public class SSLParameters extends Object
SSLParameter
objects can be created via the constructors in this class, and can be described as pre-populated objects. SSLParameter
objects can also be obtained using the getSSLParameters()
methods in SSLSocket
and SSLServerSocket
and SSLEngine
or the getDefaultSSLParameters()
and getSupportedSSLParameters()
methods in SSLContext
, and can be described as connection populated objects.
SSLParameters can be applied to a connection via the methods SSLSocket.setSSLParameters()
and SSLServerSocket.setSSLParameters()
and SSLEngine.setSSLParameters()
.
For example:
SSLParameters p = sslSocket.getSSLParameters(); p.setProtocols(new String[] { "TLSv1.2" }); p.setCipherSuites( new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", ... }); p.setApplicationProtocols(new String[] {"h2", "http/1.1"}); sslSocket.setSSLParameters(p);
Constructor | Description |
---|---|
SSLParameters() |
Constructs SSLParameters. |
SSLParameters |
Constructs SSLParameters from the specified array of ciphersuites. |
SSLParameters |
Constructs SSLParameters from the specified array of ciphersuites and protocols. |
Modifier and Type | Method | Description |
---|---|---|
AlgorithmConstraints |
getAlgorithmConstraints() |
Returns the cryptographic algorithm constraints. |
String[] |
getApplicationProtocols() |
Returns a prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols. |
String[] |
getCipherSuites() |
Returns a copy of the array of ciphersuites or null if none have been set. |
boolean |
getEnableRetransmissions() |
Returns whether DTLS handshake retransmissions should be enabled. |
String |
getEndpointIdentificationAlgorithm() |
Gets the endpoint identification algorithm. |
int |
getMaximumPacketSize() |
Returns the maximum expected network packet size in bytes for SSL/TLS/DTLS records. |
String[] |
getNamedGroups() |
Returns a prioritized array of key exchange named groups names that can be used over the SSL/TLS/DTLS protocols. |
boolean |
getNeedClientAuth() |
Returns whether client authentication should be required. |
String[] |
getProtocols() |
Returns a copy of the array of protocols or null if none have been set. |
final List |
getServerNames() |
Returns a List containing all SNIServerName s of the Server Name Indication (SNI) parameter, or null if none has been set. |
String[] |
getSignatureSchemes() |
Returns a prioritized array of signature scheme names that can be used over the SSL/TLS/DTLS protocols. |
final Collection |
getSNIMatchers() |
Returns a Collection containing all SNIMatcher s of the Server Name Indication (SNI) parameter, or null if none has been set. |
final boolean |
getUseCipherSuitesOrder() |
Returns whether the local cipher suites preference should be honored. |
boolean |
getWantClientAuth() |
Returns whether client authentication should be requested. |
void |
setAlgorithmConstraints |
Sets the cryptographic algorithm constraints, which will be used in addition to any configured by the runtime environment. |
void |
setApplicationProtocols |
Sets the prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols. |
void |
setCipherSuites |
Sets the array of ciphersuites. |
void |
setEnableRetransmissions |
Sets whether DTLS handshake retransmissions should be enabled. |
void |
setEndpointIdentificationAlgorithm |
Sets the endpoint identification algorithm. |
void |
setMaximumPacketSize |
Sets the maximum expected network packet size in bytes for SSL/TLS/DTLS records. |
void |
setNamedGroups |
Sets the prioritized array of key exchange named groups names that can be used over the SSL/TLS/DTLS protocols. |
void |
setNeedClientAuth |
Sets whether client authentication should be required. |
void |
setProtocols |
Sets the array of protocols. |
final void |
setServerNames |
Sets the desired SNIServerName s of the Server Name Indication (SNI) parameter. |
void |
setSignatureSchemes |
Sets the prioritized array of signature scheme names that can be used over the SSL/TLS/DTLS protocols. |
final void |
setSNIMatchers |
Sets the SNIMatcher s of the Server Name Indication (SNI) parameter. |
final void |
setUseCipherSuitesOrder |
Sets whether the local cipher suites preference should be honored. |
void |
setWantClientAuth |
Sets whether client authentication should be requested. |
public SSLParameters()
The values of cipherSuites, protocols, cryptographic algorithm constraints, endpoint identification algorithm, signature schemes, server names and server name matchers are set to null
; useCipherSuitesOrder, wantClientAuth and needClientAuth are set to false
; enableRetransmissions is set to true
; maximum network packet size is set to 0
.
