Re: SSL APIs [ was: Do you have a X509 implementation ? ]

David Brownell -- JavaSoft (db@doppio)
Wed, 12 Mar 1997 10:34:13 -0800

Date: Wed, 12 Mar 1997 10:34:13 -0800
From: db@doppio (David Brownell -- JavaSoft)
Message-Id: <199703121834.KAA01019@argon.eng.sun.com>
To: mkirk@cisco.com
Subject: Re: SSL APIs [ was: Do you have a X509 implementation ? ]

> Well the obvious feedback is that we need the client authentication and the
> security context to be sorted out.

It's coming.

> What is the 'basic policy validation' done on certificate chains when they
> are created, is there an interface to set the policy ?

The policy isn't settable; it's just that the signatures check
out and that the certificates haven't expired.

> What if an SSLSocket
> wants to specify it's own policy for authentication the server ?

That policy granularity isn't supported; AuthContext.setTrustDecider()
is the policy hook for "who do you trust", and it affects both client
and server side trust decisions.

> I'm not sure what the point of getEnabledCipherSuites and
> setEnabledCipherSuites is. All the SSLSocket constructors presumably
> establish the SSL connection. There isn't a setActiveCipherSuite so
> you can't change the CipherSuite on an established connection, what
> then, is the use of setting the Enabled Cipher Suites ?

Did you look at the API overview information? Javadocs don't ever
capture all you need to know about an API ...

The active suite is the result of a negotiation between the client
and the server, so "setActiveCipherSuite" would make not much sense;
you'd "setEnabledCipherSuites" and then do the SSL negotiation (for
example, by sending the first data on the connection). Then you'd
call "getActiveCipherSuite" to see which cipher suite (if any) was
supported by both the client and the server.

- Dave