accesses. |
0.3.11 | Jun 2008 | TrustMaterial.setAutoReload( true / false ) and KeyMaterial.setAutoReload( true / false ), but only if no password, or "changeit", was provided. (Question: should this "reload" tear down all open sockets?) |
0.4.0 | Jul 2008 | Non-public code (protected, private, etc) moved into a separate "impl" package where possible. |
0.5.0 | Aug 2008 | API frozen. All future versions must be reverse-compatible with 0.5.0 (except for any parts of 0.5.0 later found to be insecure). |
0.7.0 | Nov 2008 | JavaDocs written for all public methods and classes. |
0.7.5 | Mar 2009 | JUnit tests written for all classes. |
0.9.0 | May 2009 | First BETA release. JUnit tests passing on all targeted platforms: |
0.9.1 - 0.9.9 | Aug 2009 | Bug fixes. |
1.0.0 | Jan 2010 | Development mostly stops. |
The problem we're solving with Commons-SSL is quite small, so I don't see any reason to ever go beyond 1.0.0, except for fixing bugs.