4

Is it possible to use ssl with HttpURLConnection without using a certificate in Java?

I want to use a random number or a symmetric key.

user207421
newCommer

6 Answers

2

Although SSL/TLS doesn't strictly require certificates, HTTPS expects certificates, since RFC 2818 (in particular, Section 3.1) clearly refers to X.509 certificates.

You'll find more details in this answer on ServerFault, to a very similar question.

Whatever you do without a certificate will be out of the scope of RFC 2818, but it might still work (and make sense). However, whether it is supported by other implementations may vary. If you choose not to use certificates, you'll still need a way to verify the identity of the server to ensure the security of the communication.

EDIT:

The Oracle provider for JSSE doesn't support PSK cipher suites (or OpenPGP certs). The closest to a shared key you'll get out of that are Kerberos cipher suites.

Bruno
  • It's also necessary to note that RFC 2818 was introduced long before those alternative methods were introduced in TLS. Consequently the RFC explicitly mentions certificates because nothing else was available by that time. Also, server identity can be confirmed by knowing a shared secret key (in case of PSK suites) or by trusting the OpenPGP key (when OpenPGP is used for authentication). – Eugene Mayevski 'Callback Jun 07 '12 at 11:48
  • @EugeneMayevski'EldoSCorp, just out of curiosity, does the *SecureBlackbox* integrate as an additional provider within the JSSE API (thereby making these cipher suites available to traditional Java applications), or does it require a completely different API? – Bruno Jun 07 '12 at 11:53
  • Yes, it does for basic cryptography, but for SSL and other high-level stuff there's a different API provided, simpler to use and more flexible. – Eugene Mayevski 'Callback Jun 07 '12 at 11:59
2

Yes, you can use pre-shared keys to establish a TLS connection; no certificates are needed.

Clover released TLS PSK JSSE socket factories powered by Bouncy Castle.

See https://github.com/clover?q=pskfactories

Alternatively WolfSSL also appears to have a JSSE implementation that supports PSK. It relies on native code unfortunately so likely a bit more work to get up and running than if it was pure Java. It's also GPLv2 unless you purchase a commercial license.

See https://www.wolfssl.com/products/wolfssl-jni-jsse/

satur9nine
1

No, you can't. You need a certificate to connect via HTTPS. You could use a self-signed-certificate for your purposes.

stzoannos
  • This answer is incorrect, in 2005 pre-shared key TLS was introduced: https://datatracker.ietf.org/doc/html/rfc4279 – satur9nine Jan 31 '22 at 20:38
1

Yes, you can use several different authentication methods in SSL/TLS, including symmetric keys (PSK cipher suites) and username/password combinations (SRP cipher suites). I can't say about Java built-in mechanisms, but our SecureBlackbox product (including its Java edition) lets you use the mentioned mechanisms on both the client and server side of an SSL/TLS channel. This applies to the provided HTTPS client and server components as well.

Eugene Mayevski 'Callback
0

Look at the accepted answer on the following question:

How to ignore SSL certificate errors in Apache HttpClient 4.0

You just need to create a TrustManager that basically doesn't check anything and just trusts everything. Although I can see why this is useful whilst developing, this does kind of negate the purpose of SSL. The TrustManager is there to avoid Man In The Middle attacks, where a third party poses as the server to intercept and manipulate data etc., therefore if you don't verify the server's certificate, anybody could provide an 'invalid' certificate!

Andy
  • That's still using a certificate, though (and insecure of course). The question doesn't seem to want to compromise on security, but want to use a (pre-shared) symmetric key. – Bruno Jun 07 '12 at 13:14
-2

SSL requires a certificate, but you can create a self-signed certificate like this:

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

This certificate will be stored in keystore.jks and be valid for 360 days.

Depending on your HTTP server implementation, you would typically point it to the keystore by providing a keystoreFile argument, and a keystorePass to set the password (property names taken from Apache Tomcat's HTTP Connector, but they are similar in other HTTP servers).

Edvin Syse
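As an added example, not taken from any of the answers above, here is the client side that goes with Edvin Syse's keytool step and avoids the trust-everything TrustManager Andy's answer warns against: the HttpURLConnection trusts only the server's exported self-signed certificate, so any other certificate (a MITM's included) is still rejected and hostname verification stays on. The file name server.crt, the alias pinned-server and the localhost URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedSelfSignedClient {

    // Build an SSLContext that trusts exactly one certificate: the server's own
    // self-signed cert, exported from keystore.jks with e.g.
    //   keytool -exportcert -alias selfsigned -keystore keystore.jks -file server.crt
    // Nothing else is trusted, so a different certificate fails the handshake.
    static SSLContext contextTrustingOnly(String certPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(certPath)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        // Fresh in-memory trust store containing only that certificate
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", serverCert); // assumed alias

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: exported cert next to the program, server on localhost
        String certPath = args.length > 0 ? args[0] : "server.crt";
        String url = args.length > 1 ? args[1] : "https://localhost:8443/";

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Scoped to this connection; the JVM-wide default SSLSocketFactory is untouched
        conn.setSSLSocketFactory(contextTrustingOnly(certPath).getSocketFactory());
        // The default HostnameVerifier is kept, so the cert's CN/SAN must match the URL host
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The certificate must have been generated with a CN or SAN matching the host in the URL, otherwise the (intentionally kept) hostname check fails.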