SSLParameters
public
class
SSLParameters
extends Object
java.lang.Object | |
↳ | javax.net.ssl.SSLParameters |
Encapsulates parameters for an SSL/TLS connection. The parameters are the list of ciphersuites to be accepted in an SSL/TLS handshake, the list of protocols to be allowed, the endpoint identification algorithm during SSL/TLS handshaking, the Server Name Indication (SNI), the algorithm constraints and whether SSL/TLS servers should request or require client authentication, etc.
SSLParameters can be created via the constructors in this class.
Objects can also be obtained using the getSSLParameters()
methods in
SSLSocket
and
SSLServerSocket
and
SSLEngine
or the
getDefaultSSLParameters()
and
getSupportedSSLParameters()
methods in SSLContext
.
SSLParameters can be applied to a connection via the methods
SSLSocket.setSSLParameters()
and
SSLServerSocket.setSSLParameters()
and SSLEngine.setSSLParameters()
.
See also:
Summary
Public constructors | |
---|---|
SSLParameters()
Constructs SSLParameters. |
|
SSLParameters(String[] cipherSuites)
Constructs SSLParameters from the specified array of ciphersuites. |
|
SSLParameters(String[] cipherSuites, String[] protocols)
Constructs SSLParameters from the specified array of ciphersuites and protocols. |
Public methods | |
---|---|
AlgorithmConstraints
|
getAlgorithmConstraints()
Returns the cryptographic algorithm constraints. |
String[]
|
getApplicationProtocols()
Returns a prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS protocols. |
String[]
|
getCipherSuites()
Returns a copy of the array of ciphersuites or null if none have been set. |
String
|
getEndpointIdentificationAlgorithm()
Gets the endpoint identification algorithm. |
boolean
|
getNeedClientAuth()
Returns whether client authentication should be required. |
String[]
|
getProtocols()
Returns a copy of the array of protocols or null if none have been set. |
final
Collection<SNIMatcher>
|
getSNIMatchers()
Returns a |
final
List<SNIServerName>
|
getServerNames()
Returns a |
final
boolean
|
getUseCipherSuitesOrder()
Returns whether the local cipher suites preference should be honored. |
boolean
|
getWantClientAuth()
Returns whether client authentication should be requested. |
void
|
setAlgorithmConstraints(AlgorithmConstraints constraints)
Sets the cryptographic algorithm constraints, which will be used in addition to any configured by the runtime environment. |
void
|
setApplicationProtocols(String[] protocols)
Sets the prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS protocols. |
void
|
setCipherSuites(String[] cipherSuites)
Sets the array of ciphersuites. |
void
|
setEndpointIdentificationAlgorithm(String algorithm)
Sets the endpoint identification algorithm. |
void
|
setNeedClientAuth(boolean needClientAuth)
Sets whether client authentication should be required. |
void
|
setProtocols(String[] protocols)
Sets the array of protocols. |
final
void
|
setSNIMatchers(Collection<SNIMatcher> matchers)
Sets the |
final
void
|
setServerNames(List<SNIServerName> serverNames)
Sets the desired |
final
void
|
setUseCipherSuitesOrder(boolean honorOrder)
Sets whether the local cipher suites preference should be honored. |
void
|
setWantClientAuth(boolean wantClientAuth)
Sets whether client authentication should be requested. |
Inherited methods | |
---|---|
Public constructors
SSLParameters
public SSLParameters ()
Constructs SSLParameters.
The values of cipherSuites, protocols, cryptographic algorithm
constraints, endpoint identification algorithm, server names and
server name matchers are set to null
, useCipherSuitesOrder,
wantClientAuth and needClientAuth are set to false
.
SSLParameters
public SSLParameters (String[] cipherSuites)
Constructs SSLParameters from the specified array of ciphersuites.
Calling this constructor is equivalent to calling the no-args
constructor followed by
setCipherSuites(cipherSuites);
.
Parameters | |
---|---|
cipherSuites |
String : the array of ciphersuites (or null) |
SSLParameters
public SSLParameters (String[] cipherSuites, String[] protocols)
Constructs SSLParameters from the specified array of ciphersuites and protocols.
