PureTLS

PureTLS is a free Java-only implementation of the SSLv3 and TLSv1 (RFC2246) protocols. PureTLS was developed by Eric Rescorla for Claymore Systems, Inc. but is being distributed for free because we believe that basic network security is a public good and should be a commodity. PureTLS is licensed under a Berkeley-style license, which basically means that you can do anything you want with it, provided that you give us credit and retain our copyrights.

0.9b5 Released!

The current version of PureTLS is 0.9b5.

0.9b5 is a bugfix release which includes:

SECURITY: Zero OPTIONAL values before parsing. This prevents bleedthrough of those values from previously parsed certificates into certificates where they are missing. This is a workaround for a bug in the Cryptix ASN.1 kit.
The only relevant values are Extensions and Algorithm.Parameters. In practice this should not be a problem with Algorithm.Parameters Since they're NULL in RSA certificates and always present in real DSA certificates. If you rely on Extensions you should upgrade as soon as possible.
Note: extensions processing is still only partially tested. Use with care.
Trim all leading zeros from DH shared keys. This fixes a rare compatibility problem.
Fix handling of pathLen constraints. We were off by one, causing some valid certificates to be rejected.

If you are installing PureTLS for the first time, you should use 0.9b5.

Bug reports should be sent to EKR.

Functionality

PureTLS implements the SSLv3 and TLSv1 protocols, with the following cipher suites:

	TLS_DHE_DSS_WITH_DES_CBC_SHA   
	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
	TLS_RSA_WITH_DES_CBC_SHA
	TLS_RSA_WITH_RC4_128_MD5
	TLS_RSA_WITH_RC4_128_SHA
	TLS_RSA_EXPORT_WITH_RC4_40_MD5
	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

Both client authentication and renegotiation are supported. PureTLS is able to read keys out of a subset of OpenSSL style keyfiles, which makes importing keying material (e.g. from OpenSSL) easy.

Downloading

PureTLS is now available worldwide, due to a change in US export rules!

1. You'll definitely need the PureTLS distribution.

2. You'll need Cryptix, version 3.2.

3. PureTLS depends on the Cryptix ASN.1 kit, but unfortunately the released version contains problems that make it unusable. As a public service, we provide a pre-compiled directory tree that will work here.

4. To run the demo programs, you'll also need GNU getopt. PureTLS itself runs fine without it but the demo programs don't.

5. You may also want to download the Claymore GoNative Provider which provides native accelerated versions of critical crypto routines. PureTLS with GNP is about 10x faster than unaccelerated PureTLS.

Mailing List

Discussion of PureTLS takes place on the puretls-users mailing list.
Subscription is handled by Majordomo. to subscribe send mail to puretls-users-request@rtfm.com with the text "subscribe" (without the quotes) in the message body.
To send mail to the list, send it to puretls-users@rtfm.com

Compatibility

PureTLS was developed under JDK 1.2 on FreeBSD 4.6.2. It is believed to work under any JDK version greater than 1.1.

What's Missing?

We're planning on adding the following features in the near future. Your feedback will help us decide what order things are done in.

Full JCE support: We implement some of our own algorithms and they're not implemented in a totally JCE compatible fashion.
Support for PKCS-12 keyfiles.
A programmer's guide to go along with the Javadoc

Known Bugs

We don't do anything to defend against timing analysis of DSA or DH.
Certificate checking is still pretty primitive. Version 0.9b3 and later have configurable and mostly untested support for checking some certificate extensions, such as Basic Constraints and Key Usage. The programmer is encouraged to independently verify certificate chain length as backup. The programmer must check the certificate identity against the expected identity.
A lot of the handshake classes use internals of other handshake classes. This should be cleaned up.

Advice

Advice: DH is safest if you use a Sophie-Germain prime The DH group included with PureTLS in dh1024.pem is a Sophie-Germain prime but if you're generating your own group you'll want to make sure of this on your own. Current versions of OpenSSL generate S-G primes. The automatic prime generation in PureTLS does not generate S-G primes unless you tell it to explicitly because it makes prime generation is unbelievably slow in Java. So, my advice is to either use the supplied group (nothing wrong with this) or generate your own DH group using OpenSSL.

PGP Signature

Here's a PGP signature for version 0.9b5:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQBCnzFX3n8ERpUIz6cRAluUAKCjjFBjlPaiOnkVJqgNJnvbecslVwCgg+Ro
TqZ49wzUjaWszakMKS8jzyM=
=L0Ym
-----END PGP SIGNATURE-----

Here's a PGP signature for version 0.9b4.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQA+tSwi3n8ERpUIz6cRAv8jAKCQSIO1EUBBhL/kcoo9wPPeXhkGdgCfUTb6
bawMk0d97flQ3dZqyV3u7hE=
=FVXu
-----END PGP SIGNATURE-----

Here's a PGP signature for version 0.9b3.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQA9rX993n8ERpUIz6cRAjipAJ9Alu9h3opmzc6Sn1dZBWci5C0bGwCfbBSe
ljHdxxNsiccktXvd08Hke6o=
=YTFC
-----END PGP SIGNATURE-----

My key fingerprint is:

465E 8A2B 9258 E9CA CE65  1DC3 DE7F 0446 9508 CFA7

Shameless Plug

Extremely detailed coverage of SSL/TLS can be found in

SSL and TLS: Designing and Building Secure Systems
Eric Rescorla
Addison-Wesley, 2001
ISBN 0-201-61598-3

SSL and TLS contains quite a bit of material about programming with PureTLS. If you like PureTLS and want to learn about SSL, you might consider buying my book.

I also do security consulting, mainly systems design and analysis. If you're interested in this, contact me at ekr@rtfm.com or see the RTFM, Inc. homepage.