Re: DSA certificates/SSLSocket.

David Brownell (db@Eng)
Wed, 30 Sep 1998 10:53:59 -0700

Jeff Nisewanger wrote:
>
> > since there is support for doing DHE with DSS- there has to be a way of
> > associating a DSA certificate with an SSL connection (unless client
> > authentication at the server is unsupported - highly unlikely!)
> >
> > Could someone send me a link, a code snippet on how to associate a DSA
> > certificate with an SSL (connection) Socket?
>
> HotJava Browser's SSL supports connecting to servers which
> authenticate themselves using DSA certificates via the SSL_DHE_DSS_XXX
> cipher suites which you list above.

And the SSL subsystem in the browser also supports client authentication
internally, as well as that server authentication ...

> HotJava Browser currently does not
> support SSL client authentication so there is no supported way of
> setting up a client DSA or RSA certificate on the client side and using
> that to authenticate with the server.

"No supported way" is the critical phrase. Although the SSL subsystem
supports authentication of either end, that facility isn't supported
except for licencees of the SSL source code. (It relies on a "login"
facility to securely associate the private keys with certificate chains,
and also CA and certificate management support as needed to make it
all work. Some such infrastructure is now public in JDK 1.2; not all.)

So for example if you use SSL in a product like the Java Web Server
(uses the same SSL package!), that uses the "login" facility so that
client authentication works between servers. It also uses the CA and
certificate management infrastructure (with a nasty UI!) to let you
establish whose authentication you trust. HotJava only does some of
the latter part, none of the former.

At this time I understand that Sun doesn't ship the SSL subsystem as
a binary product, to be used outside of those products. That is, I
think, how you're trying to use this package.

- Dave

> One possibility would be to use
> a DSA certificate on the server side and then authenticate the client,
> if needed, through a traditional password-based approach.
>
> Jeff