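// Java Q&A by Cliff Berg -- Listing One (SSL client)
static final int MyServerPortNo = 1000;

SSLParams params = new SSLParams();

// Cipher suites this client will offer when negotiating with an SSL server.
// Listing an RSA suite advertises that we have RSA support.
// NOTE(review): SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA is an export-grade
// (40-bit DES) suite. Offering it lets the server negotiate encryption that
// is no longer considered secure; drop it unless legacy interoperability is
// a hard requirement.
short cs[] = {
    SSLParams.SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
    SSLParams.SSL_RSA_WITH_3DES_EDE_CBC_SHA
};
params.setClientCipherSuites(cs);

// The following five statements are needed only when the server requires
// client authentication: build the client certificate chain (client cert
// followed by the CA cert) and attach the matching private key.
SSLCertificate cert = new SSLCertificate();
cert.certificateList = new Vector();
cert.certificateList.addElement(new X509(new File("client-cert.der")));
cert.certificateList.addElement(new X509(new File("ca-cert.der")));
// NOTE(review): the key-file password is a hard-coded literal. In a real
// application obtain it at runtime (prompt or protected configuration)
// rather than embedding it in source, where it ends up in version control
// and in the compiled class.
cert.privateKey = new RSAPrivateKeyPKCS8("password",
        new File("encrypted-client-key.der"));
params.setClientCert(cert);

// Opening the socket performs the handshake; per the original listing this
// also checks the validity of every certificate up to the root certificate.
// NOTE(review): whether the handshake also verifies that the server
// certificate's subject matches "myserverhost.com" is not shown here --
// confirm, since chain validity alone does not bind the certificate to the
// host being contacted.
SSLSocket s = new SSLSocket("myserverhost.com", MyServerPortNo, params);

// Inspect the certificate chain the server presented (null if none).
SSLCertificate schain = s.getServerCert();
if (schain != null)
{
    // Reject the connection if the root CA of the server chain is not valid.
    // (Usually the application aborts when this exception is thrown.)
    // NOTE(review): Listing Two spells this accessor rootCAValid(); one of the
    // two spellings is presumably a typo -- confirm against the API.
    if (! schain.rootCAvalid())
        throw new Exception("Invalid CA certificate"); // fixed typo "Invaild"

    // Information about the root certificate. A real application would
    // typically expose this only on user request.
    X509 ca = schain.rootCA();
    System.out.println("CA=" + ca.getIssuer().toString());
    System.out.println("CA public key=" + ca.getPublicKey().toString());
}

// Plain text streams over the encrypted connection.
PrintWriter os = new PrintWriter(s.getOutputStream());
BufferedReader is = new BufferedReader(
        new InputStreamReader(s.getInputStream()));
// ...start reading and writing on connection...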
// Listing Two (SSL server)
SSLParams params = new SSLParams();

// Server certificate chain: the server cert first, then the CA cert, together
// with the server's private key (PKCS#8, stored encrypted on disk).
SSLCertificate cert = new SSLCertificate();
cert.certificateList = new Vector();
cert.certificateList.addElement(new X509(new File("server-cert.der")));
cert.certificateList.addElement(new X509(new File("ca-cert.der")));
// NOTE(review): the key-file password is embedded as a literal; production
// code should obtain it at runtime rather than from source.
cert.privateKey = new RSAPrivateKeyPKCS8("password",
        new File("encrypted-server-key.der"));
params.setServerCert(cert);

// Ask connecting clients for a certificate. The original listing calls this
// optional, but the checks after accept() below treat a missing client cert
// as fatal, so for this server it is effectively mandatory.
params.setRequestClientCert(true);

// Listen for connection requests. MyServerPortNo is assumed to be defined as
// in Listing One (static final int MyServerPortNo = 1000).
SSLServerSocket ss = new SSLServerSocket(MyServerPortNo, params);

// Accept one connection. In a real server this and everything that follows
// would run in a loop, handing each accepted socket to its own thread.
SSLSocket s = (SSLSocket)ss.accept();

// Client authentication: a certificate must be present and its root CA valid.
// NOTE(review): Listing One spells this accessor rootCAvalid(); confirm which
// spelling the API actually provides.
SSLCertificate clientChain = s.getClientCert();
if (clientChain == null)
    throw new Exception("Client has no certificate!");
if (! clientChain.rootCAValid())
    throw new Exception("Invalid CA certificate!");

// Plain text streams over the encrypted connection.
PrintWriter os = new PrintWriter(s.getOutputStream());
BufferedReader is = new BufferedReader(
        new InputStreamReader(s.getInputStream()));
//...start reading and writing on connection...