public
abstract
class
SSLEngine
extends Object
java.lang.Object | |
↳ | javax.net.ssl.SSLEngine |
A class which enables secure communications using protocols such as the Secure Sockets Layer (SSL) or IETF RFC 2246 "Transport Layer Security" (TLS) protocols, but is transport independent.
The secure communications modes include:
The cipher suite used is established by a negotiation process called
"handshaking". The goal of this process is to create or rejoin a
"session", which may protect many connections over time. After
handshaking has completed, you can access session attributes by
using the getSession()
method.
The SSLSocket
class provides much of the same security
functionality, but all of the inbound and outbound data is
automatically transported using the underlying Socket
, which by design uses a blocking model.
While this is appropriate for many applications, this model does not
provide the scalability required by large servers.
The primary distinction of an SSLEngine
is that it
operates on inbound and outbound byte streams, independent of the
transport mechanism. It is the responsibility of the
SSLEngine
user to arrange for reliable I/O transport to
the peer. By separating the SSL/TLS abstraction from the I/O
transport mechanism, the SSLEngine
can be used for a
wide variety of I/O types, such as non-blocking I/O (polling)
, selectable non-blocking I/O
, Socket
and the
traditional Input/OutputStreams, local ByteBuffers
or byte arrays, future asynchronous
I/O models , and so on.
At a high level, the SSLEngine
appears thus:
app data | ^ | | | v | | +----+-----|-----+----+ | | | | SSL|Engine | wrap() | | | unwrap() | OUTBOUND | INBOUND | | | | +----+-----|-----+----+ | | ^ | | | v | net dataApplication data (also known as plaintext or cleartext) is data which is produced or consumed by an application. Its counterpart is network data, which consists of either handshaking and/or ciphertext (encrypted) data, and destined to be transported via an I/O mechanism. Inbound data is data which has been received from the peer, and outbound data is destined for the peer.
(In the context of an SSLEngine
, the term "handshake
data" is taken to mean any data exchanged to establish and control a
secure connection. Handshake data includes the SSL/TLS messages
"alert", "change_cipher_spec," and "handshake.")
There are five distinct phases to an SSLEngine
.
SSLEngine
has been created and
initialized, but has not yet been used. During this phase, an
application may set any SSLEngine
-specific settings
(enabled cipher suites, whether the SSLEngine
should
handshake in client or server mode, and so on). Once
handshaking has begun, though, any new settings (except
client/server mode, see below) will be used for
the next handshake.
SSLEngine
. Outbound
application messages are encrypted and integrity protected,
and inbound messages reverse the process.
SSLEngine
configuration settings will not be used until the next
handshake.
SSLEngine
and should
send/receive any remaining messages to the peer before
closing the underlying transport mechanism. Once an engine is
closed, it is not reusable: a new SSLEngine
must
be created.
SSLEngine
is created by calling createSSLEngine()
from an initialized
SSLContext
. Any configuration
parameters should be set before making the first call to
wrap()
, unwrap()
, or
beginHandshake()
. These methods all trigger the
initial handshake.
Data moves through the engine by calling wrap()
or unwrap()
on outbound or inbound data, respectively. Depending on
the state of the SSLEngine
, a wrap()
call
may consume application data from the source buffer and may produce
network data in the destination buffer. The outbound data
may contain application and/or handshake data. A call to
unwrap()
will examine the source buffer and may
advance the handshake if the data is handshaking information, or
may place application data in the destination buffer if the data
is application. The state of the underlying SSL/TLS algorithm
will determine when data is consumed and produced.
Calls to wrap()
and unwrap()
return an
SSLEngineResult
which indicates the status of the
operation, and (optionally) how to interact with the engine to make
progress.
The SSLEngine
produces/consumes complete SSL/TLS
packets only, and does not store application data internally between
calls to wrap()/unwrap()
. Thus input and output
ByteBuffer
s must be sized appropriately to hold the
maximum record that can be produced. Calls to getPacketBufferSize()
and getApplicationBufferSize()
should be used to determine
the appropriate buffer sizes. The size of the outbound application
data buffer generally does not matter. If buffer conditions do not
allow for the proper consumption/production of data, the application
must determine (via SSLEngineResult
) and correct the
problem, and then try the call again.
For example, unwrap()
will return a BUFFER_OVERFLOW
result if the engine
determines that there is not enough destination buffer space available.
Applications should call getApplicationBufferSize()
and compare that value with the space available in the destination buffer,
enlarging the buffer if necessary. Similarly, if unwrap()
were to return a BUFFER_UNDERFLOW
, the
application should call getPacketBufferSize()
to ensure
that the source buffer has enough room to hold a record (enlarging if
necessary), and then obtain more inbound data.
