In java SSL over https without certificate

Question

Is it possible to use ssl with httpconnection without using certificate in java? i wan to use a random number or a semetric key.

Thank Raihan

Answer 1

Yes, you can use several different authentication methods in SSL/TLS, including symmetric keys (PSK cipher suites) and username/password combination (SRP cipher suites). I can't say about Java built-in mechanisms, but out SecureBlackbox product (including its Java edition) lets you use mentioned mechanisms on both client and server side of SSL/TLS channel. This also applies to provided HTTPS client and server components as well.

Answer 2

Look at the accepted answer on the following question:

How to ignore SSL certificate errors in Apache HttpClient 4.0

You just need to create a TrustManager that basically doesn't check anything and just trusts everything. Although I can see why this is useful whilst developing, this does kind of negate the purpose of SSL. The TrustManager is there to avoid Man In The Middle attacks where a third party poses as the server to intercept and manipulate data etc, therefore if you don't verify the servers certificate, anybody could provide an 'invalid' certificate!

Answer 3

Although SSL/TLS doesn't strictly require certificates, HTTPS expects certificates, since RFC 2818 (in particular, Section 3.1) clearly refers to X.509 certificates.

You'll find more details in this answer on ServerFault, to a very similar question.

Whatever you do without certificate will be out of scope of RFC 2818, but it might still work (and make sense). However it is supported by other implementations may vary. If you choose not to use certificates, you'll still need a way to verify the identify of the server to ensure the security of the communication.

EDIT:

The Oracle provider for JSSE doesn't support PSK cipher suties (or OpenPGP certs). The closest to a shared-key you'll get out of that are Kerberos cipher suites.

Answer 4

No, you can't. You need a certificate to connect via HTTPS. You could use a self-signed-certificate for your purposes.

Answer 5

SSL requires a certificate, but you can create a self-signed certificate like this:

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

This certificate will be stored in keystore.jks and be valid for 360 days.

Depending on your http server implementation you would typically point it to the keystore by providing a keystoreFile argument, and a keystorePass to set the password (property names taken from Apache Tomcat's HTTP Connector, but they are similar in other http servers.