public SSLParameters(String[] cipherSuites)
Calling this constructor is equivalent to calling the no-args constructor followed by setCipherSuites(cipherSuites);
. Note that the standard list of cipher suite names may be found in the JSSE Cipher Suite Names section of the Java Security Standard Algorithm Names Specification. Providers may support cipher suite names not found in this list.
cipherSuites
- the array of ciphersuites (or null)public SSLParameters(String[] cipherSuites, String[] protocols)
Calling this constructor is equivalent to calling the no-args constructor followed by setCipherSuites(cipherSuites); setProtocols(protocols);
. Note that the standard list of cipher suite names may be found in the JSSE Cipher Suite Names section of the Java Security Standard Algorithm Names Specification. Providers may support cipher suite names not found in this list.
cipherSuites
- the array of ciphersuites (or null)protocols
- the array of protocols (or null)public String[] getCipherSuites()
The returned array includes cipher suites from the list of standard cipher suite names in the JSSE Cipher Suite Names section of the Java Security Standard Algorithm Names Specification, and may also include other cipher suites that the provider supports.
public void setCipherSuites(String[] cipherSuites)
cipherSuites
- the array of ciphersuites (or null). Note that the standard list of cipher suite names may be found in the JSSE Cipher Suite Names section of the Java Security Standard Algorithm Names Specification. Providers may support cipher suite names not found in this list or might not use the recommended name for a certain cipher suite.public String[] getProtocols()
public void setProtocols(String[] protocols)
protocols
- the array of protocols (or null)public boolean getWantClientAuth()
public void setWantClientAuth(boolean wantClientAuth)
needClientAuth
flag.wantClientAuth
- whether client authentication should be requestedpublic boolean getNeedClientAuth()
public void setNeedClientAuth(boolean needClientAuth)
wantClientAuth
flag.needClientAuth
- whether client authentication should be requiredpublic AlgorithmConstraints getAlgorithmConstraints()
public void setAlgorithmConstraints(AlgorithmConstraints constraints)
If the constraints
parameter is non-null, every cryptographic algorithm, key and algorithm parameters used in the SSL/TLS/DTLS handshake must be permitted by the constraints.
constraints
- the algorithm constraints (or null)public String getEndpointIdentificationAlgorithm()
public void setEndpointIdentificationAlgorithm(String algorithm)
If the algorithm
parameter is non-null or non-empty, the endpoint identification/verification procedures must be handled during SSL/TLS/DTLS handshaking. This is to prevent man-in-the-middle attacks.
algorithm
- The standard string name of the endpoint identification algorithm (or null). See the Java Security Standard Algorithm Names document for information about standard algorithm names.public final void setServerNames(List<SNIServerName> serverNames)
SNIServerName
s of the Server Name Indication (SNI) parameter. This method is only useful to SSLSocket
s or SSLEngine
s operating in client mode.
Note that the serverNames
list is cloned to protect against subsequent modification.
serverNames
- the list of desired SNIServerName
s (or null)NullPointerException
- if the serverNames
contains null
elementIllegalArgumentException
- if the serverNames
contains more than one name of the same name typepublic final List<SNIServerName> getServerNames()
List
containing all SNIServerName
s of the Server Name Indication (SNI) parameter, or null if none has been set. This method is only useful to SSLSocket
s or SSLEngine
s operating in client mode.
For SSL/TLS/DTLS connections, the underlying SSL/TLS/DTLS provider may specify a default value for a certain server name type. In client mode, it is recommended that, by default, providers should include the server name indication whenever the server can be located by a supported server name type.
It is recommended that providers initialize default Server Name Indications when creating SSLSocket
/SSLEngine
s. In the following examples, the server name may be represented by an instance of SNIHostName
which has been initialized with the hostname "www.example.com" and type StandardConstants.SNI_HOST_NAME
.
Socket socket = sslSocketFactory.createSocket("www.example.com", 443);or
SSLEngine engine = sslContext.createSSLEngine("www.example.com", 443);
SNIServerName
spublic final void setSNIMatchers(Collection<SNIMatcher> matchers)
SNIMatcher
s of the Server Name Indication (SNI) parameter. This method is only useful to SSLSocket
s or SSLEngine
s operating in server mode.
