/*
 * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package javax.net.ssl;

import java.security.AlgorithmConstraints;
import java.util.Map;
import java.util.List;
import java.util.HashMap;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;

Encapsulates parameters for an SSL/TLS/DTLS connection. The parameters are the list of ciphersuites to be accepted in an SSL/TLS/DTLS handshake, the list of protocols to be allowed, the endpoint identification algorithm during SSL/TLS/DTLS handshaking, the Server Name Indication (SNI), the maximum network packet size, the algorithm constraints and whether SSL/TLS/DTLS servers should request or require client authentication, etc.

SSLParameters can be created via the constructors in this class. Objects can also be obtained using the getSSLParameters() methods in SSLSocket and SSLServerSocket and SSLEngine or the getDefaultSSLParameters() and getSupportedSSLParameters() methods in SSLContext.

SSLParameters can be applied to a connection via the methods SSLSocket.setSSLParameters() and SSLServerSocket.setSSLParameters() and SSLEngine.setSSLParameters().

For example:

    SSLParameters p = sslSocket.getSSLParameters();
    p.setProtocols(new String[] { "TLSv1.2" });
    p.setCipherSuites(
        new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", ... });
    p.setApplicationProtocols(new String[] {"h2", "http/1.1"});
    sslSocket.setSSLParameters(p);
See Also:
Since:1.6
/** * Encapsulates parameters for an SSL/TLS/DTLS connection. The parameters * are the list of ciphersuites to be accepted in an SSL/TLS/DTLS handshake, * the list of protocols to be allowed, the endpoint identification * algorithm during SSL/TLS/DTLS handshaking, the Server Name Indication (SNI), * the maximum network packet size, the algorithm constraints and whether * SSL/TLS/DTLS servers should request or require client authentication, etc. * <p> * SSLParameters can be created via the constructors in this class. * Objects can also be obtained using the {@code getSSLParameters()} * methods in * {@link SSLSocket#getSSLParameters SSLSocket} and * {@link SSLServerSocket#getSSLParameters SSLServerSocket} and * {@link SSLEngine#getSSLParameters SSLEngine} or the * {@link SSLContext#getDefaultSSLParameters getDefaultSSLParameters()} and * {@link SSLContext#getSupportedSSLParameters getSupportedSSLParameters()} * methods in {@code SSLContext}. * <p> * SSLParameters can be applied to a connection via the methods * {@link SSLSocket#setSSLParameters SSLSocket.setSSLParameters()} and * {@link SSLServerSocket#setSSLParameters SSLServerSocket.setSSLParameters()} * and {@link SSLEngine#setSSLParameters SSLEngine.setSSLParameters()}. * <p> * For example: * * <blockquote><pre> * SSLParameters p = sslSocket.getSSLParameters(); * p.setProtocols(new String[] { "TLSv1.2" }); * p.setCipherSuites( * new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", ... }); * p.setApplicationProtocols(new String[] {"h2", "http/1.1"}); * sslSocket.setSSLParameters(p); * </pre></blockquote> * * @see SSLSocket * @see SSLEngine * @see SSLContext * * @since 1.6 */
public class SSLParameters { private String[] cipherSuites; private String[] protocols; private boolean wantClientAuth; private boolean needClientAuth; private String identificationAlgorithm; private AlgorithmConstraints algorithmConstraints; private Map<Integer, SNIServerName> sniNames = null; private Map<Integer, SNIMatcher> sniMatchers = null; private boolean preferLocalCipherSuites; private boolean enableRetransmissions = true; private int maximumPacketSize = 0; private String[] applicationProtocols = new String[0];
Constructs SSLParameters.

The values of cipherSuites, protocols, cryptographic algorithm constraints, endpoint identification algorithm, server names and server name matchers are set to null; useCipherSuitesOrder, wantClientAuth and needClientAuth are set to false; enableRetransmissions is set to true; maximum network packet size is set to 0.

