SSL support for Java

Hi All,
Basically my problem is like this: I have an applet which needs to call a CGI
script on the server. Now everything is working all right, except that I need to
secure the data transfer between the applet and the CGI script. I can set up an SSL module on the server side, which is in fact a RedHat with Apache. The CGI
script is written in C, and I'd had a hard time implementing a decryption
module on the server side, therefore I decide to use normal HTTPS protocol to speed things up.

So do you know any SSL package in Java that you HAVE USED and is good enough to solve my problem?

I've looked around the web for such a package, and found Icesoft's package is for this purpose. But when I tried it, I always get "IOExeception: This certificate has expired." error. I don't know whether this is related to their product bugs or anything else. I tried to contact their tech support, but got no reply at all, and now I am turning away from them. I don't know much about this "certificate" stuff, so if you would give me some pointers why I got this error, I would greatly appreciate it.

My basic requirement about such a package is like this:

1) It'd be best for it to be able to compile under JDK1.0.2 since my applet is developed under this version.

2) The size of the package should be as small as possible, it'd be best not larger than around 20K.

3) The package should either provide a pure SSLSocket class or, better, an HTTPSURLConnection class, or something like this.

If you've done any projects of this kind, please give me some help.

Thanks in advance.

lll888 Asked:
lll888 (Author) Commented:
Adjusted points to 143
0
lll888 (Author) Commented:
Sorry, I don't have enough points for this one, now I get 0 points left. So please help...
0
vladi21 Commented:
look:

Can Java applet post to an SSL enabled server?
Yes. All you need to do is post to the "https://" URL. You don't need to have packages such as SSLava. The URLConnection class will say that https is an unknown protocol if the applet is run in the appletviewer, but it will do the right thing if run inside the Navigator.

Do I need to sign my classes to do out of SandBox operation, when they are served from https server?
There is no need to sign the classes if they are served from an SSL enabled (https) server, but you need to make PrivilegeManager.enablePrivilege() calls with appropriate target (even System Classes do this) for doing out of SandBox operations.

http://java.sun.com/security/ssl/API_users_guide.html 

http://search.java.sun.com/query.html?col=jsun&pw=100%25&ws=0&nh=10&qt=SSL 

SSL (Secure Socket Layer) is the scheme proposed by Netscape Communications Corporation. It is a low level encryption scheme used to encrypt transactions in higher-level protocols such as HTTP, NNTP and FTP. The SSL protocol includes provisions for server authentication (verifying the server's identity to the client), encryption of data in transit, and optional client authentication (verifying the client's identity to the server). SSL is currently implemented commercially on several different browsers, including Netscape Navigator, Secure Mosaic, and Microsoft Internet Explorer, and many different servers, including ones from Netscape, Microsoft, IBM, Quarterdeck, OpenMarket and O'Reilly and Associates. Details on SSL can be found at:
http://home.netscape.com/products/security/ssl/index.html 
www-security-faq:
How secure is the encryption used by SSL?
SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the http transaction (both request and response). Each transaction uses a different session key so that if someone manages to decrypt a transaction, that does not mean that they've found the server's secret key; if they want to decrypt another transaction, they'll need to spend as much time and effort on the second transaction as they did on the first.
Netscape servers and browsers do encryption using either a 40-bit secret key or a 128-bit secret key. Many people feel that using a 40-bit key is insecure because it's vulnerable to a "brute force" attack (trying each of the 2^40 possible keys until you find the one that decrypts the message). This was in fact demonstrated in 1995 when a French researcher used a network of workstations to crack a 40-bit encrypted message in a little over a week. It is thought that with specialized hardware, 40-bit messages can be cracked in minutes to hours. Using a 128-bit key eliminates this problem because there are 2^128 instead of 2^40 possible keys. To crack a message encrypted with such a key by brute force would take significantly longer than the age of the universe using conventional technology. Unfortunately, many Netscape users have browsers that support only 40-bit secret keys. This is because of legal restrictions on the encryption software that can be exported from the United States.

The SSL Protocol Specification is detailed at:
http://www.netscape.com/newsref/std/SSL_old.html - SSLv2
http://www.netscape.com/newsref/std/SSL.html - SSLv3

There is also a mailing list for discussion of SSL managed by Netscape at ssl-talk@netscape.com. You can join this list by sending mail to ssl-talk-request@netscape.com with subscribe as the subject line or the message body.

The SSL-Talk List FAQ is available at
http://www.consensus.com/security/ssl-talk-faq.html
and it contains a large amount of useful information.

look
http://java.miningco.com/msubsecurity.htm 
http://www.verisign.com/ 
http://www.verisign.com/server/trial/index.html 
http://www.camb.opengroup.org/RI/www/prism/wwwj/ 
www.rsa.com 
http://www.psy.uq.oz.au/~ftp/Crypto/ 

Understanding Encryption and SSL
http://developer.netscape.com/docs/manuals/proxy/adminux/encrypt.htm

How SSL Works
http://developer.netscape.com/tech/security/ssl/howitworks.html

The TLS & SSL FAQ
detailing the Transport Layer Security & Secure Socket Layers protocols
http://www.certicom.com/faqs/tls_ssl_faq.txt
0
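
What the answer above describes (posting to an "https://" URL through URLConnection), as an added example that is not part of the original thread. It assumes a current JDK with javax.net.ssl.HttpsURLConnection rather than the JDK 1.0.2 / Navigator environment of the question; the endpoint URL and form fields are placeholders. It also prints the server certificates' validity dates and flags a handshake that fails because a certificate has expired.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

public class HttpsCgiPost {
    // Walk the cause chain: an expired certificate surfaces as a nested
    // CertificateExpiredException under the SSLHandshakeException.
    static boolean causedByExpiredCert(Throwable t) {
        for (; t != null; t = t.getCause()) {
            if (t instanceof CertificateExpiredException) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder endpoint (assumption); pass the real CGI URL as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://server.example/cgi-bin/script.cgi");
        // Constructed form data, for illustration only.
        byte[] body = "field1=value1&field2=value2".getBytes(StandardCharsets.UTF_8);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try {
            // Connecting performs the handshake and validates the certificate
            // chain and host name against the default trust store.
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            System.out.println("HTTP status: " + conn.getResponseCode());
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println(x.getSubjectX500Principal() + " valid "
                            + x.getNotBefore() + " to " + x.getNotAfter());
                }
            }
        } catch (SSLHandshakeException e) {
            // Do not disable validation to get past this; renew the certificate
            // on the server or correct the client clock instead.
            System.err.println(causedByExpiredCert(e)
                    ? "Handshake failed: a certificate in the chain has expired (or the client clock is wrong)."
                    : "Handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```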

lll888 (Author) Commented:
Thanks for all the help. I never knew only posting to "https://URL.." will work...
0