This post is part of a series about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
- If you have a Java and SSL Expert...
- SSL is difficult in Java NIO
- Few tools are available
- Even Stack Overflow was no help
All I can say about experts in the field of Java and SSL is that if you have one...KEEP THEM! I found the combination of Java (NIO) and SSL to be very difficult. And the Java world has had over 10 years (NIO was released in 2006) to fix this!
I found SSL to be ridiculously difficult in Java NIO. For something as ubiquitous as SSL I was hoping to find it easier going. Oh boy, was I wrong.
I had to fight SSL every step of the way. If things became easy, I immediately became suspicious. If I tried to do something "simple" in SSL, all the examples that I found generated warnings when I tried to use them. When I found what I deemed a bug in one library, the person I worked with dismissed it as "not a bug." The list goes on and on.
I found very few libraries or frameworks for SSL. The only real alternative to the classes in the JDK is BouncyCastle, but I found BC to be very poorly documented (there is a one page "User Guide" that basically points you to some examples and the JavaDoc).
Two frameworks that implement SSL are Apache Mina and Netty. Interacting with Netty was where I had the "this is not a bug" experience. I am dreading the day that I have to work with the Mina folks.
Examples with SSL are few and far between. Many problems I just couldn't find an answer to. I even posted a problem on Stack Overflow, expecting a dozen messages with titles like "Try THIS, bonehead" but no one replied.
As with all my experiences, your own experience may vary from mine.