/** * Constructs SSLParameters. * <p> * The values of cipherSuites, protocols, cryptographic algorithm * constraints, endpoint identification algorithm, server names and * server name matchers are set to {@code null}; useCipherSuitesOrder, * wantClientAuth and needClientAuth are set to {@code false}; * enableRetransmissions is set to {@code true}; maximum network packet * size is set to {@code 0}. */
public SSLParameters() { // empty }
Constructs SSLParameters from the specified array of ciphersuites.

Calling this constructor is equivalent to calling the no-args constructor followed by setCipherSuites(cipherSuites);. Note that the standard list of cipher suite names may be found in the JSSE Cipher Suite Names section of the Java Cryptography Architecture Standard Algorithm Name Documentation. Providers may support cipher suite names not found in this list.

Params:
  • cipherSuites – the array of ciphersuites (or null)
/** * Constructs SSLParameters from the specified array of ciphersuites. * <p> * Calling this constructor is equivalent to calling the no-args * constructor followed by * {@code setCipherSuites(cipherSuites);}. Note that the * standard list of cipher suite names may be found in the <a href= * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> * JSSE Cipher Suite Names</a> section of the Java Cryptography * Architecture Standard Algorithm Name Documentation. Providers * may support cipher suite names not found in this list. * * @param cipherSuites the array of ciphersuites (or null) */
public SSLParameters(String[] cipherSuites) { setCipherSuites(cipherSuites); }
Constructs SSLParameters from the specified array of ciphersuites and protocols.

Calling this constructor is equivalent to calling the no-args constructor followed by setCipherSuites(cipherSuites); setProtocols(protocols);. Note that the standard list of cipher suite names may be found in the JSSE Cipher Suite Names section of the Java Cryptography Architecture Standard Algorithm Name Documentation. Providers may support cipher suite names not found in this list.

Params:
  • cipherSuites – the array of ciphersuites (or null)
  • protocols – the array of protocols (or null)
/** * Constructs SSLParameters from the specified array of ciphersuites * and protocols. * <p> * Calling this constructor is equivalent to calling the no-args * constructor followed by * {@code setCipherSuites(cipherSuites); setProtocols(protocols);}. * Note that the standard list of cipher suite names may be found in the * <a href= * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> * JSSE Cipher Suite Names</a> section of the Java Cryptography * Architecture Standard Algorithm Name Documentation. Providers * may support cipher suite names not found in this list. * * @param cipherSuites the array of ciphersuites (or null) * @param protocols the array of protocols (or null) */
public SSLParameters(String[] cipherSuites, String[] protocols) { setCipherSuites(cipherSuites); setProtocols(protocols); } private static String[] clone(String[] s) { return (s == null) ? null : s.clone(); }
Returns a copy of the array of ciphersuites or null if none have been set.

The returned array includes cipher suites from the list of standard cipher suite names in the JSSE Cipher Suite Names section of the Java Cryptography Architecture Standard Algorithm Name Documentation, and may also include other cipher suites that the provider supports.

