Difference between SSL and TLS and their usage in Java

Question

I am trying to establish an SSL or TLS connection between a Java client and server I am setting up.

I have been using SSLContext.getInstance("SSL") to build the SSLContext, and it worked.

I would like to know what the purpose of the protocol parameter is in SSLContext.getInstance(String protocol).

In particular, what changes between using SSLContext.getInstance("SSL") and SSLContext.getInstance("TLS"), or other possible values?

Answer 1

Here is a rather detailed answer that I wrote a while back describing the difference between SSL and TLS. In short, TLS is the successor of SSL, and TLS 1.0 can be considered as "SSL 3.1".

If you look at the JSSE Reference Guide, in the SSLContext section, it says:

These static methods each return an instance that implements at least the requested secure socket protocol. The returned instance may implement other protocols too. For example, getInstance("TLSv1") may return a instance which implements "TLSv1", "TLSv1.1" and "TLSv1.2".

This is also mentioned in the Standard Names document.

In particular, if you check the Oracle/OpenJDK 7 source code for SSLContextImpl, you'll find that all its SSLContexts support all protocols (from SSLv3 using an SSLv2 Client Hello to TLS 1.2). What differs is which protocols are enabled by default. In addition, you shouldn't rely on this in general, since other Java implementations (e.g. the IBM JRE) could behave differently.

If you want a particular set of protocols to be used for a connection, you should use SSLSocket or SSLEngine's setEnabledProtocols method. Otherwise, it will use the default values, as described in the Providers documentation.

Answer 2

Protocol is used for communicating between server and client. So SSLContext(String protocol) returns the instance of the protocol and then using that server or client communicate with each other for security level.

For more ref refer this link. http://www.herongyang.com/JDK/SSL-java-net-ssl-SSLContext-Class-Test.html