Calling this constructor is equivalent to calling the no-args
constructor followed by
setCipherSuites(cipherSuites); setProtocols(protocols);
.
Parameters | |
---|---|
cipherSuites |
String : the array of ciphersuites (or null) |
protocols |
String : the array of protocols (or null) |
Public methods
getAlgorithmConstraints
public AlgorithmConstraints getAlgorithmConstraints ()
Returns the cryptographic algorithm constraints.
Returns | |
---|---|
AlgorithmConstraints |
the cryptographic algorithm constraints, or null if the constraints have not been set |
getApplicationProtocols
public String[] getApplicationProtocols ()
Returns a prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS protocols.
The array could be empty (zero-length), in which case protocol indications will not be used.
This method will return a new array each time it is invoked.
Returns | |
---|---|
String[] |
a non-null, possibly zero-length array of application protocol
String s. The array is ordered based on protocol
preference, with protocols[0] being the most preferred. |
See also:
getCipherSuites
public String[] getCipherSuites ()
Returns a copy of the array of ciphersuites or null if none have been set.
Returns | |
---|---|
String[] |
a copy of the array of ciphersuites or null if none have been set. |
getEndpointIdentificationAlgorithm
public String getEndpointIdentificationAlgorithm ()
Gets the endpoint identification algorithm.
Returns | |
---|---|
String |
the endpoint identification algorithm, or null if none has been set. |
getNeedClientAuth
public boolean getNeedClientAuth ()
Returns whether client authentication should be required.
Returns | |
---|---|
boolean |
whether client authentication should be required. |
getProtocols
public String[] getProtocols ()
Returns a copy of the array of protocols or null if none have been set.
Returns | |
---|---|
String[] |
a copy of the array of protocols or null if none have been set. |
getSNIMatchers
public final Collection<SNIMatcher> getSNIMatchers ()
Returns a Collection
containing all SNIMatcher
s of the
Server Name Indication (SNI) parameter, or null if none has been set.
This method is only useful to SSLSocket
s or SSLEngine
s
operating in server mode.
For better interoperability, providers generally will not define default matchers so that by default servers will ignore the SNI extension and continue the handshake.
Returns | |
---|---|
Collection<SNIMatcher> |
null or an immutable collection of non-null SNIMatcher s |
See also:
getServerNames
public final List<SNIServerName> getServerNames ()
Returns a List
containing all SNIServerName
s of the
Server Name Indication (SNI) parameter, or null if none has been set.
This method is only useful to SSLSocket
s or SSLEngine
s
operating in client mode.
For SSL/TLS connections, the underlying SSL/TLS provider may specify a default value for a certain server name type. In client mode, it is recommended that, by default, providers should include the server name indication whenever the server can be located by a supported server name type.
It is recommended that providers initialize default Server Name
Indications when creating SSLSocket
/SSLEngine
s.
In the following examples, the server name could be represented by an
instance of SNIHostName
which has been initialized with the
hostname "www.example.com" and type
StandardConstants#SNI_HOST_NAME
.
Socket socket = sslSocketFactory.createSocket("www.example.com", 443);or
SSLEngine engine = sslContext.createSSLEngine("www.example.com", 443);
Returns | |
---|---|
List<SNIServerName> |
null or an immutable list of non-null SNIServerName s |
See also:
getUseCipherSuitesOrder
public final boolean getUseCipherSuitesOrder ()
Returns whether the local cipher suites preference should be honored.
Returns | |
---|---|
boolean |
whether local cipher suites order in #getCipherSuites
should be honored during SSL/TLS handshaking. |
See also:
getWantClientAuth
public boolean getWantClientAuth ()
Returns whether client authentication should be requested.
Returns | |
---|---|
boolean |
whether client authentication should be requested. |
setAlgorithmConstraints
public void setAlgorithmConstraints (AlgorithmConstraints constraints)
Sets the cryptographic algorithm constraints, which will be used in addition to any configured by the runtime environment.
If the constraints
parameter is non-null, every
cryptographic algorithm, key and algorithm parameters used in the
SSL/TLS handshake must be permitted by the constraints.