SSLEngineResult r = engine.unwrap(src, dst); switch (r.getStatus()) { BUFFER_OVERFLOW: // Could attempt to drain the dst buffer of any already obtained // data, but we'll just increase it to the size needed. int appSize = engine.getSession().getApplicationBufferSize(); ByteBuffer b = ByteBuffer.allocate(appSize + dst.position()); dst.flip(); b.put(dst); dst = b; // retry the operation. break; BUFFER_UNDERFLOW: int netSize = engine.getSession().getPacketBufferSize(); // Resize buffer if needed. if (netSize > dst.capacity()) { ByteBuffer b = ByteBuffer.allocate(netSize); src.flip(); b.put(src); src = b; } // Obtain more inbound network data for src, // then retry the operation. break; // other cases: CLOSED, OK. }
Unlike SSLSocket
, all methods of SSLEngine are
non-blocking. SSLEngine
implementations may
require the results of tasks that may take an extended period of
time to complete, or may even block. For example, a TrustManager
may need to connect to a remote certificate validation service,
or a KeyManager might need to prompt a user to determine which
certificate to use as part of client authentication. Additionally,
creating cryptographic signatures and verifying them can be slow,
seemingly blocking.
For any operation which may potentially block, the
SSLEngine
will create a Runnable
delegated task. When SSLEngineResult
indicates that a
delegated task result is needed, the application must call getDelegatedTask()
to obtain an outstanding delegated task and
call its run()
method (possibly using
a different thread depending on the compute strategy). The
application should continue obtaining delegated tasks until no more
exist, and try the original operation again.
At the end of a communication session, applications should properly
close the SSL/TLS link. The SSL/TLS protocols have closure handshake
messages, and these messages should be communicated to the peer
before releasing the SSLEngine
and closing the
underlying transport mechanism. A close can be initiated by one of:
an SSLException, an inbound closure handshake message, or one of the
close methods. In all cases, closure handshake messages are
generated by the engine, and wrap()
should be repeatedly
called until the resulting SSLEngineResult
's status
returns "CLOSED", or isOutboundDone()
returns true. All
data obtained from the wrap()
method should be sent to the
peer.
closeOutbound()
is used to signal the engine that the
application will not be sending any more data.
A peer will signal its intent to close by sending its own closure
handshake message. After this message has been received and
processed by the local SSLEngine
's unwrap()
call, the application can detect the close by calling
unwrap()
and looking for a SSLEngineResult
with status "CLOSED", or if isInboundDone()
returns true.
If for some reason the peer closes the communication link without
sending the proper SSL/TLS closure message, the application can
detect the end-of-stream and can signal the engine via closeInbound()
that there will no more inbound messages to
process. Some applications might choose to require orderly shutdown
messages from a peer, in which case they can check that the closure
was generated by a handshake message and not by an end-of-stream
condition.
There are two groups of cipher suites which you will need to know about when managing cipher suites:
getSupportedCipherSuites()
.
setEnabledCipherSuites(String[])
method, and
queried using the getEnabledCipherSuites()
method.
Initially, a default set of cipher suites will be enabled on a
new engine that represents the minimum suggested
configuration.
Each SSL/TLS connection must have one client and one server, thus
each endpoint must decide which role to assume. This choice determines
who begins the handshaking process as well as which type of messages
should be sent by each party. The method setUseClientMode(boolean)
configures the mode. Once the initial
handshaking has started, an SSLEngine
can not switch
between client and server modes, even when performing renegotiations.
Applications might choose to process delegated tasks in different
threads. When an SSLEngine
is created, the current AccessControlContext
is saved. All future delegated tasks will be processed using this
context: that is, all access control decisions will be made using the
context captured at engine creation.
wrap()
and unwrap()
methods
may execute concurrently of each other.
For example:
synchronized (outboundLock) { sslEngine.wrap(src, dst); outboundQueue.put(dst); }As a corollary, two threads must not attempt to call the same method (either
wrap()
or unwrap()
) concurrently,
because there is no way to guarantee the eventual packet ordering.
