A free, pure Java SSL library
by Jason von Nieda
EspreSSL is a free, pure Java SSL implementation. After searching around
the web it seems that there are no free SSLs that are pure Java and the ones that do exist
are very highly priced. This project is meant to change that. We hope to provide a high
quality implementation of SSL with end user ease of use in mind. Check back often to
see where we are, or better yet, Volunteer to help!
Well, it’s been 3 years and 3 days since I last checked in. Nothing has changed except that you can now download the EspreSSL source code. I get requests for it all the time and since the export controls have been relaxed I don’t see any reason not to release it. This code is unsupported, unfinished and not working, so download it if you want to but don’t email me about it. I am no longer working on the project but I am keeping this site and the code up for archival and study purposes.
This is a e-mail I sent to the EspreSSL list the other day regarding current status.
EspreSSL (used to be jSSL) is basically dead because of a few different things.1) Sun has released JSSE which is a free, pure Java implementation of SSL. It remains to be seen if this will be free for commercial use.. I don’t see how they can unless RSA suddenly became much nicer about royalties.
2) Another project called PureTLS was released a while back which meets several of the goals of the EspreSSL project. This guy also seems to have more balls than I do about releasing export controlled software on the net without verification.
3) I got tired of worrying about export control laws and patent problems with RSA. EspreSSL was in the right all the way, but if someone felt like making my life miserable they probally could have since I don’t like long court battles. I felt the best way to deal with this was leave the code and binaries down, but this does not facilitate Open Source development.
The main goal of the project was to provide the world with a free, open and pure Java SSL toolkit. Others have done this so I lost interest in the project since the goal was met (albiet by someone else).
With that in mind, with the expiration of the RSA patent coming up in September and new laws about export from the US being forged as we speak, the project could come back to life. If this were to happen, I would be refocusing on making EspreSSL a 100% open provider of JSSE services since Sun was nice enough to make an API for us. I will post this message to the web site so other people can know what is going on.
talk to itself 🙂
Tonight I got SSLServerSocket working, so now we have client and server connections
working and SSLSocket can connect to a SSLServerSocket and exchange data. Pretty
Important! Just the other day a court ruled that crypto in source code format
is protected as free speech and therefore exportable. While it is expected that
the decision will be appealed, this is an important step to freeing crypto
code the way it should be. I will be watching this as it develops over the next
few weeks, and it might just mean that EspreSSL will be fully distributable from
this website without jumping through hoops! Keep your fingers crossed.
time I will be leaving them down until we have something more substantial to offer.
At this time EspreSSL is pretty worthless to anyone but the people developing
it and I am getting far too many enduser type questions via e-mail. The reason
that it doesn’t work is because it’s not done. Once EspreSSL is more of
a beta library instead of a development one I will have some links to download it.
In the meantime, development continues. If you are interested in helping with
the development and are a resident of the U.S. please
send me e-mail to get a CVS account.
I have also just added a section containing information about the legality of EspreSSL.
some conversations with a company that sells a similarly named product. To keep
things peaceful and on the up and up I decided to change the name from jSSL to EspreSSL. Hope ya like it!
The name change will take a little while to completly propagate. There are lots of links
to be changed all over the place. The http://vonnieda.org/jSSL link will still work
and will just redirect you here since that link is in all the search engines.
With the name change comes new development. I am finally getting to the point where I
have time and interest in working on this project some more. I hope to release
the current codebase within a day or two and start picking up development speed
over the next two weeks. As always, I will keep you updated right here.
I think the best way to do this is as a Q & A session. So, here goes:
Q1: I notice you are in the U.S. and therefore subject to export laws. How can
you write crypto software and distribute it?
A1: I can write crypto software inside the U.S. to my hearts content,
but I cannot distribute it outside the U.S. Right now EspreSSL is not downloadable
for this very reason. The only way to get at the source is to send me an e-mail
with a request for CVS access. I will then send back an application including things
such as home address and phone number to be sure that you are in the U.S.
Q2: SSL uses RSA, which is patented. How can you write SSL without licensing RSA?
A2: EspreSSL does not actually contain any crypto code. The way that it works
is that someone who wants to use EspreSSL would have to plug in their own
implementation for all the crypto algorithms. In the case of RSA, this could be
in the form of a licensed toolkit from RSA. EspreSSL supports the JCE 1.2 standard, so
anyone who has a JCE 1.2 compliant crypto provider will be able to plug it right
in with no hassle. In other words, EspreSSL by itself is worthless until you
plug in the crypto code. Another alternative is to not use RSA, but to use
Diffie-Hellman, which is also supported. Diffie-Hellman is patent free and
offers similar security to RSA.
Q3: Isn’t a U.S. only SSL implementation worthless to the global community?
A3: Yes, but, when EspreSSL has reached a 1.0 level of quality I hope to
be able to export it legally. I have two options, the first
is to deal with the export administration and have EspreSSL deamed exportable.
The second is to export it in the same way that PGP is currently exported. On
paper. The export administration guidelines for crypto export do not restrict the
export of cryptographic code on paper. This is my least favorite option and
is to be avoided if possible. Even if it does turn out to be the only
option, it will require much research and a better understanding of the
Q4: If it’s so difficult to do this inside the U.S. why don’t you let
someone else outside the U.S. do it so you won’t have to worry about
all these restrictions?
A4: Well, the fact is that noone was (or is) doing it when I started
the project. I saw the need for something like this, and decided to
do it. I would be more than happy to shut this project down the second
I found out that someone else had made a freely available Java SSL implementation.
If you are interested in the source code for EspreSSL you can download it below. Please keep in mind that the project is unfinished and abandoned, the code is useful for nothing more than study and I will not answer any questions about it. With that:
The current version of the EspreSSL source code is available here
|EspreSSL API Documentation (generated nightly)
|JavaLobby Foundation Applications
|Java SSL – A Java interface to SSLeay for Windows NT
|Jason von Nieda