Monday, July 19, 2010

When does SSL Handshake happen?

The SSL/TLS protocol sits above the transport layer (TCP) and below the application layer; in OSI terms it is between layers 4 and 7.

So the SSL handshake happens after accept() has returned, that is, only once the TCP connection is established. The socket that accept() hands back is a plain TCP connection until one side starts the handshake.

When SSLSockets are first created, no handshaking is done so that applications may first set their communication preferences: what cipher suites to use, whether the socket should be in client or server mode, etc.

The initial handshake on this connection can be initiated in one of three ways:

  1. Calling startHandshake(), which explicitly begins the handshake, or
  2. Any attempt to read or write application data on this socket, which causes an implicit handshake, or
  3. A call to getSession(), which tries to set up a session if there is no currently valid session, so an implicit handshake is done.
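The following is an added example, not code from the original post. A server accepts a TCP connection, shows that no TLS session exists yet, then starts the handshake explicitly (way 1) while the client triggers its side implicitly with the first write (way 2). It assumes a self-signed JKS keystore named server.jks with store and key password "changeit", which is also used as the client's trust store; the file name, password and alias are assumptions, and the keytool command in the comment creates such a file.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Hypothetical demo of when the TLS handshake runs relative to accept().
 * Assumes a keystore created with (file name and password are assumptions):
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -dname "CN=localhost" \
 *           -keystore server.jks -storetype JKS -storepass changeit -keypass changeit
 */
public class HandshakeTiming {

    static SSLContext context(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // The self-signed server certificate doubles as the client's trust anchor.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "server.jks";
        SSLContext ctx = context(path, "changeit".toCharArray());

        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
        int port = server.getLocalPort();

        Thread client = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", port)) {
                // Way 2: the first write of application data triggers an implicit handshake.
                s.getOutputStream().write("hello\n".getBytes(StandardCharsets.US_ASCII));
                s.getOutputStream().flush();
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
                System.out.println("client got: " + in.readLine());
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        client.start();

        try (SSLSocket s = (SSLSocket) server.accept()) {
            // TCP is established here, but no handshake has started: this prints null.
            System.out.println("accepted; handshake session = " + s.getHandshakeSession());
            s.addHandshakeCompletedListener(ev -> System.out.println(
                    "handshake done: " + ev.getSession().getProtocol() + " " + ev.getCipherSuite()));
            // Way 1: explicit handshake. (Way 3, s.getSession(), would also start it.)
            s.startHandshake();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            String line = in.readLine();
            s.getOutputStream().write((line.toUpperCase() + "\n").getBytes(StandardCharsets.US_ASCII));
            s.getOutputStream().flush();
        }
        client.join();
        server.close();
    }
}
```

Because accept() returns before any TLS record has been exchanged, anything the server does between accept() and startHandshake() (logging the peer address, applying per-connection cipher or protocol restrictions with setEnabledCipherSuites/setEnabledProtocols) happens on an unauthenticated, unencrypted socket; application data must not be written until the handshake has completed.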

Posted via email from Progress

Sunday, July 18, 2010

SSL, KeyStore and Key password

An SSL server socket can be created in one of two ways:
  • Calling SSLServerSocketFactory.getDefault()
    The default implementation can be specified in $JREHOME/lib/security/java.security through
    ssl.ServerSocketFactory.provider. By default it is not specified, and JSSE's internal
    implementation is used (com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl).

    When this default implementation is used, it is configured through system properties:
    • the keystore, using javax.net.ssl.keyStore; if it is not set, the KeyManager is backed by an
      empty keystore, so the server has no certificate to present and the handshake fails
    • the keystore password, using javax.net.ssl.keyStorePassword

    Note that getDefault() leads to the default SSLContext, the default KeyManager and the default
    TrustManager. Most importantly, the system properties let you specify only the keystore
    password; there is no property for the keys' passwords. The default context reuses the
    keystore password to recover the keys.

    So for an SSL socket created through getDefault(), the keystore and every key in it must have
    the same password. Only the default implementation has this requirement.
  • Using a customized SSLContext to create the SSLSocket
For example (secureKeyStore, SecureTrustManagerFactory, algorithm and PROTOCOL are helpers not shown here):

import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

try {
    // Open the keystore with the store password.
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(secureKeyStore.asInputStream(keystorePath),
            secureKeyStore.getKeyStorePassword());
    // Recover the private key(s) with the key password; it may differ from the store password.
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
    kmf.init(ks, secureKeyStore.getCertificatePassword());
    serverContext = SSLContext.getInstance(PROTOCOL);
    serverContext.init(kmf.getKeyManagers(),
            SecureTrustManagerFactory.getTrustManagers(), null);
} catch (Exception e) {
    e.printStackTrace();
    throw new Error("Failed to initialize the server-side SSLContext", e);
}

In the code above, the kmf.init(KeyStore keystore, char[] pass) method accepts two arguments; the second one is the password used to recover the private key(s) in the keystore (the "certificate password" in the helper's naming).

Note that only one password is passed to this method, so the keystore must use the same
password for all the private keys it stores. There is no requirement that this password
be the same as the keystore password (but the default implementation, driven by system properties, requires this).

If the keys in the keystore have different passwords, the JSSE (SunX509) KeyManagerFactory.init() method throws UnrecoverableKeyException, because it tries to recover every key entry at init time. Some other implementations may just return the key(s) whose password matched, but JSSE does not.
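An added example, not code from the original post, making the two password roles visible. It assumes a JKS keystore server.jks created with a store password "storepw" and a different key password "keypw" (file name, alias and both passwords are assumptions; the keytool command in the comment produces such a file). The SunX509 algorithm is requested explicitly because it is the JSSE implementation that recovers every key during init(); the PKIX/NewSunX509 factory defers key recovery.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;

/*
 * Hypothetical demo of keystore password vs. key password in JSSE.
 * Assumes a keystore created with (names and passwords are assumptions):
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -dname "CN=localhost" \
 *           -keystore server.jks -storetype JKS -storepass storepw -keypass keypw
 */
public class KeyPasswords {

    /** Returns true if the SunX509 KeyManagerFactory rejects the keystore with this key password. */
    static boolean initFails(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        try {
            kmf.init(ks, keyPassword);
            return false;
        } catch (UnrecoverableKeyException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePw = "storepw".toCharArray();
        char[] keyPw = "keypw".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args.length > 0 ? args[0] : "server.jks")) {
            // The store password only checks integrity and unlocks the container.
            ks.load(in, storePw);
        }

        // Custom SSLContext route: the key password may differ from the store password.
        System.out.println("init with key password fails?   " + initFails(ks, keyPw));
        // This is what the default SSLContext effectively does: it reuses
        // javax.net.ssl.keyStorePassword as the key password, which fails here.
        System.out.println("init with store password fails? " + initFails(ks, storePw));

        // Two keys under different passwords in one keystore: SunX509 cannot init with
        // either password, because it tries to recover every key entry at init time.
        PrivateKey key = (PrivateKey) ks.getKey("server", keyPw);
        Certificate[] chain = ks.getCertificateChain("server");
        KeyStore mixed = KeyStore.getInstance("JKS");
        mixed.load(null, null);
        mixed.setKeyEntry("a", key, "pw-a".toCharArray(), chain);
        mixed.setKeyEntry("b", key, "pw-b".toCharArray(), chain);
        System.out.println("mixed store, pw-a fails? " + initFails(mixed, "pw-a".toCharArray()));
        System.out.println("mixed store, pw-b fails? " + initFails(mixed, "pw-b".toCharArray()));
    }
}
```

The practical consequence: a keystore shared by several services, each with its own key password, cannot be used through javax.net.ssl.keyStorePassword at all, and even a custom SSLContext needs one keystore (or one password) per service.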

Wednesday, July 7, 2010

valueOf methods of Short, Integer and Long

This is interesting: in the JDK implementation, any value between -128 and 127
is served from a cache instead of a fresh object:

  
static class valueOfCache {
    /**
     * A cache of instances used by {@link Integer#valueOf(int)}
     * and auto-boxing.
     */
    static final Integer[] CACHE = new Integer[256];

    static {
        for (int i = -128; i <= 127; i++) {
            CACHE[i + 128] = new Integer(i);
        }
    }
}


And the static valueOf() method:

/*
 * If it is not necessary to get a new {@code Integer}
 * instance, it is recommended to use this method instead
 * of the constructor, since it maintains a cache of
 * instances which may result in better performance.
 */
public static Integer valueOf(int i) {
    if (i < -128 || i > 127) {
        return new Integer(i);
    }
    return valueOfCache.CACHE[i + 128];
}

This method often performs better than the constructor because it avoids an allocation for small values,
but there is a lot of debate about it. The side effect that matters in practice is that cached values are
shared instances, so comparing boxed values with == gives different answers inside and outside the cached range.
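An added example, not from the original post, showing the trap the cache creates: an identity comparison of boxed values passes for small numbers (which is all a unit test may ever use) and fails once a value leaves the cached range. In OpenJDK the equivalent of the class quoted above is java.lang.Integer.IntegerCache, whose upper bound can be raised with -XX:AutoBoxCacheMax, so the exact range is not even fixed across JVM configurations.

```java
/*
 * Hypothetical demo of == versus equals() on boxed integers.
 */
public class BoxedCompare {

    /** The buggy check: identity comparison of boxed values. */
    static boolean sameByIdentity(int a, int b) {
        Integer x = a;   // autoboxing calls Integer.valueOf(a)
        Integer y = b;
        return x == y;   // compares references, not values
    }

    /** The correct check: value comparison. */
    static boolean sameByValue(int a, int b) {
        Integer x = a;
        Integer y = b;
        return x.equals(y);
    }

    public static void main(String[] args) {
        // Inside the cache: both boxes are the same shared instance.
        System.out.println("identity 127 == 127: " + sameByIdentity(127, 127));
        // Outside the cache: two distinct objects, so identity comparison fails.
        System.out.println("identity 128 == 128: " + sameByIdentity(128, 128));
        System.out.println("equals   128 == 128: " + sameByValue(128, 128));
        // The constructor (deprecated in newer JDKs) always bypasses the cache.
        System.out.println("new Integer(127) == valueOf(127): "
                + (new Integer(127) == Integer.valueOf(127)));
    }
}
```

The same applies to Short and Long, whose valueOf() methods cache -128 to 127 as well; any authorization or matching logic that compares boxed IDs with == is wrong, it just happens to work for the first 128 records.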

Saturday, July 3, 2010

Harden Tomcat 5.0/5.5

  • Embedded Tomcat 5.0
1. It uses CoyoteConnector, located in src/jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5
2. CoyoteConnector has a public method called initialize(); in this method the ProtocolHandler is instantiated.
3. In the org.apache.catalina.startup.Embedded class's start() method, it iterates through all connectors and calls their initialize() method.
4. Embedded.createConnector() creates the Connector object and assigns a ServerSocketFactory object to the connector (it will be a CoyoteServerSocketFactory), so the allowed cipher suites can be restricted on that factory before the connector is started:

// connector created and ServerSocketFactory assigned (it will be CoyoteServerSocketFactory)
connector = embedded.createConnector((InetAddress) null, port, SSL);

if (SSL) {
    if (connector instanceof CoyoteConnector) {
        CoyoteConnector cc = (CoyoteConnector) connector;
        CoyoteServerSocketFactory cssFactory = (CoyoteServerSocketFactory) cc.getFactory();
        // DEFAULT_CIPHERS: comma-separated list of JSSE cipher suite names to allow
        cssFactory.setCiphers(DEFAULT_CIPHERS);
    }
}
embedded.addConnector(connector);
embedded.start();

5. CoyoteConnector also has a method called setCiphers(); that method works in Tomcat 5.5, but for Tomcat 5.0 use CoyoteServerSocketFactory.setCiphers().
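An added example, not part of the original post or of Tomcat, for building the value handed to setCiphers(): it starts from the cipher suites the local JSSE actually supports and drops the ones no hardened configuration should offer (no encryption, anonymous key exchange, export grade, RC4, DES/3DES, MD5, Kerberos, and the renegotiation signalling pseudo-suite). The marker list and the class name are this example's own choices.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

/*
 * Hypothetical helper that derives a hardened cipher allow-list from the
 * suites the JSSE provider supports, in the comma-separated form setCiphers() takes.
 */
public class CipherAllowList {

    /** Substrings that mark a suite as unacceptable (example policy, not a standard list). */
    static final String[] WEAK_MARKERS = {
        "_NULL_", "_anon_", "EXPORT", "RC4", "_DES_", "3DES", "_MD5", "KRB5", "SCSV"
    };

    /** Returns the suites from 'supported' that contain none of the weak markers. */
    static List<String> filter(String[] supported) {
        List<String> ok = new ArrayList<>();
        for (String suite : supported) {
            boolean weak = false;
            for (String marker : WEAK_MARKERS) {
                if (suite.contains(marker)) {
                    weak = true;
                    break;
                }
            }
            if (!weak) {
                ok.add(suite);
            }
        }
        return ok;
    }

    /** Comma-separated form, which is what the Tomcat ciphers attribute / setCiphers() expects. */
    static String asSetCiphersValue(List<String> suites) {
        return String.join(",", suites);
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] supported = f.getSupportedCipherSuites();
        List<String> ok = filter(supported);
        System.out.println(supported.length + " supported, " + ok.size() + " allowed:");
        System.out.println(asSetCiphersValue(ok));
    }
}
```

This is a deny-list starting point rather than a final policy: it still leaves RSA key exchange (no forward secrecy) and TLS 1.0-era CBC suites in place, so the output should be reviewed against current guidance before being pasted into the connector configuration. Whatever list is chosen, verify it from the outside after start-up (for example with openssl s_client -cipher) rather than trusting the configuration alone.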

Friday, July 2, 2010

Little Endian and Big Endian

Endianness is the ordering of individually addressable sub-units (words, bytes, or even bits)
within a longer data word stored in memory. Big-endian stores the most significant byte at the
lowest address; little-endian stores the least significant byte at the lowest address.
For example, the byte-order

In JNI, if a value is passed using a Java primitive type, for example
int a;
(a jint on the native side), then no byte-order conversion is needed in the native code: the JVM hands
the value over in the host's own representation. Conversion is only needed for data that arrives as a
raw byte array (a network message, a file, a struct copied out of memory): when such bytes are decoded
into int, short, long..., they must be converted from the order they were written in to the host order.
Note that the byte order is a property of the CPU, not of the operating system: x86 (whether Linux or
Solaris) is little-endian and SPARC is big-endian, while Java's own DataInput/DataOutput and the default
ByteBuffer order are always big-endian regardless of the host.
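An added example, not from the original post, decoding the same raw bytes in both orders on the Java side with ByteBuffer, and producing host-order bytes for a native consumer with ByteOrder.nativeOrder(). The four sample bytes are constructed for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Arrays;

/*
 * Hypothetical demo of byte-order handling for raw byte arrays.
 * Java's default ByteBuffer order is big-endian whatever the host is.
 */
public class Endian {

    /** Constructed sample: the bytes 01 02 03 04 as they might arrive in a raw byte array. */
    static final byte[] SAMPLE = {0x01, 0x02, 0x03, 0x04};

    /** Decodes four bytes at 'offset' as a 32-bit int, interpreting them in the given order. */
    static int readInt(byte[] data, int offset, ByteOrder order) {
        return ByteBuffer.wrap(data, offset, 4).order(order).getInt();
    }

    /** Encodes an int into four bytes in the given order (nativeOrder() for a C consumer). */
    static byte[] writeInt(int value, ByteOrder order) {
        return ByteBuffer.allocate(4).order(order).putInt(value).array();
    }

    /** Byte-swaps a 32-bit value, i.e. converts between the two orders by hand. */
    static int swap(int v) {
        return Integer.reverseBytes(v);
    }

    public static void main(String[] args) {
        int big = readInt(SAMPLE, 0, ByteOrder.BIG_ENDIAN);       // 01 02 03 04 read MSB first
        int little = readInt(SAMPLE, 0, ByteOrder.LITTLE_ENDIAN); // same bytes read LSB first
        System.out.printf("as big-endian:    0x%08x%n", big);
        System.out.printf("as little-endian: 0x%08x%n", little);
        System.out.println("swap(big) == little: " + (swap(big) == little));
        System.out.println("host byte order:  " + ByteOrder.nativeOrder());
        // Bytes to hand to a native function that expects a C int in host order:
        byte[] forNative = writeInt(big, ByteOrder.nativeOrder());
        System.out.println("host-order encoding of 0x" + Integer.toHexString(big) + ": "
                + Arrays.toString(forNative));
    }
}
```

The point for parsers of binary input: decide the order from the format specification (network protocols are normally big-endian, most file formats written by C code on x86 are little-endian), set it explicitly with order(), and never rely on nativeOrder() for data that did not originate on the same host.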