In java SSL over https without certificate

Question

Is it possible to use ssl with httpconnection without using certificate in java? i wan to use a random number or a semetric key.

Thank Raihan

Answer 1

Although SSL/TLS doesn't strictly require certificates, HTTPS expects certificates, since RFC 2818 (in particular, Section 3.1) clearly refers to X.509 certificates.

You'll find more details in this answer on ServerFault, to a very similar question.

Whatever you do without certificate will be out of scope of RFC 2818, but it might still work (and make sense). However it is supported by other implementations may vary. If you choose not to use certificates, you'll still need a way to verify the identify of the server to ensure the security of the communication.

EDIT:

The Oracle provider for JSSE doesn't support PSK cipher suties (or OpenPGP certs). The closest to a shared-key you'll get out of that are Kerberos cipher suites.