SSLEngine
instances obtained from default SSLContext
are configured as
follows:
Protocol | Supported (API Levels) | Enabled by default (API Levels) |
---|---|---|
SSLv3 | 1+ | 1–22 |
TLSv1 | 1+ | 1+ |
TLSv1.1 | 20+ | 20+ |
TLSv1.2 | 20+ | 20+ |
Cipher suite | Supported (API Levels) | Enabled by default (API Levels) |
---|---|---|
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 9–22 | 9–19 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 9–22 | 9–19 |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 9–22 | 9–19 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 9–22 | 9–19 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 9–22 | 9–19 |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 9–22 | 9–19 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 9–22 | |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 9–22 | |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | 9–22 | |
SSL_DH_anon_WITH_DES_CBC_SHA | 9–22 | |
SSL_DH_anon_WITH_RC4_128_MD5 | 9–22 | |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | 9–22 | 9–19 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 9–22 | 9–19 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | 9+ | 9–19 |
SSL_RSA_WITH_DES_CBC_SHA | 9–22 | 9–19 |
SSL_RSA_WITH_NULL_MD5 | 9–22 | |
SSL_RSA_WITH_NULL_SHA | 9–22 | |
SSL_RSA_WITH_RC4_128_MD5 | 9+ | 9–19 |
SSL_RSA_WITH_RC4_128_SHA | 9+ | 9–23 |
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 1–8 | 1–8 |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 1–8 | 1–8 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 9–22 | 9–22 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 20–22 | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 20–22 | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 9–22 | 20–22 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 20–22 | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 20–22 | |
TLS_DHE_DSS_WITH_DES_CBC_SHA | 1–8 | 1–8 |
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 1–8 | 1–8 |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 1–8 | 1–8 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 9+ | 20+ |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_DHE_RSA_WITH_DES_CBC_SHA | 1–8 | 1–8 |
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | 1–8 | |
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | 1–8 | |
TLS_DH_DSS_WITH_DES_CBC_SHA | 1–8 | |
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | 1–8 | |
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | 1–8 | |
TLS_DH_RSA_WITH_DES_CBC_SHA | 1–8 | |
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 1–8 | |
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | 1–8 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 9–22 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 20–22 | |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 20–22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 9–22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 20–22 | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 20–22 | |
TLS_DH_anon_WITH_DES_CBC_SHA | 1–8 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 20–22 | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 20–22 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 20+ | 20–23 |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 20–22 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_NULL_SHA | 20–22 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | 20+ | 20–23 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 20–22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 20–22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 20–22 | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 20–22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 20–22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 20–22 | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 20–22 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 20–22 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 20–22 | |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | 20–22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 20–22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 20–22 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 20–22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 20–22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 20–22 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 20–22 | |
TLS_ECDH_RSA_WITH_NULL_SHA | 20–22 | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | 20–22 | |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | 20–22 | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 20–22 | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 20–22 | |
TLS_ECDH_anon_WITH_NULL_SHA | 20–22 | |
TLS_ECDH_anon_WITH_RC4_128_SHA | 20–22 | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 20+ | 20+ |
TLS_FALLBACK_SCSV | 21+ | |
TLS_NULL_WITH_NULL_NULL | 1–8 | |
TLS_PSK_WITH_3DES_EDE_CBC_SHA | 21–22 | |
TLS_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_RC4_128_SHA | 21+ | |
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | 1–8 | 1–8 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | 1–8 | 1–8 |
TLS_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA | 9+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_RSA_WITH_DES_CBC_SHA | 1–8 | 1–8 |
TLS_RSA_WITH_NULL_MD5 | 1–8 | |
TLS_RSA_WITH_NULL_SHA | 1–8 | |
TLS_RSA_WITH_NULL_SHA256 | 20–22 |
NOTE: PSK cipher suites are enabled by default only if the SSLContext
through
which the engine was created has been initialized with a PSKKeyManager
.