Returns:a copy of the array of ciphersuites or null if none have been set.
/** * Returns a copy of the array of ciphersuites or null if none * have been set. * <P> * The returned array includes cipher suites from the list of standard * cipher suite names in the <a href= * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> * JSSE Cipher Suite Names</a> section of the Java Cryptography * Architecture Standard Algorithm Name Documentation, and may also * include other cipher suites that the provider supports. * * @return a copy of the array of ciphersuites or null if none * have been set. */
public String[] getCipherSuites() { return clone(cipherSuites); }
Sets the array of ciphersuites.
Params:
  • cipherSuites – the array of ciphersuites (or null). Note that the standard list of cipher suite names may be found in the JSSE Cipher Suite Names section of the Java Cryptography Architecture Standard Algorithm Name Documentation. Providers may support cipher suite names not found in this list or might not use the recommended name for a certain cipher suite.
/** * Sets the array of ciphersuites. * * @param cipherSuites the array of ciphersuites (or null). Note that the * standard list of cipher suite names may be found in the <a href= * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> * JSSE Cipher Suite Names</a> section of the Java Cryptography * Architecture Standard Algorithm Name Documentation. Providers * may support cipher suite names not found in this list or might not * use the recommended name for a certain cipher suite. */
public void setCipherSuites(String[] cipherSuites) { this.cipherSuites = clone(cipherSuites); }
Returns a copy of the array of protocols or null if none have been set.
Returns:a copy of the array of protocols or null if none have been set.
/** * Returns a copy of the array of protocols or null if none * have been set. * * @return a copy of the array of protocols or null if none * have been set. */
public String[] getProtocols() { return clone(protocols); }
Sets the array of protocols.
Params:
  • protocols – the array of protocols (or null)
/** * Sets the array of protocols. * * @param protocols the array of protocols (or null) */
public void setProtocols(String[] protocols) { this.protocols = clone(protocols); }
Returns whether client authentication should be requested.
Returns:whether client authentication should be requested.
/** * Returns whether client authentication should be requested. * * @return whether client authentication should be requested. */
public boolean getWantClientAuth() { return wantClientAuth; }
Sets whether client authentication should be requested. Calling this method clears the needClientAuth flag.
Params:
  • wantClientAuth – whether client authentication should be requested
/** * Sets whether client authentication should be requested. Calling * this method clears the {@code needClientAuth} flag. * * @param wantClientAuth whether client authentication should be requested */
public void setWantClientAuth(boolean wantClientAuth) { this.wantClientAuth = wantClientAuth; this.needClientAuth = false; }
Returns whether client authentication should be required.
Returns:whether client authentication should be required.
/** * Returns whether client authentication should be required. * * @return whether client authentication should be required. */
public boolean getNeedClientAuth() { return needClientAuth; }
Sets whether client authentication should be required. Calling this method clears the wantClientAuth flag.
Params:
  • needClientAuth – whether client authentication should be required
/** * Sets whether client authentication should be required. Calling * this method clears the {@code wantClientAuth} flag. * * @param needClientAuth whether client authentication should be required */
public void setNeedClientAuth(boolean needClientAuth) { this.wantClientAuth = false; this.needClientAuth = needClientAuth; }
Returns the cryptographic algorithm constraints.
See Also:
Returns:the cryptographic algorithm constraints, or null if the constraints have not been set
Since:1.7
/** * Returns the cryptographic algorithm constraints. * * @return the cryptographic algorithm constraints, or null if the * constraints have not been set * * @see #setAlgorithmConstraints(AlgorithmConstraints) * * @since 1.7 */
public AlgorithmConstraints getAlgorithmConstraints() { return algorithmConstraints; }
Sets the cryptographic algorithm constraints, which will be used in addition to any configured by the runtime environment.

If the constraints parameter is non-null, every cryptographic algorithm, key and algorithm parameters used in the SSL/TLS/DTLS handshake must be permitted by the constraints.

Params:
  • constraints – the algorithm constraints (or null)
Since:1.7
/** * Sets the cryptographic algorithm constraints, which will be used * in addition to any configured by the runtime environment. * <p> * If the {@code constraints} parameter is non-null, every * cryptographic algorithm, key and algorithm parameters used in the * SSL/TLS/DTLS handshake must be permitted by the constraints. * * @param constraints the algorithm constraints (or null) * * @since 1.7 */
public void setAlgorithmConstraints(AlgorithmConstraints constraints) { // the constraints object is immutable this.algorithmConstraints = constraints; }
Gets the endpoint identification algorithm.
See Also:
Returns:the endpoint identification algorithm, or null if none has been set.
Since:1.7
/** * Gets the endpoint identification algorithm. * * @return the endpoint identification algorithm, or null if none * has been set. * * @see X509ExtendedTrustManager * @see #setEndpointIdentificationAlgorithm(String) * * @since 1.7 */
public String getEndpointIdentificationAlgorithm() { return identificationAlgorithm; }
Sets the endpoint identification algorithm.

If the algorithm parameter is non-null or non-empty, the endpoint identification/verification procedures must be handled during SSL/TLS/DTLS handshaking. This is to prevent man-in-the-middle attacks.

