Difference between SSL and TLS and their usage in Java

2

39

I am trying to establish an SSL or TLS connection between a Java client and server I am setting up.

I have been using SSLContext.getInstance("SSL") to build the SSLContext, and it worked.

I would like to know what the purpose of the protocol parameter is in SSLContext.getInstance(String protocol).

In particular, what changes between using SSLContext.getInstance("SSL") and SSLContext.getInstance("TLS"), or other possible values?

Perpend answered 30/10, 2012 at 8:31 Comment(7)
see en.wikipedia.org/wiki/Transport_Layer_Security - Abdication
Have you tried to read the documentation? - Nepotism
I searched them, and I know the difference between ssl, sslv3 and tls. I just do not know the communication between server and client with different protocol types. Thanks - Perpend
Those who downvote or vote to delete, please participate here. - Inwrap
Pay attention to Bruno's comment: "If you want a particular set of protocols to be used... setEnabledProtocols". If you say getInstance("TLS"), then you will get SSLv3 and TLSv1. TLSv1.1 and TLSv1.2 will not be enabled under most Java implementations (I say most because Java 8 changed some of the behavior). You have to explicitly remove SSLv3, and have to explicitly enable TLSv1.0, TLSv1.1 and TLSv1.2. Note that there is a difference between available and enabled here. - Quodlibet
@Quodlibet You don't have to explicitly enable TLSv1.1/2. You can use SSLContext.getInstance("TLSv1.2") for example. - Tybalt
Just to clarify: in both Java 7 and Java 8, for the SunJSSE provider (out-of-the-box provider), "SSL" is an alias for "TLS" as far as SSLContext.getInstance(protocol) is concerned. - Hennery
35

Here is a rather detailed answer that I wrote a while back describing the difference between SSL and TLS. In short, TLS is the successor of SSL, and TLS 1.0 can be considered as "SSL 3.1".

If you look at the JSSE Reference Guide, in the SSLContext section, it says:

These static methods each return an instance that implements at least the requested secure socket protocol. The returned instance may implement other protocols too. For example, getInstance("TLSv1") may return an instance which implements "TLSv1", "TLSv1.1" and "TLSv1.2".

This is also mentioned in the Standard Names document.

In particular, if you check the Oracle/OpenJDK 7 source code for SSLContextImpl, you'll find that all its SSLContexts support all protocols (from SSLv3 using an SSLv2 Client Hello to TLS 1.2). What differs is which protocols are enabled by default. In addition, you shouldn't rely on this in general, since other Java implementations (e.g. the IBM JRE) could behave differently.

If you want a particular set of protocols to be used for a connection, you should use SSLSocket or SSLEngine's setEnabledProtocols method. Otherwise, it will use the default values, as described in the Providers documentation.

Inwrap answered 30/10, 2012 at 12:2 Comment(0)
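
An added example (not code from the answer or from the JDK) of the distinction the answer above draws: for several getInstance names it prints the supported and the default-enabled protocol versions, then pins the enabled set with setEnabledProtocols. The class name, the helper restrict and the TLSv1.2/TLSv1.3 allow-list are assumptions made for illustration; the output depends on the JRE and provider in use.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class EnabledProtocolsDemo {

    // Versions this example chooses to allow (an assumption; set per your own policy).
    static final List<String> WANTED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // Intersect the allow-list with what the provider supports, so that
    // setEnabledProtocols is never handed a name it would reject.
    static String[] restrict(String[] supported) {
        List<String> keep = new ArrayList<>(WANTED);
        keep.retainAll(Arrays.asList(supported));
        if (keep.isEmpty()) {
            throw new IllegalStateException("provider supports none of " + WANTED);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"SSL", "TLS", "TLSv1.2"}) {
            SSLContext ctx;
            try {
                ctx = SSLContext.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // Other providers may not register every name.
                System.out.println(name + ": not available from this provider");
                continue;
            }
            ctx.init(null, null, null); // default key managers, trust managers, RNG

            System.out.println("getInstance(\"" + name + "\")");
            System.out.println("  supported: "
                    + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
            System.out.println("  enabled by default: "
                    + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

            // Pin the versions per connection; SSLSocket has the same method.
            SSLEngine engine = ctx.createSSLEngine();
            engine.setEnabledProtocols(restrict(engine.getSupportedProtocols()));
            System.out.println("  after setEnabledProtocols: "
                    + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```

Comparing the "supported" and "enabled by default" lines across the names shows which part of the behaviour comes from the getInstance argument and which has to be set explicitly on the engine or socket.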
1

The protocol is used for communicating between server and client. So SSLContext(String protocol) returns the instance of the protocol, and then using that the server or client communicate with each other for security level.

For more reference, refer to this link: http://www.herongyang.com/JDK/SSL-java-net-ssl-SSLContext-Class-Test.html

Shien answered 30/10, 2012 at 9:23 Comment(3)
I just said that in the server, I create a protocol 'tls'. Does SSLContext(String protocol) mean get the client protocol? I just do not understand why it works that in the client I call SSLContext.getInstance("ssl"). 'ssl' and 'tls' are different protocol types. My English is bad, I am so sorry for the unclear question. - Perpend
First sentence is vague. Second sentence is incorrect: getInstance() does not return 'an instance of the protocol'; it returns an instance of SSLContext. Final paragraph cites a non-normative and basically irrelevant reference. - Tybalt
@Shien Instead of fiddling about deleting and undeleting this, why not fix it? - Tybalt