Note that the matchers
collection is cloned to protect against subsequent modification.
matchers
- the collection of SNIMatcher
s (or null)NullPointerException
- if the matchers
contains null
elementIllegalArgumentException
- if the matchers
contains more than one name of the same name typepublic final Collection<SNIMatcher> getSNIMatchers()
Collection
containing all SNIMatcher
s of the Server Name Indication (SNI) parameter, or null if none has been set. This method is only useful to SSLSocket
s or SSLEngine
s operating in server mode.
For better interoperability, providers generally will not define default matchers so that by default servers will ignore the SNI extension and continue the handshake.
SNIMatcher
spublic final void setUseCipherSuitesOrder(boolean honorOrder)
honorOrder
- whether local cipher suites order in #getCipherSuites
should be honored during SSL/TLS/DTLS handshaking.public final boolean getUseCipherSuitesOrder()
#getCipherSuites
should be honored during SSL/TLS/DTLS handshaking.public void setEnableRetransmissions(boolean enableRetransmissions)
enableRetransmissions
- true
indicates that DTLS handshake retransmissions should be enabled; false
indicates that DTLS handshake retransmissions should be disabledpublic boolean getEnableRetransmissions()
public void setMaximumPacketSize(int maximumPacketSize)
maximumPacketSize
- the maximum expected network packet size in bytes, or 0
to use the implicit size that is automatically specified by the underlying implementation.IllegalArgumentException
- if maximumPacketSize
is negative.public int getMaximumPacketSize()
0
so that applications can retrieve the actual implicit size of the underlying implementation. An implementation should attempt to comply with the maximum packet size configuration. However, if the maximum packet size is too small to hold a minimal record, an implementation may try to generate as minimal records as possible. This may cause a generated packet to be larger than the maximum packet size.
0
if use the implicit size that is automatically specified by the underlying implementation and this object has not been populated by any connection.public String[] getApplicationProtocols()
The array could be empty (zero-length), in which case protocol indications will not be used.
This method will return a new array each time it is invoked.
String
s. The array is ordered based on protocol preference, with the first entry being the most preferred.public void setApplicationProtocols(String[] protocols)
If application-layer protocols are supported by the underlying SSL/TLS implementation, this method configures which values can be negotiated by protocols such as RFC 7301 , the Application Layer Protocol Negotiation (ALPN).
If this end of the connection is expected to offer application protocol values, all protocols configured by this method will be sent to the peer.
If this end of the connection is expected to select the application protocol value, the protocols
configured by this method are compared with those sent by the peer. The first matched value becomes the negotiated value. If none of the protocols
were actually requested by the peer, the underlying protocol will determine what action to take. (For example, ALPN will send a "no_application_protocol"
alert and terminate the connection.)
The String
values must be presented using the network byte representation expected by the peer. For example, if an ALPN String
should be exchanged using UTF-8
, the String
should be converted to its byte[]
representation and stored as a byte-oriented String
before calling this method.
// MEETEI MAYEK LETTERS HUK UN I (Unicode 0xabcd->0xabcf): 2 bytes byte[] bytes = "\uabcd\uabce\uabcf" .getBytes(StandardCharsets.UTF_8); String HUK_UN_I = new String(bytes, StandardCharsets.ISO_8859_1); // 0x00-0xFF: 1 byte String rfc7301Grease8A = "\u008A\u008A"; SSLParameters p = sslSocket.getSSLParameters(); p.setApplicationProtocols(new String[] { "h2", "http/1.1", rfc7301Grease8A, HUK_UN_I}); sslSocket.setSSLParameters(p);
protocols
array.protocols
- an ordered array of application protocols, with protocols[0]
being the most preferred. If the array is empty (zero-length), protocol indications will not be used.IllegalArgumentException
- if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) stringpublic String[] getSignatureSchemes()
Note that the standard list of signature scheme names are defined in the Signature Schemes section of the Java Security Standard Algorithm Names Specification. Providers may support signature schemes not defined in this list or may not use the recommended name for a certain signature scheme.
The set of signature schemes that will be used over the SSL/TLS/DTLS connections is determined by the returned array of this method and the underlying provider-specific default signature schemes.
If the returned array is null
, then the underlying provider-specific default signature schemes will be used over the SSL/TLS/DTLS connections.
If the returned array is empty (zero-length), then the signature scheme negotiation mechanism is turned off for SSL/TLS/DTLS protocols, and the connections may not be able to be established if the negotiation mechanism is required by a certain SSL/TLS/DTLS protocol. This parameter will override the underlying provider-specific default signature schemes.