Protected constructors | |
---|---|
SSLEngine()
Constructor for an |
|
SSLEngine(String peerHost, int peerPort)
Constructor for an |
Public methods | |
---|---|
abstract
void
|
beginHandshake()
Initiates handshaking (initial or renegotiation) on this SSLEngine. |
abstract
void
|
closeInbound()
Signals that no more inbound network data will be sent
to this |
abstract
void
|
closeOutbound()
Signals that no more outbound application data will be sent
on this |
abstract
Runnable
|
getDelegatedTask()
Returns a delegated |
abstract
boolean
|
getEnableSessionCreation()
Returns true if new SSL sessions may be established by this engine. |
abstract
String[]
|
getEnabledCipherSuites()
Returns the names of the SSL cipher suites which are currently enabled for use on this engine. |
abstract
String[]
|
getEnabledProtocols()
Returns the names of the protocol versions which are currently
enabled for use with this |
SSLSession
|
getHandshakeSession()
Returns the |
abstract
SSLEngineResult.HandshakeStatus
|
getHandshakeStatus()
Returns the current handshake status for this |
abstract
boolean
|
getNeedClientAuth()
Returns true if the engine will require client authentication. |
String
|
getPeerHost()
Returns the host name of the peer. |
int
|
getPeerPort()
Returns the port number of the peer. |
SSLParameters
|
getSSLParameters()
Returns the SSLParameters in effect for this SSLEngine. |
abstract
SSLSession
|
getSession()
Returns the |
abstract
String[]
|
getSupportedCipherSuites()
Returns the names of the cipher suites which could be enabled for use on this engine. |
abstract
String[]
|
getSupportedProtocols()
Returns the names of the protocols which could be enabled for use
with this |
abstract
boolean
|
getUseClientMode()
Returns true if the engine is set to use client mode when handshaking. |
abstract
boolean
|
getWantClientAuth()
Returns true if the engine will request client authentication. |
abstract
boolean
|
isInboundDone()
Returns whether |
abstract
boolean
|
isOutboundDone()
Returns whether |
abstract
void
|
setEnableSessionCreation(boolean flag)
Controls whether new SSL sessions may be established by this engine. |
abstract
void
|
setEnabledCipherSuites(String[] suites)
Sets the cipher suites enabled for use on this engine. |
abstract
void
|
setEnabledProtocols(String[] protocols)
Set the protocol versions enabled for use on this engine. |
abstract
void
|
setNeedClientAuth(boolean need)
Configures the engine to require client authentication. |
void
|
setSSLParameters(SSLParameters params)
Applies SSLParameters to this engine. |
abstract
void
|
setUseClientMode(boolean mode)
Configures the engine to use client (or server) mode when handshaking. |
abstract
void
|
setWantClientAuth(boolean want)
Configures the engine to request client authentication. |
SSLEngineResult
|
unwrap(ByteBuffer src, ByteBuffer[] dsts)
Attempts to decode SSL/TLS network data into a sequence of plaintext application data buffers. |
SSLEngineResult
|
unwrap(ByteBuffer src, ByteBuffer dst)
Attempts to decode SSL/TLS network data into a plaintext application data buffer. |
abstract
SSLEngineResult
|
unwrap(ByteBuffer src, ByteBuffer[] dsts, int offset, int length)
Attempts to decode SSL/TLS network data into a subsequence of plaintext application data buffers. |
SSLEngineResult
|
wrap(ByteBuffer[] srcs, ByteBuffer dst)
Attempts to encode plaintext bytes from a sequence of data buffers into SSL/TLS network data. |
SSLEngineResult
|
wrap(ByteBuffer src, ByteBuffer dst)
Attempts to encode a buffer of plaintext application data into SSL/TLS network data. |
abstract
SSLEngineResult
|
wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffer dst)
Attempts to encode plaintext bytes from a subsequence of data buffers into SSL/TLS network data. |
Inherited methods | |
---|---|
From
class
java.lang.Object
|
SSLEngine ()
Constructor for an SSLEngine
providing no hints
for an internal session reuse strategy.
See also:
SSLEngine (String peerHost, int peerPort)
Constructor for an SSLEngine
.
SSLEngine
implementations may use the
peerHost
and peerPort
parameters as hints
for their internal session reuse strategy.
Some cipher suites (such as Kerberos) require remote hostname information. Implementations of this class should use this constructor to use Kerberos.
The parameters are not authenticated by the
SSLEngine
.
Parameters | |
---|---|
peerHost |
String :
the name of the peer host |
peerPort |
int :
the port number of the peer |
void beginHandshake ()
Initiates handshaking (initial or renegotiation) on this SSLEngine.
This method is not needed for the initial handshake, as the
wrap()
and unwrap()
methods will
implicitly call this method if handshaking has not already begun.
Note that the peer may also request a session renegotiation with
this SSLEngine
by sending the appropriate
session renegotiate handshake message.
Unlike the SSLSocket#startHandshake()
method, this method does not block
until handshaking is completed.
To force a complete SSL/TLS session renegotiation, the current session should be invalidated prior to calling this method.
Some protocols may not support multiple handshakes on an existing
engine and may throw an SSLException
.
Throws | |
---|---|
SSLException |
if a problem was encountered while signaling the
SSLEngine to begin a new handshake.
See the class description for more information on
engine closure. |
IllegalStateException |
if the client/server mode has not yet been set. |
See also:
void closeInbound ()
Signals that no more inbound network data will be sent
to this SSLEngine
.
If the application initiated the closing process by calling
closeOutbound()
, under some circumstances it is not
required that the initiator wait for the peer's corresponding
close message. (See section 7.2.1 of the TLS specification (RFC 2246) for more
information on waiting for closure alerts.) In such cases, this
method need not be called.
But if the application did not initiate the closure process, or if the circumstances above do not apply, this method should be called whenever the end of the SSL/TLS data stream is reached. This ensures closure of the inbound side, and checks that the peer followed the SSL/TLS close procedure properly, thus detecting possible truncation attacks.
