
Difference between SSL and TLS and their usage in Java

Tags: java, ssl

I am trying to establish an SSL or TLS connection between a Java client and server I am setting up.

I have been using SSLContext.getInstance("SSL") to build the SSLContext, and it worked.

I would like to know what the purpose of the protocol parameter is in SSLContext.getInstance(String protocol).

In particular, what changes between using SSLContext.getInstance("SSL") and SSLContext.getInstance("TLS"), or other possible values?

asked Oct 30 '12 08:10 by user1781746




2 Answers

Here is a rather detailed answer that I wrote a while back describing the difference between SSL and TLS. In short, TLS is the successor of SSL, and TLS 1.0 can be considered as "SSL 3.1".

If you look at the JSSE Reference Guide, in the SSLContext section, it says:

These static methods each return an instance that implements at least the requested secure socket protocol. The returned instance may implement other protocols too. For example, getInstance("TLSv1") may return a instance which implements "TLSv1", "TLSv1.1" and "TLSv1.2".

This is also mentioned in the Standard Names document.

In particular, if you check the Oracle/OpenJDK 7 source code for SSLContextImpl, you'll find that all its SSLContexts support all protocols (from SSLv3 using an SSLv2 Client Hello to TLS 1.2). What differs is which protocols are enabled by default. In addition, you shouldn't rely on this in general, since other Java implementations (e.g. the IBM JRE) could behave differently.

If you want a particular set of protocols to be used for a connection, you should use SSLSocket or SSLEngine's setEnabledProtocols method. Otherwise, it will use the default values, as described in the Providers documentation.

answered Oct 04 '22 18:10 by Bruno


A protocol is used for communicating between server and client. So SSLContext(String protocol) returns the instance of the protocol, and the server or client then uses that to communicate with each other for security level.

For more reference, refer to this link: http://www.herongyang.com/JDK/SSL-java-net-ssl-SSLContext-Class-Test.html

answered Oct 04 '22 19:10 by Angel