If the returned array is not null
or empty (zero-length), then the signature schemes in the returned array will be used over the SSL/TLS/DTLS connections. This parameter will override the underlying provider-specific default signature schemes.
This method returns the most recent value passed to setSignatureSchemes(java.lang.String[])
if that method has been called and otherwise returns the default signature schemes for connection populated objects, or null
for pre-populated objects.
null
instead of the default signature schemes for connection populated objects.jdk.tls.client.SignatureSchemes
and/or jdk.tls.server.SignatureSchemes
system properties with the SunJSSE provider to override the provider-specific default signature schemes.Strings
or null
if none have been set. For non-null returns, this method will return a new array each time it is invoked. The array is ordered based on signature scheme preference, with the first entry being the most preferred. Providers should ignore unknown signature scheme names while establishing the SSL/TLS/DTLS connections.public void setSignatureSchemes(String[] signatureSchemes)
Note that the standard list of signature scheme names are defined in the Signature Schemes section of the Java Security Standard Algorithm Names Specification. Providers may support signature schemes not defined in this list or may not use the recommended name for a certain signature scheme.
The set of signature schemes that will be used over the SSL/TLS/DTLS connections is determined by the input parameter signatureSchemes
array and the underlying provider-specific default signature schemes. See getSignatureSchemes()
for specific details on how the parameters are used in SSL/TLS/DTLS connections.
signatureSchemes
- an ordered array of signature scheme names with the first entry being the most preferred, or null
. This method will make a copy of this array. Providers should ignore unknown signature scheme names while establishing the SSL/TLS/DTLS connections.IllegalArgumentException
- if any element in the signatureSchemes
array is null
or blank.public String[] getNamedGroups()
Note that the standard list of key exchange named groups are defined in the Named Groups section of the Java Security Standard Algorithm Names Specification. Providers may support named groups not defined in this list or may not use the recommended name for a certain named group.
The set of named groups that will be used over the SSL/TLS/DTLS connections is determined by the returned array of this method and the underlying provider-specific default named groups.
If the returned array is null
, then the underlying provider-specific default named groups will be used over the SSL/TLS/DTLS connections.
If the returned array is empty (zero-length), then the named group negotiation mechanism is turned off for SSL/TLS/DTLS protocols, and the connections may not be able to be established if the negotiation mechanism is required by a certain SSL/TLS/DTLS protocol. This parameter will override the underlying provider-specific default name groups.
If the returned array is not null
or empty (zero-length), then the named groups in the returned array will be used over the SSL/TLS/DTLS connections. This parameter will override the underlying provider-specific default named groups.
This method returns the most recent value passed to setNamedGroups(java.lang.String[])
if that method has been called and otherwise returns the default named groups for connection populated objects, or null
for pre-populated objects.
null
instead of the default named groups for connection populated objects.jdk.tls.namedGroups
system property with the SunJSSE provider to override the provider-specific default named groups.Strings
or null
if none have been set. For non-null returns, this method will return a new array each time it is invoked. The array is ordered based on named group preference, with the first entry being the most preferred. Providers should ignore unknown named group names while establishing the SSL/TLS/DTLS connections.public void setNamedGroups(String[] namedGroups)
Note that the standard list of key exchange named groups are defined in the Named Groups section of the Java Security Standard Algorithm Names Specification. Providers may support named groups not defined in this list or may not use the recommended name for a certain named group.
The set of named groups that will be used over the SSL/TLS/DTLS connections is determined by the input parameter namedGroups
array and the underlying provider-specific default named groups. See getNamedGroups()
for specific details on how the parameters are used in SSL/TLS/DTLS connections.
namedGroups
- an ordered array of key exchange named group names with the first entry being the most preferred, or null
. This method will make a copy of this array. Providers should ignore unknown named group scheme names while establishing the SSL/TLS/DTLS connections.IllegalArgumentException
- if any element in the namedGroups
array is a duplicate, null
or blank.
© 1993, 2023, Oracle and/or its affiliates. All rights reserved.
Documentation extracted from Debian's OpenJDK Development Kit package.
Licensed under the GNU General Public License, version 2, with the Classpath Exception.
Various third party code in OpenJDK is licensed under different licenses (see Debian package).
Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/net/ssl/SSLParameters.html