This method is idempotent: if the inbound side has already been closed, this method does not do anything.
wrap()
should be
called to flush any remaining handshake data.
Throws | |
---|---|
SSLException |
if this engine has not received the proper SSL/TLS close notification message from the peer. |
See also:
void closeOutbound ()
Signals that no more outbound application data will be sent
on this SSLEngine
.
This method is idempotent: if the outbound side has already been closed, this method does not do anything.
wrap(ByteBuffer, ByteBuffer)
should be
called to flush any remaining handshake data.
See also:
Runnable getDelegatedTask ()
Returns a delegated Runnable
task for
this SSLEngine
.
SSLEngine
operations may require the results of
operations that block, or may take an extended period of time to
complete. This method is used to obtain an outstanding Runnable
operation (task). Each task must be assigned
a thread (possibly the current) to perform the run
operation. Once the
run
method returns, the Runnable
object
is no longer needed and may be discarded.
Delegated tasks run in the AccessControlContext
in place when this object was created.
A call to this method will return each outstanding task exactly once.
Multiple delegated tasks can be run in parallel.
Returns | |
---|---|
Runnable |
a delegated Runnable task, or null
if none are available.
|
boolean getEnableSessionCreation ()
Returns true if new SSL sessions may be established by this engine.
Returns | |
---|---|
boolean |
true indicates that sessions may be created; this is the default. false indicates that an existing session must be resumed |
See also:
String[] getEnabledCipherSuites ()
Returns the names of the SSL cipher suites which are currently enabled for use on this engine. When an SSLEngine is first created, all enabled cipher suites support a minimum quality of service. Thus, in some environments this value might be empty.
Even if a suite has been enabled, it might never be used. (For example, the peer does not support it, the requisite certificates/private keys for the suite are not available, or an anonymous suite is enabled but authentication is required.)
Returns | |
---|---|
String[] |
an array of cipher suite names |
String[] getEnabledProtocols ()
Returns the names of the protocol versions which are currently
enabled for use with this SSLEngine
.
Returns | |
---|---|
String[] |
an array of protocols |
See also:
SSLSession getHandshakeSession ()
Returns the SSLSession
being constructed during a SSL/TLS
handshake.
TLS protocols may negotiate parameters that are needed when using
an instance of this class, but before the SSLSession
has
been completely initialized and made available via getSession
.
For example, the list of valid signature algorithms may restrict
the type of certificates that can used during TrustManager
decisions, or the maximum TLS fragment packet sizes can be
resized to better support the network environment.
This method provides early access to the SSLSession
being
constructed. Depending on how far the handshake has progressed,
some data may not yet be available for use. For example, if a
remote server will be sending a Certificate chain, but that chain
has yet not been processed, the getPeerCertificates
method of SSLSession
will throw a
SSLPeerUnverifiedException. Once that chain has been processed,
getPeerCertificates
will return the proper value.
Returns | |
---|---|
SSLSession |
null if this instance is not currently handshaking, or
if the current handshake has not progressed far enough to
create a basic SSLSession. Otherwise, this method returns the
SSLSession currently being negotiated. |
Throws | |
---|---|
UnsupportedOperationException |
if the underlying provider does not implement the operation. |
SSLEngineResult.HandshakeStatus getHandshakeStatus ()
Returns the current handshake status for this SSLEngine
.
Returns | |
---|---|
SSLEngineResult.HandshakeStatus |
the current SSLEngineResult.HandshakeStatus .
|
boolean getNeedClientAuth ()
Returns true if the engine will require client authentication. This option is only useful to engines in the server mode.
Returns | |
---|---|
boolean |
true if client authentication is required, or false if no client authentication is desired. |
String getPeerHost ()
Returns the host name of the peer.
Note that the value is not authenticated, and should not be relied upon.
Returns | |
---|---|
String |
the host name of the peer, or null if nothing is available. |
int getPeerPort ()
Returns the port number of the peer.
Note that the value is not authenticated, and should not be relied upon.
Returns | |
---|---|
int |
the port number of the peer, or -1 if nothing is available. |
SSLParameters getSSLParameters ()
Returns the SSLParameters in effect for this SSLEngine. The ciphersuites and protocols of the returned SSLParameters are always non-null.
Returns | |
---|---|
SSLParameters |
the SSLParameters in effect for this SSLEngine. |
SSLSession getSession ()
Returns the SSLSession
in use in this
SSLEngine
.
These can be long lived, and frequently correspond to an entire login session for some user. The session specifies a particular cipher suite which is being actively used by all connections in that session, as well as the identities of the session's client and server.
