About Not-Yet-Commons-SSL

5 Design Goals:

  1. Make SSL and Java Easier. Ever wanted to work with self-signed certificates in your Java application in a secure fashion? Ever wanted to use more than one client certificate in a single running JVM? You can edit your $JAVA_HOME/jre/lib/security/cacerts file, and you can invoke Java with Both of these approaches are great at first, but they don't scale well. Do you really want to pollute every SSL socket in your JVM (HTTP, LDAP, JDBC, RMI, etc...) with those system-wide changes? Commons-SSL let's you control the SSL options you need in an natural way for each SSLSocketFactory, and those options won't bleed into the rest of your system.
  2. Improve Security. CRL checking turned on by default. We hope to add support for OCSP soon! It's obnoxious to have to download CRL files around 500KB each from Thawte and Verisign every 24 hours. OCSP improves on that.
  3. Improve Flexibility. Checking hostnames, expirations, CRL's, and many other options can be enabled/disabled for each SSLSocketFactory created.
  4. Support more file formats, and support these formats more robustly.
  5. Automatically detect type of KeyMaterial or TrustMaterial. Consumer does not need to know whether keystore is PKCS12 or JKS. They just need to know the password to decrypt the private key.