SSL over java.net.URL (more thoughts)

John Wenn (jwenn@cp10.es.xerox.com)
Wed, 18 Mar 1998 08:01:40 PST

Message-Id: <350FEFE4.69B37DC3@cp10.es.xerox.com>
Date: Wed, 18 Mar 1998 08:01:40 PST
From: John Wenn <jwenn@cp10.es.xerox.com>
To: java-security@web1.javasoft.com, jwenn@cp10.es.xerox.com
Subject: SSL over java.net.URL (more thoughts)

Upon further reflection (and reading your Java Security Q&A archive),
one possibility came to me.

My Java Web Server has a self-signed certificate.

Since the SSLSocketFactory.defaultCipherSuites does not include any
anonymous variants (SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA and
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA are the 2 defaults), perhaps the
client is rejecting the server's credentials. If that's the case, the
error message "no cipher suites in common" is wrong and misleading.

So if this is the problem, is there any way to have a URL have an
anonymous cipher suite? The list of supported cipher suites lists 2
anonymous versions. If I create a SSLSocket I can change the cipher
suites by hand, but I don't see a way of doing it for URL's.

And if this isn't the problem, then nevermind.

/John