This article applies to BlackBerry® smartphones based on Java® technology.
The BlackBerry® Browser and BlackBerry applications are able to make use of Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connections. The following are the three possible routes available for making HTTPS connections:
For example, the following parameter sets the application to use end-to-end HTTPS connections:
When the SSL/TLS connection options on the BlackBerry smartphone are set to use end-to-end (Handheld) HTTPS mode, the BlackBerry MDS Connection Service opens the TCP connection with the origin server. It also maintains a separate connection with the BlackBerry smartphone. When those connections have been established, the BlackBerry MDS Connection Service passes the SSL/TLS-encrypted packets back and forth between the BlackBerry smartphone and the origin server. The encrypted packets are not decrypted at the BlackBerry MDS Connection Service, so the session remains protected from the origin server all the way to the BlackBerry smartphone.
BlackBerry MDS Connection Service and Proxy Servers
The BlackBerry MDS Connection Service can be configured to connect through a proxy server. The type of connection being made from the handheld determines whether the connection can be routed through a proxy server or whether MDS-CS connects directly to the destination server, bypassing proxy servers. Applications perform a range of functions, so there are different methods to connect a client-side application to an application server; for example, you may choose the “https:” or “ssl:” prefix, among other options. Each prefix tells MDS-CS to handle the traffic stream differently. With this in mind, MDS-CS has, by design, two types of proxy mapping: HTTP and HTTPS. These proxy mappings are easiest to identify by the connection handler that uses them. The following options are available:
If you use “https:” and do not specify another parameter to tell MDS-CS where the SSL termination point is (i.e. end-to-end, or proxied through MDS), MDS-CS behaves as a masquerading client. Under this behavior, the request arrives at MDS-CS and is assigned to an HTTPS connection handler. If an HTTPS proxy mapping exists, the handler observes it; if not, the connection continues directly to the destination server.
If you use “ssl:” with no option to force an end-to-end tunnel, the request reaches MDS-CS and is assigned to a TLS connection handler. With a TLS connection handler, the data portion of the stream may be expected to remain uninterrupted, but the client may wish MDS-CS to terminate the SSL tunnel. For this type of connection there are no proxy settings.
A connection from a client-side application to an application server may need to create a secure tunnel from the device to the application server. Some organizations require this for heightened security when the “AES to BES to MDS-(SSL)-to application server” path is not sufficient for their regulatory reasons. End-to-end is a parameter that can be specified with “https:” and “ssl:” (among others). It tells the MDS Connection Service to treat the connection as end-to-end, in other words as “an uninterrupted TCP stream”. This type of connection does not observe proxy settings because end-to-end connections (regardless of their prefix) are not handled within the HTTP or HTTPS connection handlers.
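The three options above, as an added decision model of which MDS-CS handler a connection string lands in and whether a proxy mapping applies; this is illustrative code, not RIM's implementation. It assumes BlackBerry-style connection strings with `;Param=Value` suffixes, that the end-to-end flag is spelled `EndToEndRequired`, and the proxy host names are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample proxy mappings of the two types MDS-CS supports.
PROXY_MAPPINGS: Dict[str, str] = {
    "http": "proxy.corp.example:8080",
    "https": "proxy.corp.example:8443",
}


@dataclass
class Route:
    handler: str           # "http", "https", "tls" or "end-to-end"
    proxy: Optional[str]   # proxy MDS-CS would go through; None means direct


def parse_connection_string(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'scheme://target;Param=Value;Flag' into scheme, target, params."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("connection string needs a scheme: " + url)
    target, *raw_params = rest.split(";")
    params: Dict[str, str] = {}
    for raw in raw_params:
        key, _, value = raw.partition("=")
        # A bare flag such as ';EndToEndRequired' counts as true.
        params[key.strip().lower()] = value.strip().lower() or "true"
    return scheme.lower(), target, params


def route(url: str, proxy_mappings: Dict[str, str]) -> Route:
    """Decide the MDS-CS handler and proxy for one connection string."""
    scheme, _, params = parse_connection_string(url)
    # End-to-end: an uninterrupted TCP stream, so neither the HTTP nor the
    # HTTPS handler is involved and no proxy mapping is consulted.
    if params.get("endtoendrequired") == "true":   # assumed flag name
        return Route("end-to-end", None)
    if scheme == "https":
        # Masquerading client: the HTTPS handler observes the HTTPS mapping.
        return Route("https", proxy_mappings.get("https"))
    if scheme == "ssl":
        # TLS handler: MDS-CS may terminate TLS but has no proxy settings.
        return Route("tls", None)
    if scheme == "http":
        return Route("http", proxy_mappings.get("http"))
    raise ValueError("unsupported scheme: " + scheme)
```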