Encrypt data in transit in Windows, C++ and Java

Question

I have a requirement for encryption of "data in transit" for our client/server application. Our server is written in C++ running on Windows. Our clients are in C++ on Windows and also on Java. We use TCP/IP for our communication, make direct calls to the usual Winsock APIs like connect, send, bind, etc., and we use our own port numbers (none of which are 80 or 443). Of course, the Java client code makes standard Java TCP/IP networking calls to communicate with the Windows server. I'm still early on in the investigation and I'm trying to understand all the jumble of technologies, protocols, ciphers, etc. I found this article that looks great: [ https://www.codeproject.com/Articles/1000189/A-Working-TCP-Client-and-Server-With-SSL][1] The title of this article is SSL but it actually uses TLS 1.2. It seems that TLS 1.2 is a very good solution for us and it looks like it should be reasonably easy to add these encryption calls to our code.

So, my questions are: is TLS the way to go? Or, is there some other technology that would be a better fit? I don't want to overlook anything easier, like: "oh just turn on THIS setting and all your communications will be encrypted". Meaning: it would be nice to just have Windows do all the work for us. I don't think a 3rd party VPN would be appropriate for us b/c we want full control and customers would not want to trust a 3rd party with their sensitive data. The solution also needs to work with a client written in Java. Doing some quick googling: Java supports TLS and it should be able to negotiate the communication with our C++ Windows server, correct? I know there's HTTPS but since we're making direct calls to the Winsock APIs using our own port numbers, it doesn't appear that HTTPS is right for us, correct? I've also read about OpenSSL, but since it's a C-library, it doesn't appear appropriate for Java, correct?

Authentication: Since we're essentially a closed system (we own both the client and server), I think we'd only put a certificate on the server and only the clients would authenticate the server. I'd prefer to not add certs on the client.

One of my biggest concerns is getting this right. And my understanding is that security can be very tricky and you don't want to re-invent the wheel. Therefore, my preference would be to use some proven technology that works in C++ and Java, that is easy enough to add to our code, and provides the necessary encryption.

Answer 1

If you ensure that your application uses TLS for all of its network communications, and particularly if you use digital certificates (which are available but too-often not used), then your crypto requirement will be satisfied. The applications don't have to further encrypt their communications since the tunnel itself is secure.

I do very-strongly recommend the use of certificates on both ends. Certificates allow both parties to securely recognize each other, they can be individually revoked, and they can't be spoofed.

Another strong possibility to consider is VPN, particularly OpenVPN.