Unlike getSession()
this method does not block until handshaking is complete.
Until the initial handshake has completed, this method returns a session object which reports an invalid cipher suite of "SSL_NULL_WITH_NULL_NULL".
Returns | |
---|---|
SSLSession |
the SSLSession for this SSLEngine |
See also:
String[] getSupportedCipherSuites ()
Returns the names of the cipher suites which could be enabled for use on this engine. Normally, only a subset of these will actually be enabled by default, since this list may include cipher suites which do not meet quality of service requirements for those defaults. Such cipher suites might be useful in specialized applications.
Returns | |
---|---|
String[] |
an array of cipher suite names |
String[] getSupportedProtocols ()
Returns the names of the protocols which could be enabled for use
with this SSLEngine
.
Returns | |
---|---|
String[] |
an array of protocols supported |
boolean getUseClientMode ()
Returns true if the engine is set to use client mode when handshaking.
Returns | |
---|---|
boolean |
true if the engine should do handshaking in "client" mode |
See also:
boolean getWantClientAuth ()
Returns true if the engine will request client authentication. This option is only useful for engines in the server mode.
Returns | |
---|---|
boolean |
true if client authentication is requested, or false if no client authentication is desired. |
boolean isInboundDone ()
Returns whether unwrap(ByteBuffer, ByteBuffer)
will
accept any more inbound data messages.
Returns | |
---|---|
boolean |
true if the SSLEngine will not
consume anymore network data (and by implication,
will not produce any more application data.) |
See also:
boolean isOutboundDone ()
Returns whether wrap(ByteBuffer, ByteBuffer)
will
produce any more outbound data messages.
Note that during the closure phase, a SSLEngine
may
generate handshake closure data that must be sent to the peer.
wrap()
must be called to generate this data. When
this method returns true, no more outbound data will be created.
Returns | |
---|---|
boolean |
true if the SSLEngine will not produce
any more network data |
See also:
void setEnableSessionCreation (boolean flag)
Controls whether new SSL sessions may be established by this engine. If session creations are not allowed, and there are no existing sessions to resume, there will be no successful handshaking.
Parameters | |
---|---|
flag |
boolean :
true indicates that sessions may be created; this
is the default. false indicates that an existing session
must be resumed |
See also:
void setEnabledCipherSuites (String[] suites)
Sets the cipher suites enabled for use on this engine.
Each cipher suite in the suites
parameter must have
been listed by getSupportedCipherSuites(), or the method will
fail. Following a successful call to this method, only suites
listed in the suites
parameter are enabled for use.
See getEnabledCipherSuites()
for more information
on why a specific cipher suite may never be used on a engine.
Parameters | |
---|---|
suites |
String :
Names of all the cipher suites to enable |
Throws | |
---|---|
IllegalArgumentException |
when one or more of the ciphers named by the parameter is not supported, or when the parameter is null. |
void setEnabledProtocols (String[] protocols)
Set the protocol versions enabled for use on this engine.
The protocols must have been listed by getSupportedProtocols()
as being supported. Following a successful call to this method,
only protocols listed in the protocols
parameter
are enabled for use.
Parameters | |
---|---|
protocols |
String :
Names of all the protocols to enable. |
Throws | |
---|---|
IllegalArgumentException |
when one or more of the protocols named by the parameter is not supported or when the protocols parameter is null. |
See also:
void setNeedClientAuth (boolean need)
Configures the engine to require client authentication. This option is only useful for engines in the server mode.
An engine's client authentication setting is one of the following:
Unlike setWantClientAuth(boolean)
, if this option is set and
the client chooses not to provide authentication information
about itself, the negotiations will stop and the engine will
begin its closure procedure.
Calling this method overrides any previous setting made by
this method or setWantClientAuth(boolean)
.
Parameters | |
---|---|
need |
boolean :
set to true if client authentication is required,
or false if no client authentication is desired. |
void setSSLParameters (SSLParameters params)
Applies SSLParameters to this engine.
This means:
params.getCipherSuites()
is non-null,
setEnabledCipherSuites()
is called with that value
params.getProtocols()
is non-null,
setEnabledProtocols()
is called with that value
params.getNeedClientAuth()
or
params.getWantClientAuth()
return true
,
setNeedClientAuth(true)
and
setWantClientAuth(true)
are called, respectively;
otherwise setWantClientAuth(false)
is called.
Parameters | |
---|---|
params |
SSLParameters :
the parameters |
Throws | |
---|---|
IllegalArgumentException |
if the setEnabledCipherSuites() or the setEnabledProtocols() call fails |
void setUseClientMode (boolean mode)
Configures the engine to use client (or server) mode when handshaking.
