EspreSSL

 

A free, pure Java SSL library
by Jason von Nieda 

[News] [Download] [Library] [Legal] [Team]

EspreSSL is a free, pure Java SSL implementation. After searching around
the web it seems that there are no free SSLs that are pure Java and the ones that do exist
are very highly priced. This project is meant to change that. We hope to provide a high
quality implementation of SSL with end user ease of use in mind. Check back often to
see where we are, or better yet, Volunteer to help!

 

News

  • (02/05/2003)
    Well, it’s been 3 years and 3 days since I last checked in. Nothing has changed except that you can now download the EspreSSL source code. I get requests for it all the time and since the export controls have been relaxed I don’t see any reason not to release it. This code is unsupported, unfinished and not working, so download it if you want to but don’t email me about it. I am no longer working on the project but I am keeping this site and the code up for archival and study purposes.
  • (02/02/2000)
    This is a e-mail I sent to the EspreSSL list the other day regarding current status.
    EspreSSL (used to be jSSL) is basically dead because of a few different things.1) Sun has released JSSE which is a free, pure Java implementation of SSL. It remains to be seen if this will be free for commercial use.. I don’t see how they can unless RSA suddenly became much nicer about royalties. 

    2) Another project called PureTLS was released a while back which meets several of the goals of the EspreSSL project. This guy also seems to have more balls than I do about releasing export controlled software on the net without verification.

    3) I got tired of worrying about export control laws and patent problems with RSA. EspreSSL was in the right all the way, but if someone felt like making my life miserable they probally could have since I don’t like long court battles. I felt the best way to deal with this was leave the code and binaries down, but this does not facilitate Open Source development.

    The main goal of the project was to provide the world with a free, open and pure Java SSL toolkit. Others have done this so I lost interest in the project since the goal was met (albiet by someone else).
    With that in mind, with the expiration of the RSA patent coming up in September and new laws about export from the US being forged as we speak, the project could come back to life. If this were to happen, I would be refocusing on making EspreSSL a 100% open provider of JSSE services since Sun was nice enough to make an API for us. I will post this message to the web site so other people can know what is going on.

  • (05/08/1999) Well, EspreSSL has reached a major milestone tonight. It can now
    talk to itself 🙂
    Tonight I got SSLServerSocket working, so now we have client and server connections
    working and SSLSocket can connect to a SSLServerSocket and exchange data. Pretty
    cool huh?
    Important! Just the other day a court ruled that crypto in source code format
    is protected as free speech and therefore exportable. While it is expected that
    the decision will be appealed, this is an important step to freeing crypto
    code the way it should be. I will be watching this as it develops over the next
    few weeks, and it might just mean that EspreSSL will be fully distributable from
    this website without jumping through hoops! Keep your fingers crossed.
  • (05/02/1999) I have just taken down the links to the source code again. This
    time I will be leaving them down until we have something more substantial to offer.
    At this time EspreSSL is pretty worthless to anyone but the people developing
    it and I am getting far too many enduser type questions via e-mail. The reason
    that it doesn’t work is because it’s not done.
    Once EspreSSL is more of
    a beta library instead of a development one I will have some links to download it.
    In the meantime, development continues. If you are interested in helping with
    the development and are a resident of the U.S. please
    send me e-mail to get a CVS account.
    I have also just added a section containing information about the legality of EspreSSL.
  • (04/23/1999) jSSL has been renamed to EspreSSL. This name change is due to
    some conversations with a company that sells a similarly named product. To keep
    things peaceful and on the up and up I decided to change the name from jSSL to EspreSSL. Hope ya like it!
    The name change will take a little while to completly propagate. There are lots of links
    to be changed all over the place. The http://www.vonnieda.org/jSSL link will still work
    and will just redirect you here since that link is in all the search engines.
    With the name change comes new development. I am finally getting to the point where I
    have time and interest in working on this project some more. I hope to release
    the current codebase within a day or two and start picking up development speed
    over the next two weeks. As always, I will keep you updated right here. 