Params:
See Also:
Since:1.7
/** * Sets the endpoint identification algorithm. * <p> * If the {@code algorithm} parameter is non-null or non-empty, the * endpoint identification/verification procedures must be handled during * SSL/TLS/DTLS handshaking. This is to prevent man-in-the-middle attacks. * * @param algorithm The standard string name of the endpoint * identification algorithm (or null). * See the <a href= * "{@docRoot}/../specs/security/standard-names.html"> * Java Security Standard Algorithm Names</a> document * for information about standard algorithm names. * * @see X509ExtendedTrustManager * * @since 1.7 */
public void setEndpointIdentificationAlgorithm(String algorithm) { this.identificationAlgorithm = algorithm; }
Sets the desired SNIServerNames of the Server Name Indication (SNI) parameter.

This method is only useful to SSLSockets or SSLEngines operating in client mode.

Note that the serverNames list is cloned to protect against subsequent modification.

Params:
Throws:
See Also:
Since:1.8
/** * Sets the desired {@link SNIServerName}s of the Server Name * Indication (SNI) parameter. * <P> * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s * operating in client mode. * <P> * Note that the {@code serverNames} list is cloned * to protect against subsequent modification. * * @param serverNames * the list of desired {@link SNIServerName}s (or null) * * @throws NullPointerException if the {@code serverNames} * contains {@code null} element * @throws IllegalArgumentException if the {@code serverNames} * contains more than one name of the same name type * * @see SNIServerName * @see #getServerNames() * * @since 1.8 */
public final void setServerNames(List<SNIServerName> serverNames) { if (serverNames != null) { if (!serverNames.isEmpty()) { sniNames = new LinkedHashMap<>(serverNames.size()); for (SNIServerName serverName : serverNames) { if (sniNames.put(serverName.getType(), serverName) != null) { throw new IllegalArgumentException( "Duplicated server name of type " + serverName.getType()); } } } else { sniNames = Collections.<Integer, SNIServerName>emptyMap(); } } else { sniNames = null; } }
Returns a List containing all SNIServerNames of the Server Name Indication (SNI) parameter, or null if none has been set.

This method is only useful to SSLSockets or SSLEngines operating in client mode.

For SSL/TLS/DTLS connections, the underlying SSL/TLS/DTLS provider may specify a default value for a certain server name type. In client mode, it is recommended that, by default, providers should include the server name indication whenever the server can be located by a supported server name type.

It is recommended that providers initialize default Server Name Indications when creating SSLSocket/SSLEngines. In the following examples, the server name could be represented by an instance of SNIHostName which has been initialized with the hostname "www.example.com" and type StandardConstants.SNI_HOST_NAME.

    Socket socket =
        sslSocketFactory.createSocket("www.example.com", 443);
or
    SSLEngine engine =
        sslContext.createSSLEngine("www.example.com", 443);
See Also:
Returns:null or an immutable list of non-null SNIServerNames
Since:1.8
/** * Returns a {@link List} containing all {@link SNIServerName}s of the * Server Name Indication (SNI) parameter, or null if none has been set. * <P> * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s * operating in client mode. * <P> * For SSL/TLS/DTLS connections, the underlying SSL/TLS/DTLS provider * may specify a default value for a certain server name type. In * client mode, it is recommended that, by default, providers should * include the server name indication whenever the server can be located * by a supported server name type. * <P> * It is recommended that providers initialize default Server Name * Indications when creating {@code SSLSocket}/{@code SSLEngine}s. * In the following examples, the server name could be represented by an * instance of {@link SNIHostName} which has been initialized with the * hostname "www.example.com" and type * {@link StandardConstants#SNI_HOST_NAME}. * * <pre> * Socket socket = * sslSocketFactory.createSocket("www.example.com", 443); * </pre> * or * <pre> * SSLEngine engine = * sslContext.createSSLEngine("www.example.com", 443); * </pre> * * @return null or an immutable list of non-null {@link SNIServerName}s * * @see List * @see #setServerNames(List) * * @since 1.8 */
public final List<SNIServerName> getServerNames() { if (sniNames != null) { if (!sniNames.isEmpty()) { return Collections.<SNIServerName>unmodifiableList( new ArrayList<>(sniNames.values())); } else { return Collections.<SNIServerName>emptyList(); } } return null; }
Sets the SNIMatchers of the Server Name Indication (SNI) parameter.