This method must be called before any handshaking occurs. Once handshaking has begun, the mode can not be reset for the life of this engine.
Servers normally authenticate themselves, and clients are not required to do so.
Parameters | |
---|---|
mode |
boolean :
true if the engine should start its handshaking
in "client" mode |
Throws | |
---|---|
IllegalArgumentException |
if a mode change is attempted after the initial handshake has begun. |
See also:
void setWantClientAuth (boolean want)
Configures the engine to request client authentication. This option is only useful for engines in the server mode.
An engine's client authentication setting is one of the following:
Unlike setNeedClientAuth(boolean)
, if this option is set and
the client chooses not to provide authentication information
about itself, the negotiations will continue.
Calling this method overrides any previous setting made by
this method or setNeedClientAuth(boolean)
.
Parameters | |
---|---|
want |
boolean :
set to true if client authentication is requested,
or false if no client authentication is desired. |
SSLEngineResult unwrap (ByteBuffer src, ByteBuffer[] dsts)
Attempts to decode SSL/TLS network data into a sequence of plaintext application data buffers.
An invocation of this method behaves in exactly the same manner as the invocation:
engine.unwrap(src, dsts, 0, dsts.length);
Parameters src
ByteBuffer
: aByteBuffer
containing inbound network data.dsts
ByteBuffer
: an array ofByteBuffer
s to hold inbound application data.
Returns SSLEngineResult
an SSLEngineResult
describing the result of this operation.
Throws SSLException
A problem was encountered while processing the data that caused the SSLEngine
to abort. See the class description for more information on engine closure.ReadOnlyBufferException
if any of the dst
buffers are read-only.IllegalArgumentException
if either src
ordsts
is null, or if any element indsts
is null.IllegalStateException
if the client/server mode has not yet been set.
SSLEngineResult unwrap (ByteBuffer src, ByteBuffer dst)
Attempts to decode SSL/TLS network data into a plaintext application data buffer.
An invocation of this method behaves in exactly the same manner as the invocation:
engine.unwrap(src, new ByteBuffer [] { dst }, 0, 1);
Parameters src
ByteBuffer
: aByteBuffer
containing inbound network data.dst
ByteBuffer
: aByteBuffer
to hold inbound application data.
Returns SSLEngineResult
an SSLEngineResult
describing the result of this operation.
Throws SSLException
A problem was encountered while processing the data that caused the SSLEngine
to abort. See the class description for more information on engine closure.ReadOnlyBufferException
if the dst
buffer is read-only.IllegalArgumentException
if either src
ordst
is null.IllegalStateException
if the client/server mode has not yet been set.
SSLEngineResult unwrap (ByteBuffer src, ByteBuffer[] dsts, int offset, int length)
Attempts to decode SSL/TLS network data into a subsequence of
plaintext application data buffers. This "scattering"
operation decodes, in a single invocation, a sequence of bytes
into one or more of a given sequence of buffers. Scattering
unwraps are often useful when implementing network protocols or
file formats that, for example, group data into segments
consisting of one or more fixed-length headers followed by a
variable-length body. See
ScatteringByteChannel
for more
information on scattering, and read(ByteBuffer[], int, int)
for more information on the subsequence
behavior.
Depending on the state of the SSLEngine, this method may consume network data without producing any application data (for example, it may consume handshake data.)
The application is responsible for reliably obtaining the network data from the peer, and for invoking unwrap() on the data in the order it was received. The application must properly synchronize multiple calls to this method.
If this SSLEngine
has not yet started its initial
handshake, this method will automatically start the handshake.
This method will attempt to consume one complete SSL/TLS network
packet, but will never consume more than the sum of the bytes
remaining in the buffers. Each ByteBuffer
's
position is updated to reflect the amount of data consumed or
produced. The limits remain the same.
The underlying memory used by the src
and
dsts ByteBuffer
s must not be the same.
The inbound network buffer may be modified as a result of this call: therefore if the network data packet is required for some secondary purpose, the data should be duplicated before calling this method. Note: the network data will not be useful to a second SSLEngine, as each SSLEngine contains unique random state which influences the SSL/TLS messages.
See the class description for more information on engine closure.
Parameters | |
---|---|
src |
ByteBuffer :
a ByteBuffer containing inbound network data. |
dsts |
ByteBuffer :
an array of ByteBuffer s to hold inbound
application data. |
offset |
int :
The offset within the buffer array of the first buffer from
which bytes are to be transferred; it must be non-negative
and no larger than dsts.length . |
length |
int :
The maximum number of buffers to be accessed; it must be
non-negative and no larger than
dsts.length - offset . |
Returns | |
---|---|
SSLEngineResult |
an SSLEngineResult describing the result
of this operation. |
Throws | |
---|---|
SSLException |
A problem was encountered while processing the
data that caused the SSLEngine to abort.
