Showing posts with label Java. Show all posts

Sunday, July 23, 2017

CLCL

I was creating a presentation for the Denver/Boulder Cybersecurity meetup and I found myself, as usual, complaining.

I was decrying the state of Java and SSL, in particular, the lack of good tools and libraries for crypto stuff, when I decided to stop complaining and do something about it.  Sigh.  And so CLCL, the com ltsllc crypto library, was born.

CLCL is a collection of classes that I have taken from the Miranda project and put into their own library.  CLCL does not actually do anything; it just makes it easier to use classes that do all the crypto stuff.  Java and SSL have both been around for over 10 years.  It is about time they got some tools.


Thursday, June 22, 2017

Java and SSL: Welcome to the Dark Ages!


This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
  • If you have a Java and SSL expert...
  • SSL is difficult in Java NIO
  • Few tools are available
  • Even Stack Overflow was no help
All I can say about experts in the field of Java and SSL is that if you have one...KEEP THEM!  I found the combination of Java (NIO) and SSL to be very difficult.  And the Java world has had over 10 years (NIO was released in 2006) to fix this!

I found SSL to be ridiculously difficult in Java NIO.  For something as ubiquitous as SSL I was hoping to find it easier going.  Oh boy, was I wrong.

I had to fight SSL every step of the way.  If things became easy, I immediately became suspicious.  If I tried to do something "simple" in SSL, all the examples that I found generated warnings when I tried to use them.  When I found what I deemed a bug in one library, the person I worked with dismissed it as "not a bug."  The list goes on and on.

I found very few libraries or frameworks for SSL.  The only real alternative to the classes in the JDK is BouncyCastle, but I found BC to be very poorly documented (there is a one page "User Guide" that basically points you to some examples and the JavaDoc).  

Two frameworks that implement SSL are Apache Mina and Netty.  Interacting with Netty was where I had the "this is not a bug" experience.  I am dreading the day that I have to work with the Mina folks.

Examples with SSL are few and far between.  Many problems I just couldn't find an answer to.  I even posted a problem on Stack Overflow, expecting a dozen messages with titles like "Try THIS, bonehead," but no one replied.

As with all my experiences, your own experience may vary from mine.

Wednesday, March 1, 2017

Who is Responsible for nio TLS?

And I thought netty was bad...

It doesn't hold a candle to nio TLS...

Consider this link. My god, you would need to be a TLS expert to use it!  And this is from Oracle...

Putting the reasons aside for the moment, it seems clear that

  • nio TLS is non-trivial to use
  • There are very few libraries available
And this is after 10 years!

I am speechless.  Either developers are not using SSL/TLS with Java, or I am missing something.