Thursday, June 22, 2017

Java and SSL: Welcome to the Dark Ages!


This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
  • If you have a Java and SSL expert...
  • SSL is difficult in Java NIO
  • Few tools are available
  • Even Stack Overflow was no help
All I can say about experts in the field of Java and SSL is that if you have one...KEEP THEM!  I found the combination of Java (NIO) and SSL to be very difficult.  And the Java world has had over 10 years (NIO was released in 2006) to fix this!

I found SSL to be ridiculously difficult in Java NIO.  For something as ubiquitous as SSL, I was hoping to find it easier going.  Oh boy, was I wrong.

I had to fight SSL every step of the way.  If things became easy, I immediately became suspicious.  If I tried to do something "simple" in SSL, all the examples that I found generated warnings when I tried to use them.  When I found what I deemed a bug in one library, the person I worked with dismissed it as "not a bug."  The list goes on and on.

I found very few libraries or frameworks for SSL.  The only real alternative to the classes in the JDK is BouncyCastle, but I found BC to be very poorly documented (there is a one-page "User Guide" that basically points you to some examples and the JavaDoc).

Two frameworks that implement SSL are Apache Mina and Netty.  Interacting with Netty was where I had the "this is not a bug" experience.  I am dreading the day that I have to work with the Mina folks.

Examples with SSL are few and far between.  Many problems I just couldn't find an answer to.  I even posted a problem on Stack Overflow, expecting a dozen messages with titles like "Try THIS, bonehead" but no one replied.

As with all my experiences, your own experience may vary from mine.

Java and SSL: What's in this Section?

This is the first of a series of posts about the worlds of Java and SSL.  I hope to do 1 post a day on this topic.  The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

SSL and Java

  • If you have a Java SSL expert...
  • How to create a new Certificate Authority
  • How to create a key pair in Java
  • How to create a certificate in Java
  • How to sign a certificate in Java
  • How to use a certificate in Java
  • Putting it all together: how to create a web service that uses SSL



Wednesday, June 21, 2017

Slides up on Slideshare

I just put my slides from my talk at DOSUG on Slideshare.  You can get them at https://www.slideshare.net/ClarkHobbie/miranda-77154415.

A Talk on Security

Recently, I asked to speak at the Denver/Boulder Cybersecurity Meetup. Pattie Kettle was kind enough to pencil me in for the August 10 meeting.

This leaves me with a problem.

My talk at DOSUG was around 40 minutes and doesn't address security directly.

So what I've decided to do is to add an "optional" section on SSL with Java.  I will use the five core topics (what is Miranda, why was it created, how it works, why it's reliable, and why it's secure) and then add on the "extra" topic. This should bring the talk up to 50 minutes, which should be acceptable.

I will blog about SSL and Java in the coming days.

Tuesday, June 6, 2017

Presented at DOSUG

(Finally) presented at DOSUG.  Slides available at ltsllc.com/talks as a PDF at http://ltsllc.com/talks/Miranda.pdf and as a PowerPoint presentation at http://ltsllc.com/talks/Miranda.pptx.

Tuesday, May 30, 2017

Slides up

For my legions of readers (hi Mom!) a PDF of my slides is up on the ltsllc site.

Sunday, May 7, 2017

Certificate Authorities

When a new instance of Miranda is created, the user(s) need to create a new Certificate Authority (CA).  The CA can be self-signed or signed by a recognized authority like Verisign.  The CA signs the certificate that a Miranda node is required to present upon joining the cluster.

This authenticates the server to the clients and validates a client wanting to join the cluster.

The clients need the CA's certificate so that when they communicate with the server, to publish a new event for example, they can establish an SSL connection.  The other servers need the CA's certificate to verify other servers' certificates when a remote system tries to join the cluster.

The CA's certificate thus has to be added to all the client truststores as well as all the server truststores.
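
The arrangement described above, sketched with the JDK's own classes as an added example (this is not Miranda's code). The class name, the alias "cluster-ca", and the three command-line arguments (CA certificate file in PEM or DER form, the node's PKCS#12 keystore, and its password) are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

public class ClusterTls {
    // Build a context that trusts ONLY the cluster CA and presents this node's certificate.
    static SSLContext build(String caFile, String nodeP12, char[] password) throws Exception {
        // Truststore: an in-memory keystore holding just the CA certificate,
        // so the JRE's default public CAs are not accepted for cluster links.
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(Paths.get(caFile))) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("cluster-ca", ca); // alias is a made-up name
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Keystore: this node's private key plus its CA-signed certificate chain.
        KeyStore keys = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(nodeP12))) {
            keys.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, password);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(args[0], args[1], args[2].toCharArray());
        // Accepting side of a node-to-node link: the handshake fails unless the
        // joining node presents a certificate that chains to the cluster CA.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        System.out.println("client certificate required: " + engine.getNeedClientAuth());
    }
}
```

A client that only publishes events would use the same truststore half and could pass `null` for the key managers, since it verifies the server but presents no certificate of its own.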