See the class description for more information on
engine closure. |
IndexOutOfBoundsException |
If the preconditions on the offset and
length parameters do not hold. |
ReadOnlyBufferException |
if any of the dst buffers are read-only. |
IllegalArgumentException |
if either src or dsts
is null, or if any element in the dsts
subsequence specified is null. |
IllegalStateException |
if the client/server mode has not yet been set. |
SSLEngineResult wrap (ByteBuffer[] srcs, ByteBuffer dst)
Attempts to encode plaintext bytes from a sequence of data buffers into SSL/TLS network data.
An invocation of this method behaves in exactly the same manner as the invocation:
engine.wrap(srcs, 0, srcs.length, dst);
Parameters srcs
ByteBuffer
: an array ofByteBuffers
containing the outbound application datadst
ByteBuffer
: aByteBuffer
to hold outbound network data
Returns SSLEngineResult
an SSLEngineResult
describing the result of this operation.
Throws SSLException
A problem was encountered while processing the data that caused the SSLEngine
to abort. See the class description for more information on engine closure.ReadOnlyBufferException
if the dst
buffer is read-only.IllegalArgumentException
if either srcs
ordst
is null, or if any element insrcs
is null.IllegalStateException
if the client/server mode has not yet been set. See also:
SSLEngineResult wrap (ByteBuffer src, ByteBuffer dst)
Attempts to encode a buffer of plaintext application data into SSL/TLS network data.
An invocation of this method behaves in exactly the same manner as the invocation:
engine.wrap(new ByteBuffer [] { src }, 0, 1, dst);
Parameters src
ByteBuffer
: aByteBuffer
containing outbound application datadst
ByteBuffer
: aByteBuffer
to hold outbound network data
Returns SSLEngineResult
an SSLEngineResult
describing the result of this operation.
Throws SSLException
A problem was encountered while processing the data that caused the SSLEngine
to abort. See the class description for more information on engine closure.ReadOnlyBufferException
if the dst
buffer is read-only.IllegalArgumentException
if either src
ordst
is null.IllegalStateException
if the client/server mode has not yet been set. See also:
SSLEngineResult wrap (ByteBuffer[] srcs, int offset, int length, ByteBuffer dst)
Attempts to encode plaintext bytes from a subsequence of data
buffers into SSL/TLS network data. This "gathering"
operation encodes, in a single invocation, a sequence of bytes
from one or more of a given sequence of buffers. Gathering
wraps are often useful when implementing network protocols or
file formats that, for example, group data into segments
consisting of one or more fixed-length headers followed by a
variable-length body. See
GatheringByteChannel
for more
information on gathering, and write(ByteBuffer[], int, int)
for more information on the subsequence
behavior.
Depending on the state of the SSLEngine, this method may produce network data without consuming any application data (for example, it may generate handshake data.)
The application is responsible for reliably transporting the network data to the peer, and for ensuring that data created by multiple calls to wrap() is transported in the same order in which it was generated. The application must properly synchronize multiple calls to this method.
If this SSLEngine
has not yet started its initial
handshake, this method will automatically start the handshake.
This method will attempt to produce one SSL/TLS packet, and will
consume as much source data as possible, but will never consume
more than the sum of the bytes remaining in each buffer. Each
ByteBuffer
's position is updated to reflect the
amount of data consumed or produced. The limits remain the
same.
The underlying memory used by the srcs
and
dst ByteBuffer
s must not be the same.
See the class description for more information on engine closure.
Parameters | |
---|---|
srcs |
ByteBuffer :
an array of ByteBuffers containing the
outbound application data |
offset |
int :
The offset within the buffer array of the first buffer from
which bytes are to be retrieved; it must be non-negative
and no larger than srcs.length |
length |
int :
The maximum number of buffers to be accessed; it must be
non-negative and no larger than
srcs.length - offset |
dst |
ByteBuffer :
a ByteBuffer to hold outbound network data |
Returns | |
---|---|
SSLEngineResult |
an SSLEngineResult describing the result
of this operation. |
Throws | |
---|---|
SSLException |
A problem was encountered while processing the
data that caused the SSLEngine to abort.
See the class description for more information on
engine closure. |
IndexOutOfBoundsException |
if the preconditions on the offset and
length parameters do not hold. |
ReadOnlyBufferException |
if the dst buffer is read-only. |
IllegalArgumentException |
if either srcs or dst
is null, or if any element in the srcs
subsequence specified is null. |
IllegalStateException |
if the client/server mode has not yet been set. |