public class SSLParameters extends Object

SSLParameters can be created via the constructors in this class. Objects can also be obtained using the getSSLParameters() methods in SSLSocket, SSLServerSocket and SSLEngine, or the getDefaultSSLParameters() and getSupportedSSLParameters() methods in SSLContext.

SSLParameters can be applied to a connection via the methods SSLSocket.setSSLParameters(), SSLServerSocket.setSSLParameters() and SSLEngine.setSSLParameters().

For example:

```java
SSLParameters p = sslSocket.getSSLParameters();
p.setProtocols(new String[] { "TLSv1.2" });
p.setCipherSuites(new String[] {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    // ... further suites, in preference order
});
p.setApplicationProtocols(new String[] { "h2", "http/1.1" });
sslSocket.setSSLParameters(p);
```

See Also:
SSLSocket, SSLEngine, SSLContext
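The snippet above hard-codes protocol and cipher suite names; on a runtime that does not support one of them, setSSLParameters() rejects the whole list with an IllegalArgumentException. The following is an added example, not code from the SSLParameters documentation, of a client-side configuration that filters its preference lists against what the socket reports as supported, turns on hostname verification ("HTTPS" endpoint identification), and offers ALPN protocols. The class, method names and the preferred protocol/suite lists are this example's own choices.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class ClientParameters {

    // Preference lists, most preferred first. These are this example's own
    // choices; the documentation only shows TLSv1.2 and one ECDHE suite.
    static final String[] PREFERRED_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };
    static final String[] PREFERRED_SUITES = {
        "TLS_AES_128_GCM_SHA256",                  // TLS 1.3 suite, absent on older runtimes
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    /**
     * Keeps the entries of preferred that the runtime actually supports, in
     * preference order. Asking for an unsupported name would make
     * setSSLParameters throw IllegalArgumentException, so filter first.
     */
    static String[] preferredSupported(String[] preferred, String[] supported) {
        List<String> available = Arrays.asList(supported);
        List<String> chosen = new ArrayList<>();
        for (String name : preferred) {
            if (available.contains(name)) {
                chosen.add(name);
            }
        }
        return chosen.toArray(new String[0]);
    }

    /** Configures a client-mode SSLSocket before its handshake starts. */
    static void hardenClient(SSLSocket socket) {
        SSLParameters p = socket.getSSLParameters();

        String[] protocols = preferredSupported(PREFERRED_PROTOCOLS, socket.getSupportedProtocols());
        String[] suites = preferredSupported(PREFERRED_SUITES, socket.getSupportedCipherSuites());
        if (protocols.length == 0 || suites.length == 0) {
            // Refuse to fall back to whatever the runtime enables by default.
            throw new IllegalStateException("runtime supports none of the preferred protocols or suites");
        }
        p.setProtocols(protocols);
        p.setCipherSuites(suites);

        // Verify the server certificate's identity against the hostname the
        // socket was opened for; without this the trust manager validates the
        // chain but does not check who the certificate was issued to.
        p.setEndpointIdentificationAlgorithm("HTTPS");

        // Offer ALPN protocols in preference order; the selecting side picks the first match.
        p.setApplicationProtocols(new String[] { "h2", "http/1.1" });

        socket.setSSLParameters(p);
    }
}
```

Call hardenClient() before startHandshake() or the first read/write on the socket; once the handshake has run, socket.getSession().getProtocol() and getCipherSuite() show what was actually negotiated and can be checked against the preference lists.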
Constructor | Description
---|---
SSLParameters() | Constructs SSLParameters.
SSLParameters(String[] cipherSuites) | Constructs SSLParameters from the specified array of ciphersuites.
SSLParameters(String[] cipherSuites, String[] protocols) | Constructs SSLParameters from the specified array of ciphersuites and protocols.
Modifier and Type | Method | Description
---|---|---
AlgorithmConstraints | getAlgorithmConstraints() | Returns the cryptographic algorithm constraints.
String[] | getApplicationProtocols() | Returns a prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols.
String[] | getCipherSuites() | Returns a copy of the array of ciphersuites or null if none have been set.
boolean | getEnableRetransmissions() | Returns whether DTLS handshake retransmissions should be enabled.
String | getEndpointIdentificationAlgorithm() | Gets the endpoint identification algorithm.
int | getMaximumPacketSize() | Returns the maximum expected network packet size in bytes for SSL/TLS/DTLS records.
boolean | getNeedClientAuth() | Returns whether client authentication should be required.
String[] | getProtocols() | Returns a copy of the array of protocols or null if none have been set.
List<SNIServerName> | getServerNames() | Returns a List containing all SNIServerNames of the Server Name Indication (SNI) parameter, or null if none has been set.
Collection<SNIMatcher> | getSNIMatchers() | Returns a Collection containing all SNIMatchers of the Server Name Indication (SNI) parameter, or null if none has been set.
boolean | getUseCipherSuitesOrder() | Returns whether the local cipher suites preference should be honored.
boolean | getWantClientAuth() | Returns whether client authentication should be requested.
void | setAlgorithmConstraints(AlgorithmConstraints constraints) | Sets the cryptographic algorithm constraints, which will be used in addition to any configured by the runtime environment.
void | setApplicationProtocols(String[] protocols) | Sets the prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols.
void | setCipherSuites(String[] cipherSuites) | Sets the array of ciphersuites.
void | setEnableRetransmissions(boolean enableRetransmissions) | Sets whether DTLS handshake retransmissions should be enabled.
void | setEndpointIdentificationAlgorithm(String algorithm) | Sets the endpoint identification algorithm.
void | setMaximumPacketSize(int maximumPacketSize) | Sets the maximum expected network packet size in bytes for SSL/TLS/DTLS records.
void | setNeedClientAuth(boolean needClientAuth) | Sets whether client authentication should be required.
void | setProtocols(String[] protocols) | Sets the array of protocols.
void | setServerNames(List<SNIServerName> serverNames) | Sets the desired SNIServerNames of the Server Name Indication (SNI) parameter.
void | setSNIMatchers(Collection<SNIMatcher> matchers) | Sets the SNIMatchers of the Server Name Indication (SNI) parameter.
void | setUseCipherSuitesOrder(boolean honorOrder) | Sets whether the local cipher suites preference should be honored.
void | setWantClientAuth(boolean wantClientAuth) | Sets whether client authentication should be requested.
public SSLParameters()

Constructs SSLParameters. The values of cipherSuites, protocols, cryptographic algorithm constraints, endpoint identification algorithm, server names and server name matchers are set to null; useCipherSuitesOrder, wantClientAuth and needClientAuth are set to false; enableRetransmissions is set to true; maximum network packet size is set to 0.
public SSLParameters(String[] cipherSuites)

Constructs SSLParameters from the specified array of ciphersuites. Calling this constructor is equivalent to calling the no-args constructor followed by setCipherSuites(cipherSuites);.

Parameters:
cipherSuites - the array of ciphersuites (or null)

public SSLParameters(String[] cipherSuites, String[] protocols)

Constructs SSLParameters from the specified array of ciphersuites and protocols. Calling this constructor is equivalent to calling the no-args constructor followed by setCipherSuites(cipherSuites); setProtocols(protocols);.

Parameters:
cipherSuites - the array of ciphersuites (or null)
protocols - the array of protocols (or null)

public String[] getCipherSuites()

Returns a copy of the array of ciphersuites or null if none have been set.

public void setCipherSuites(String[] cipherSuites)

Sets the array of ciphersuites.

Parameters:
cipherSuites - the array of ciphersuites (or null)

public String[] getProtocols()

Returns a copy of the array of protocols or null if none have been set.

public void setProtocols(String[] protocols)

Sets the array of protocols.

Parameters:
protocols - the array of protocols (or null)

public boolean getWantClientAuth()

Returns whether client authentication should be requested.

public void setWantClientAuth(boolean wantClientAuth)

Sets whether client authentication should be requested. Calling this method clears the needClientAuth flag.

Parameters:
wantClientAuth - whether client authentication should be requested

public boolean getNeedClientAuth()

Returns whether client authentication should be required.

public void setNeedClientAuth(boolean needClientAuth)

Sets whether client authentication should be required. Calling this method clears the wantClientAuth flag.

Parameters:
needClientAuth - whether client authentication should be required

public AlgorithmConstraints getAlgorithmConstraints()

Returns the cryptographic algorithm constraints.

See Also:
setAlgorithmConstraints(AlgorithmConstraints)

public void setAlgorithmConstraints(AlgorithmConstraints constraints)

Sets the cryptographic algorithm constraints, which will be used in addition to any configured by the runtime environment. If the constraints parameter is non-null, every cryptographic algorithm, key and algorithm parameters used in the SSL/TLS/DTLS handshake must be permitted by the constraints.

Parameters:
constraints - the algorithm constraints (or null)

public String getEndpointIdentificationAlgorithm()

Gets the endpoint identification algorithm.

See Also:
X509ExtendedTrustManager, setEndpointIdentificationAlgorithm(String)

public void setEndpointIdentificationAlgorithm(String algorithm)

Sets the endpoint identification algorithm. If the algorithm parameter is non-null or non-empty, the endpoint identification/verification procedures must be handled during SSL/TLS/DTLS handshaking. This is to prevent man-in-the-middle attacks.

Parameters:
algorithm - the standard string name of the endpoint identification algorithm (or null). See Appendix A in the Java Cryptography Architecture API Specification & Reference for information about standard algorithm names.

See Also:
X509ExtendedTrustManager
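setAlgorithmConstraints() above says only that every algorithm, key and parameter set used in the handshake must be permitted by the constraints object; it does not show what such an object looks like. The following is an added example, not part of the documentation, of a java.security.AlgorithmConstraints implementation that rejects MD5/SHA-1-based and anonymous or NULL algorithm names and enforces minimum RSA and EC key sizes, applied on top of whatever the runtime already disables. The class name, the threshold values and the name-matching rules are this example's own choices; which algorithm name strings the provider passes to permits() is provider-defined, so the string checks are deliberately broad.

```java
import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/** Example constraints: no MD5/SHA-1, no anonymous or NULL suites, minimum key sizes. */
public class MinimumStrengthConstraints implements AlgorithmConstraints {

    private final int minRsaBits;
    private final int minEcBits;

    MinimumStrengthConstraints(int minRsaBits, int minEcBits) {
        this.minRsaBits = minRsaBits;
        this.minEcBits = minEcBits;
    }

    /**
     * Name-based check. The provider calls this with names such as cipher
     * suites, signature algorithms ("SHA1withRSA") and key exchange names.
     */
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) {
        String name = algorithm.toUpperCase(Locale.ROOT);
        return !(name.contains("MD5")
              || name.contains("SHA1") || name.contains("SHA-1")
              || name.contains("ANON") || name.contains("NULL"));
    }

    /** Key-based check: minimum modulus size for RSA, minimum field size for EC. */
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
        if (key instanceof RSAKey) {
            return ((RSAKey) key).getModulus().bitLength() >= minRsaBits;
        }
        if (key instanceof ECKey) {
            return ((ECKey) key).getParams().getCurve().getField().getFieldSize() >= minEcBits;
        }
        // Other key types are left to the constraints the runtime already applies.
        return true;
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters) {
        return permits(primitives, algorithm, parameters) && permits(primitives, key);
    }

    /** Installs the constraints on a socket; they add to, not replace, the runtime's own. */
    static void apply(SSLSocket socket) {
        SSLParameters p = socket.getSSLParameters();
        p.setAlgorithmConstraints(new MinimumStrengthConstraints(2048, 256));
        socket.setSSLParameters(p);
    }
}
```

Because the constraints are consulted for the peer's certificate keys as well as for the negotiated suite, a handshake with a peer presenting a 1024-bit RSA certificate fails with an SSLHandshakeException rather than silently succeeding; the same object can be set on SSLServerSocket or SSLEngine parameters.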
public final void setServerNames(List<SNIServerName> serverNames)

Sets the desired SNIServerNames of the Server Name Indication (SNI) parameter.

This method is only useful to SSLSockets or SSLEngines operating in client mode.

Note that the serverNames list is cloned to protect against subsequent modification.

Parameters:
serverNames - the list of desired SNIServerNames (or null)

Throws:
NullPointerException - if the serverNames contains a null element
IllegalArgumentException - if the serverNames contains more than one name of the same name type

See Also:
SNIServerName, getServerNames()

public final List<SNIServerName> getServerNames()

Returns a List containing all SNIServerNames of the Server Name Indication (SNI) parameter, or null if none has been set.

This method is only useful to SSLSockets or SSLEngines operating in client mode.

For SSL/TLS/DTLS connections, the underlying SSL/TLS/DTLS provider may specify a default value for a certain server name type. In client mode, it is recommended that, by default, providers should include the server name indication whenever the server can be located by a supported server name type.

It is recommended that providers initialize default Server Name Indications when creating SSLSockets/SSLEngines. In the following examples, the server name could be represented by an instance of SNIHostName which has been initialized with the hostname "www.example.com" and type StandardConstants.SNI_HOST_NAME.

```java
Socket socket = sslSocketFactory.createSocket("www.example.com", 443);
```

or

```java
SSLEngine engine = sslContext.createSSLEngine("www.example.com", 443);
```

Returns:
a List containing all SNIServerNames of the SNI parameter, or null if none has been set

See Also:
List, setServerNames(List)

public final void setSNIMatchers(Collection<SNIMatcher> matchers)

Sets the SNIMatchers of the Server Name Indication (SNI) parameter.

This method is only useful to SSLSockets or SSLEngines operating in server mode.

Note that the matchers collection is cloned to protect against subsequent modification.

Parameters:
matchers - the collection of SNIMatchers (or null)

Throws:
NullPointerException - if the matchers contains a null element
IllegalArgumentException - if the matchers contains more than one name of the same name type

See Also:
Collection, SNIMatcher, getSNIMatchers()

public final Collection<SNIMatcher> getSNIMatchers()

Returns a Collection containing all SNIMatchers of the Server Name Indication (SNI) parameter, or null if none has been set.

This method is only useful to SSLSockets or SSLEngines operating in server mode.

For better interoperability, providers generally will not define default matchers, so that by default servers will ignore the SNI extension and continue the handshake.

Returns:
a Collection containing all SNIMatchers of the SNI parameter, or null if none has been set

See Also:
SNIMatcher, setSNIMatchers(Collection)

public final void setUseCipherSuitesOrder(boolean honorOrder)

Sets whether the local cipher suites preference should be honored.

Parameters:
honorOrder - whether local cipher suites order in getCipherSuites() should be honored during SSL/TLS/DTLS handshaking.

See Also:
getUseCipherSuitesOrder()

public final boolean getUseCipherSuitesOrder()

Returns whether the local cipher suites preference should be honored.

Returns:
whether local cipher suites order in getCipherSuites() should be honored during SSL/TLS/DTLS handshaking

See Also:
setUseCipherSuitesOrder(boolean)
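The server-mode settings described above (setNeedClientAuth()/setWantClientAuth(), setSNIMatchers() and setUseCipherSuitesOrder()) are easiest to see together. The following is an added example, not code from the documentation, that configures an SSLServerSocket to enforce its own cipher suite order, require a client certificate, and answer only for the hostnames it is configured for. The class name, the hostname pattern and the suite list are this example's own; SNIHostName.createSNIMatcher() and SNIMatcher.matches() are real javax.net.ssl APIs.

```java
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIMatcher;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

public class ServerParameters {

    /**
     * Matcher that accepts only the hostnames this server holds certificates
     * for. When a client sends a different SNI hostname the handshake is
     * aborted instead of the server presenting a certificate for a name the
     * client did not ask for. The regular expression must match the whole name.
     */
    static SNIMatcher hostMatcher() {
        return SNIHostName.createSNIMatcher("(www\\.)?example\\.com");
    }

    /** Applies server-side parameters before accept() hands out connections. */
    static void configureServer(SSLServerSocket server) {
        SSLParameters p = server.getSSLParameters();

        // Local preference order is used instead of the client's when
        // setUseCipherSuitesOrder(true) is set; names must be supported by the runtime.
        p.setCipherSuites(new String[] {
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        });
        p.setUseCipherSuitesOrder(true);

        // Mutual TLS: a client that presents no certificate is rejected.
        // setWantClientAuth(true) would only request one and continue without it;
        // note that each of these calls clears the other flag.
        p.setNeedClientAuth(true);

        // Only serve names we hold certificates for.
        p.setSNIMatchers(Collections.singleton(hostMatcher()));

        server.setSSLParameters(p);
    }

    /** Evaluates a client-offered name the way the matcher will during the handshake. */
    static boolean accepts(SNIMatcher matcher, String hostname) {
        SNIServerName offered = new SNIHostName(hostname);
        return matcher.matches(offered);
    }
}
```

With this matcher, accepts(hostMatcher(), "www.example.com") is true while accepts(hostMatcher(), "evil.example.net") is false; a client that omits SNI entirely is still served, because matchers are only consulted when the extension is present.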
public void setEnableRetransmissions(boolean enableRetransmissions)

Sets whether DTLS handshake retransmissions should be enabled.

Parameters:
enableRetransmissions - true indicates that DTLS handshake retransmissions should be enabled; false indicates that DTLS handshake retransmissions should be disabled

See Also:
getEnableRetransmissions()

public boolean getEnableRetransmissions()

Returns whether DTLS handshake retransmissions should be enabled.

See Also:
setEnableRetransmissions(boolean)

public void setMaximumPacketSize(int maximumPacketSize)

Sets the maximum expected network packet size in bytes for SSL/TLS/DTLS records.

Parameters:
maximumPacketSize - the maximum expected network packet size in bytes, or 0 to use the implicit size that is automatically specified by the underlying implementation.

Throws:
IllegalArgumentException - if maximumPacketSize is negative.

See Also:
getMaximumPacketSize()

public int getMaximumPacketSize()

Returns the maximum expected network packet size in bytes for SSL/TLS/DTLS records. The default value is 0 so that applications can retrieve the actual implicit size of the underlying implementation.

An implementation should attempt to comply with the maximum packet size configuration. However, if the maximum packet size is too small to hold a minimal record, an implementation may try to generate as minimal records as possible. This may cause a generated packet to be larger than the maximum packet size.

Returns:
the maximum expected network packet size, or 0 if the implicit size automatically specified by the underlying implementation is used and this object has not been populated by any connection.

See Also:
setMaximumPacketSize(int)

public String[] getApplicationProtocols()

Returns a prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols.

The array could be empty (zero-length), in which case protocol indications will not be used.

This method will return a new array each time it is invoked.

Returns:
an array of application protocol Strings. The array is ordered based on protocol preference, with protocols[0] being the most preferred.

See Also:
setApplicationProtocols(java.lang.String[])

public void setApplicationProtocols(String[] protocols)

Sets the prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols.

If application-layer protocols are supported by the underlying SSL/TLS implementation, this method configures which values can be negotiated by protocols such as RFC 7301, the Application Layer Protocol Negotiation (ALPN).

If this end of the connection is expected to offer application protocol values, all protocols configured by this method will be sent to the peer.

If this end of the connection is expected to select the application protocol value, the protocols configured by this method are compared with those sent by the peer. The first matched value becomes the negotiated value. If none of the protocols were actually requested by the peer, the underlying protocol will determine what action to take. (For example, ALPN will send a "no_application_protocol" alert and terminate the connection.)

This method will make a copy of the protocols array.

Parameters:
protocols - an ordered array of application protocols, with protocols[0] being the most preferred. If the array is empty (zero-length), protocol indications will not be used.

Throws:
IllegalArgumentException - if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string

See Also:
getApplicationProtocols()
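The selection rule above (walk the locally configured list in preference order; the first entry the peer also offered wins; no match means the protocol layer terminates the connection) and the argument checks on setApplicationProtocols() can be exercised without a network. The following is an added example, not part of the documentation: the validation helper mirrors the documented IllegalArgumentException cases, and select() implements the documented selection semantics on constructed peer offers. The class and method names are this example's own, and select() is a model of the rule, not the provider's internal code.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLParameters;

public class AlpnSelection {

    /**
     * Rejects what setApplicationProtocols is documented to reject: a null
     * array, or a null / empty element in a non-empty array. An empty array
     * is legal and disables protocol indications.
     */
    static String[] checkedProtocols(String[] protocols) {
        if (protocols == null) {
            throw new IllegalArgumentException("protocols array is null");
        }
        for (String proto : protocols) {
            if (proto == null || proto.isEmpty()) {
                throw new IllegalArgumentException("protocols contains a null or empty element");
            }
        }
        // The setter copies the array; returning a copy here keeps the caller's array unshared too.
        return protocols.clone();
    }

    /**
     * Selecting-side rule as documented: the local list is walked in preference
     * order and the first protocol the peer also offered is negotiated. Returns
     * null when nothing matches, the case in which ALPN sends a
     * "no_application_protocol" alert and terminates the connection.
     */
    static String select(String[] localPreference, List<String> offeredByPeer) {
        for (String proto : localPreference) {
            if (offeredByPeer.contains(proto)) {
                return proto;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        SSLParameters p = new SSLParameters();
        p.setApplicationProtocols(checkedProtocols(new String[] { "h2", "http/1.1" }));

        // Constructed peer offers, for illustration only.
        List<String> modernPeer = Arrays.asList("http/1.1", "h2");
        List<String> legacyPeer = Arrays.asList("spdy/3");

        // getApplicationProtocols() returns a fresh copy each call, so the
        // parameters object cannot be modified through the returned array.
        String[] local = p.getApplicationProtocols();
        System.out.println("modern peer -> " + select(local, modernPeer));
        System.out.println("legacy peer -> " + select(local, legacyPeer));

        // An empty array is accepted and means "do not use ALPN at all".
        p.setApplicationProtocols(checkedProtocols(new String[0]));
        System.out.println("ALPN disabled: " + (p.getApplicationProtocols().length == 0));
    }
}
```

Because selection follows the local order rather than the peer's, a server configured with { "h2", "http/1.1" } negotiates "h2" with a client that listed "http/1.1" first; a client that offers nothing in common gets no negotiated protocol, which the provider turns into a fatal alert rather than a silent downgrade.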
Copyright © 1993, 2016, Oracle and/or its affiliates. All rights reserved.
DRAFT 9-internal+0-2016-01-26-133437.ivan.openjdk9onspinwait