Parameters | |
---|---|
constraints |
AlgorithmConstraints : the algorithm constraints (or null) |
setApplicationProtocols
public void setApplicationProtocols (String[] protocols)
Sets the prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS protocols.
If application-layer protocols are supported by the underlying SSL/TLS implementation, this method configures which values can be negotiated by protocols such as RFC 7301 , the Application Layer Protocol Negotiation (ALPN).
If this end of the connection is expected to offer application protocol values, all protocols configured by this method will be sent to the peer.
If this end of the connection is expected to select the application
protocol value, the protocols
configured by this method are
compared with those sent by the peer. The first matched value becomes
the negotiated value. If none of the protocols
were actually
requested by the peer, the underlying protocol will determine what
action to take. (For example, ALPN will send a
"no_application_protocol"
alert and terminate the connection.)
Implementation Requirements:
- This method will make a copy of the
protocols
array.
Parameters | |
---|---|
protocols |
String : an ordered array of application protocols,
with protocols[0] being the most preferred.
If the array is empty (zero-length), protocol
indications will not be used. |
Throws | |
---|---|
IllegalArgumentException |
if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string |
See also:
setCipherSuites
public void setCipherSuites (String[] cipherSuites)
Sets the array of ciphersuites.
Parameters | |
---|---|
cipherSuites |
String : the array of ciphersuites (or null) |
setEndpointIdentificationAlgorithm
public void setEndpointIdentificationAlgorithm (String algorithm)
Sets the endpoint identification algorithm.
If the algorithm
parameter is non-null or non-empty, the
endpoint identification/verification procedures must be handled during
SSL/TLS handshaking. This is to prevent on-path attacks.
Parameters | |
---|---|
algorithm |
String : The standard string name of the endpoint
identification algorithm (or null). See Appendix A in the
Java Cryptography Architecture API Specification & Reference
for information about standard algorithm names. |
See also:
setNeedClientAuth
public void setNeedClientAuth (boolean needClientAuth)
Sets whether client authentication should be required. Calling
this method clears the wantClientAuth
flag.
Parameters | |
---|---|
needClientAuth |
boolean : whether client authentication should be required |
setProtocols
public void setProtocols (String[] protocols)
Sets the array of protocols.
Parameters | |
---|---|
protocols |
String : the array of protocols (or null) |
setSNIMatchers
public final void setSNIMatchers (Collection<SNIMatcher> matchers)
Sets the SNIMatcher
s of the Server Name Indication (SNI)
parameter.
This method is only useful to SSLSocket
s or SSLEngine
s
operating in server mode.
Note that the matchers
collection is cloned to protect
against subsequent modification.
Parameters | |
---|---|
matchers |
Collection : the collection of SNIMatcher s (or null) |
Throws | |
---|---|
NullPointerException |
if the matchers
contains null element |
IllegalArgumentException |
if the matchers
contains more than one name of the same name type |
See also:
setServerNames
public final void setServerNames (List<SNIServerName> serverNames)
Sets the desired SNIServerName
s of the Server Name
Indication (SNI) parameter.
This method is only useful to SSLSocket
s or SSLEngine
s
operating in client mode.
Note that the serverNames
list is cloned
to protect against subsequent modification.
Parameters | |
---|---|
serverNames |
List : the list of desired SNIServerName s (or null) |
Throws | |
---|---|
NullPointerException |
if the serverNames
contains null element |
IllegalArgumentException |
if the serverNames
contains more than one name of the same name type |
See also:
setUseCipherSuitesOrder
public final void setUseCipherSuitesOrder (boolean honorOrder)
Sets whether the local cipher suites preference should be honored.
Parameters | |
---|---|
honorOrder |
boolean : whether local cipher suites order in
#getCipherSuites should be honored during
SSL/TLS handshaking. |
See also:
setWantClientAuth
public void setWantClientAuth (boolean wantClientAuth)
Sets whether client authentication should be requested. Calling
this method clears the needClientAuth
flag.
Parameters | |
---|---|
wantClientAuth |
boolean : whether client authentication should be requested |