    Legal

    I think the best way to do this is as a Q & A session. So, here goes:

    Q1: I notice you are in the U.S. and therefore subject to export laws. How can
    you write crypto software and distribute it?

    A1: I can write crypto software inside the U.S. to my hearts content,
    but I cannot distribute it outside the U.S. Right now EspreSSL is not downloadable
    for this very reason. The only way to get at the source is to send me an e-mail
    with a request for CVS access. I will then send back an application including things
    such as home address and phone number to be sure that you are in the U.S.

    Q2: SSL uses RSA, which is patented. How can you write SSL without licensing RSA?
    A2: EspreSSL does not actually contain any crypto code. The way that it works
    is that someone who wants to use EspreSSL would have to plug in their own
    implementation for all the crypto algorithms. In the case of RSA, this could be
    in the form of a licensed toolkit from RSA. EspreSSL supports the JCE 1.2 standard, so
    anyone who has a JCE 1.2 compliant crypto provider will be able to plug it right
    in with no hassle. In other words, EspreSSL by itself is worthless until you
    plug in the crypto code. Another alternative is to not use RSA, but to use
    Diffie-Hellman, which is also supported. Diffie-Hellman is patent free and
    offers similar security to RSA.

    Q3: Isn’t a U.S. only SSL implementation worthless to the global community?
    A3: Yes, but, when EspreSSL has reached a 1.0 level of quality I hope to
    be able to export it legally. I have two options, the first
    is to deal with the export administration and have EspreSSL deamed exportable.
    The second is to export it in the same way that PGP is currently exported. On
    paper. The export administration guidelines for crypto export do not restrict the
    export of cryptographic code on paper. This is my least favorite option and
    is to be avoided if possible. Even if it does turn out to be the only
    option, it will require much research and a better understanding of the
    export laws.

    Q4: If it’s so difficult to do this inside the U.S. why don’t you let
    someone else outside the U.S. do it so you won’t have to worry about
    all these restrictions?

    A4: Well, the fact is that noone was (or is) doing it when I started
    the project. I saw the need for something like this, and decided to
    do it. I would be more than happy to shut this project down the second
    I found out that someone else had made a freely available Java SSL implementation.

    Download

    If you are interested in the source code for EspreSSL you can download it below. Please keep in mind that the project is unfinished and abandoned, the code is useful for nothing more than study and I will not answer any questions about it. With that:
    The current version of the EspreSSL source code is available here

    Library

  • Documentation
    EspreSSL API Documentation (generated nightly)

    http://seanreilly.com/java/jssl/api/packages.html

  • Specifications
    SSLv2

    http://www.cs.bris.ac.uk/~bradley/publish/SSLP/Appendix/SSL_old.html
    SSLv3
    http://home.netscape.com/eng/ssl3/draft302.txt


    http://home.netscape.com/eng/ssl3/3-SPEC.HTM
    RC4

    http://www.cs.uwf.edu/~wilde/CEN6990/papers/boone/RC4.htm
    RSA

    http://www.rsa.com/rsalabs/faq/html/3-1.html
    The Java SASL Application Program Interface

    ftp://ftp.ietf.org/internet-drafts/draft-weltman-java-sasl-01.txt

  • Important Links
    JavaLobby Foundation Applications

    http://www.javalobby.org/jfa
    Java SSL – A Java interface to SSLeay for Windows NT

    http://www.bpsinfo.com/javassl/

    Team

    Name Role
    Jason von Nieda Project Lead/Programmer
    Rob Melby Programmer
    Sean Reilly Programmer
  • 2 thoughts on “EspreSSL”

    1. Hi

      I need a SSL library that would work with or could be ported to, the Eve VM http://www.ewesoft.com

      Sun’s library and also pureTLS have too many dependant classes that are not supported in Eve.

      So, I wanted to download the source code of EspreSSL, but the download link does not work. Is the source code still available? Where could I get it?

      Best regards
      Tom Arn

    Leave a Reply

    Your email address will not be published. Required fields are marked *