This method is only useful to SSLSockets or SSLEngines operating in server mode.

Note that the matchers collection is cloned to protect against subsequent modification.

Params:
  • matchers – the collection of SNIMatchers (or null)
Throws:
See Also:
Since:1.8
/** * Sets the {@link SNIMatcher}s of the Server Name Indication (SNI) * parameter. * <P> * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s * operating in server mode. * <P> * Note that the {@code matchers} collection is cloned to protect * against subsequent modification. * * @param matchers * the collection of {@link SNIMatcher}s (or null) * * @throws NullPointerException if the {@code matchers} * contains {@code null} element * @throws IllegalArgumentException if the {@code matchers} * contains more than one name of the same name type * * @see Collection * @see SNIMatcher * @see #getSNIMatchers() * * @since 1.8 */
public final void setSNIMatchers(Collection<SNIMatcher> matchers) { if (matchers != null) { if (!matchers.isEmpty()) { sniMatchers = new HashMap<>(matchers.size()); for (SNIMatcher matcher : matchers) { if (sniMatchers.put(matcher.getType(), matcher) != null) { throw new IllegalArgumentException( "Duplicated server name of type " + matcher.getType()); } } } else { sniMatchers = Collections.<Integer, SNIMatcher>emptyMap(); } } else { sniMatchers = null; } }
Returns a Collection containing all SNIMatchers of the Server Name Indication (SNI) parameter, or null if none has been set.

This method is only useful to SSLSockets or SSLEngines operating in server mode.

For better interoperability, providers generally will not define default matchers so that by default servers will ignore the SNI extension and continue the handshake.

