How do I know the message is being encrypted / decrypted?
The idea behind a encryption layer is to abstract all of this from the programmer, presenting itself as a normal socket. That is, SSLSocket
opened? So the messages are yes being encrypted / deciphered. It's that simple! Have you ever seen in a movie the character ask, "Is this a safe line?"; in real life, the only right answer is "if you need to ask, then it is not safe ...".
Responding more accurately, the class SSLSocket
initiates the handshake protocol in one of the following circumstances:
- Explicitly, by calling the method
startHandshake
;
- Implicitly, if you try to read or write to this socket;
- Implicitly, if you call
getSession
and the handshake has not yet occurred.
If the handshake fails for any reason, the socket is automatically closed (without sending or receiving any data) and no further communication is possible.
How do I know which method is in use for this encryption / decryption?
Using SSLSocket.getSession()
, followed by SSLSession.getCipherSuite()
.
Will SSL only make the connection secure?
What do you call "safe"? SSL / TLS provides authenticity (the client knows it is communicating with the right server), confidentiality (no one can intercept and read communication) / strong> (if someone intercepts and tries to change the communication, this is detected). Note that unless you require the client also authenticates with a certificate , even after the connection is established the server still does not know who the client is. In this case, you need to implement client authentication yourself (for example, by asking for a username and password - which is the most common).
From the connection point of view, the use of SSL alone is sufficient to guarantee the properties described above. Of course, other aspects of your application may still require additional security (eg, if the client is a browser, you need to establish a session key to conveniently identify the user by storing it in a secure cookie, POST requests need to be protected against CSRF, etc.).
Is the encryption method used what is in the certificate generated by Keytool?
A certificate has a key pair that determines (or rather "restricts") the part of the encryption protocol. But other aspects do not depend on it. Personally, I know very little about these protocols, since it is a very specialized domain (if you want to know more about it, I suggest crypto.SE ).
In a answer to a related question I better explain what a certificate is and what it serves. In short, it is more responsible for identifying communication participants (server, and optionally client) than for protecting their communication.