See Also:
Returns:null or an immutable collection of non-null SNIMatchers
Since:1.8
/** * Returns a {@link Collection} containing all {@link SNIMatcher}s of the * Server Name Indication (SNI) parameter, or null if none has been set. * <P> * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s * operating in server mode. * <P> * For better interoperability, providers generally will not define * default matchers so that by default servers will ignore the SNI * extension and continue the handshake. * * @return null or an immutable collection of non-null {@link SNIMatcher}s * * @see SNIMatcher * @see #setSNIMatchers(Collection) * * @since 1.8 */
public final Collection<SNIMatcher> getSNIMatchers() { if (sniMatchers != null) { if (!sniMatchers.isEmpty()) { return Collections.<SNIMatcher>unmodifiableList( new ArrayList<>(sniMatchers.values())); } else { return Collections.<SNIMatcher>emptyList(); } } return null; }
Sets whether the local cipher suites preference should be honored.
Params:
  • honorOrder – whether local cipher suites order in #getCipherSuites should be honored during SSL/TLS/DTLS handshaking.
See Also:
Since:1.8
/** * Sets whether the local cipher suites preference should be honored. * * @param honorOrder whether local cipher suites order in * {@code #getCipherSuites} should be honored during * SSL/TLS/DTLS handshaking. * * @see #getUseCipherSuitesOrder() * * @since 1.8 */
public final void setUseCipherSuitesOrder(boolean honorOrder) { this.preferLocalCipherSuites = honorOrder; }
Returns whether the local cipher suites preference should be honored.
See Also:
Returns:whether local cipher suites order in #getCipherSuites should be honored during SSL/TLS/DTLS handshaking.
Since:1.8
/** * Returns whether the local cipher suites preference should be honored. * * @return whether local cipher suites order in {@code #getCipherSuites} * should be honored during SSL/TLS/DTLS handshaking. * * @see #setUseCipherSuitesOrder(boolean) * * @since 1.8 */
public final boolean getUseCipherSuitesOrder() { return preferLocalCipherSuites; }
Sets whether DTLS handshake retransmissions should be enabled. This method only applies to DTLS.
Params:
  • enableRetransmissions – true indicates that DTLS handshake retransmissions should be enabled; false indicates that DTLS handshake retransmissions should be disabled
See Also:
Since:9
/** * Sets whether DTLS handshake retransmissions should be enabled. * * This method only applies to DTLS. * * @param enableRetransmissions * {@code true} indicates that DTLS handshake retransmissions * should be enabled; {@code false} indicates that DTLS handshake * retransmissions should be disabled * * @see #getEnableRetransmissions() * * @since 9 */
public void setEnableRetransmissions(boolean enableRetransmissions) { this.enableRetransmissions = enableRetransmissions; }
Returns whether DTLS handshake retransmissions should be enabled. This method only applies to DTLS.
See Also:
Returns: true, if DTLS handshake retransmissions should be enabled
Since:9
/** * Returns whether DTLS handshake retransmissions should be enabled. * * This method only applies to DTLS. * * @return true, if DTLS handshake retransmissions should be enabled * * @see #setEnableRetransmissions(boolean) * * @since 9 */
public boolean getEnableRetransmissions() { return enableRetransmissions; }
Sets the maximum expected network packet size in bytes for SSL/TLS/DTLS records.
Params:
  • maximumPacketSize – the maximum expected network packet size in bytes, or 0 to use the implicit size that is automatically specified by the underlying implementation.
Throws:
See Also:
API Note: It is recommended that if possible, the maximum packet size should not be less than 256 bytes so that small handshake messages, such as HelloVerifyRequests, are not fragmented.
Implementation Note:If the maximum packet size is too small to hold a minimal record, an implementation may attempt to generate as minimal records as possible. However, this may cause a generated packet to be larger than the maximum packet size.
Since:9
/** * Sets the maximum expected network packet size in bytes for * SSL/TLS/DTLS records. * * @apiNote It is recommended that if possible, the maximum packet size * should not be less than 256 bytes so that small handshake * messages, such as HelloVerifyRequests, are not fragmented. * * @implNote If the maximum packet size is too small to hold a minimal * record, an implementation may attempt to generate as minimal * records as possible. However, this may cause a generated * packet to be larger than the maximum packet size. * * @param maximumPacketSize * the maximum expected network packet size in bytes, or * {@code 0} to use the implicit size that is automatically * specified by the underlying implementation. * @throws IllegalArgumentException * if {@code maximumPacketSize} is negative. * * @see #getMaximumPacketSize() * * @since 9 */
public void setMaximumPacketSize(int maximumPacketSize) { if (maximumPacketSize < 0) { throw new IllegalArgumentException( "The maximum packet size cannot be negative"); } this.maximumPacketSize = maximumPacketSize; }
Returns the maximum expected network packet size in bytes for SSL/TLS/DTLS records.
See Also:
API Note: The implicit size may not be a fixed value, especially for a DTLS protocols implementation.
Implementation Note:For SSL/TLS/DTLS connections, the underlying provider should calculate and specify the implicit value of the maximum expected network packet size if it is not configured explicitly. For any connection populated object, this method should never return 0 so that applications can retrieve the actual implicit size of the underlying implementation.

An implementation should attempt to comply with the maximum packet size configuration. However, if the maximum packet size is too small to hold a minimal record, an implementation may try to generate as minimal records as possible. This may cause a generated packet to be larger than the maximum packet size.

Returns: the maximum expected network packet size, or 0 if use the implicit size that is automatically specified by the underlying implementation and this object has not been populated by any connection.
Since:9
/** * Returns the maximum expected network packet size in bytes for * SSL/TLS/DTLS records. * * @apiNote The implicit size may not be a fixed value, especially * for a DTLS protocols implementation. * * @implNote For SSL/TLS/DTLS connections, the underlying provider * should calculate and specify the implicit value of the * maximum expected network packet size if it is not * configured explicitly. For any connection populated * object, this method should never return {@code 0} so * that applications can retrieve the actual implicit size * of the underlying implementation. * <P> * An implementation should attempt to comply with the maximum * packet size configuration. However, if the maximum packet * size is too small to hold a minimal record, an implementation * may try to generate as minimal records as possible. This * may cause a generated packet to be larger than the maximum * packet size. * * @return the maximum expected network packet size, or {@code 0} if * use the implicit size that is automatically specified by * the underlying implementation and this object has not been * populated by any connection. * * @see #setMaximumPacketSize(int) * * @since 9 */
public int getMaximumPacketSize() { return maximumPacketSize; }
Returns a prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols.

The array could be empty (zero-length), in which case protocol indications will not be used.

This method will return a new array each time it is invoked.

See Also:
Returns:a non-null, possibly zero-length array of application protocol Strings. The array is ordered based on protocol preference, with protocols[0] being the most preferred.
Since:9
/** * Returns a prioritized array of application-layer protocol names that * can be negotiated over the SSL/TLS/DTLS protocols. * <p> * The array could be empty (zero-length), in which case protocol * indications will not be used. * <p> * This method will return a new array each time it is invoked. * * @return a non-null, possibly zero-length array of application protocol * {@code String}s. The array is ordered based on protocol * preference, with {@code protocols[0]} being the most preferred. * @see #setApplicationProtocols * @since 9 */
public String[] getApplicationProtocols() { return applicationProtocols.clone(); }
Sets the prioritized array of application-layer protocol names that can be negotiated over the SSL/TLS/DTLS protocols.

If application-layer protocols are supported by the underlying SSL/TLS implementation, this method configures which values can be negotiated by protocols such as RFC 7301 , the Application Layer Protocol Negotiation (ALPN).

If this end of the connection is expected to offer application protocol values, all protocols configured by this method will be sent to the peer.

If this end of the connection is expected to select the application protocol value, the protocols configured by this method are compared with those sent by the peer. The first matched value becomes the negotiated value. If none of the protocols were actually requested by the peer, the underlying protocol will determine what action to take. (For example, ALPN will send a "no_application_protocol" alert and terminate the connection.)

Params:
  • protocols – an ordered array of application protocols, with protocols[0] being the most preferred. If the array is empty (zero-length), protocol indications will not be used.
Throws:
  • IllegalArgumentException – if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string
See Also:
Implementation Requirements: This method will make a copy of the protocols array.
Since:9
/** * Sets the prioritized array of application-layer protocol names that * can be negotiated over the SSL/TLS/DTLS protocols. * <p> * If application-layer protocols are supported by the underlying * SSL/TLS implementation, this method configures which values can * be negotiated by protocols such as <a * href="http://www.ietf.org/rfc/rfc7301.txt"> RFC 7301 </a>, the * Application Layer Protocol Negotiation (ALPN). * <p> * If this end of the connection is expected to offer application protocol * values, all protocols configured by this method will be sent to the * peer. * <p> * If this end of the connection is expected to select the application * protocol value, the {@code protocols} configured by this method are * compared with those sent by the peer. The first matched value becomes * the negotiated value. If none of the {@code protocols} were actually * requested by the peer, the underlying protocol will determine what * action to take. (For example, ALPN will send a * {@code "no_application_protocol"} alert and terminate the connection.) * <p> * @implSpec * This method will make a copy of the {@code protocols} array. * * @param protocols an ordered array of application protocols, * with {@code protocols[0]} being the most preferred. * If the array is empty (zero-length), protocol * indications will not be used. * @throws IllegalArgumentException if protocols is null, or if * any element in a non-empty array is null or an * empty (zero-length) string * @see #getApplicationProtocols * @since 9 */
public void setApplicationProtocols(String[] protocols) { if (protocols == null) { throw new IllegalArgumentException("protocols was null"); } String[] tempProtocols = protocols.clone(); for (String p : tempProtocols) { if (p == null || p.equals("")) { throw new IllegalArgumentException( "An element of protocols was null/empty"); } } applicationProtocols = tempProtocols; } }