Package org.conscrypt

Class SSLParametersImpl

  • All Implemented Interfaces:
    Cloneable

    public class SSLParametersImpl
    extends Object
    implements Cloneable
    Instances of this class encapsulate everything an SSL socket or engine needs to know about its TLS configuration: the enabled cipher suites and protocols, whether the peer operates in client or server mode, whether it requires or merely requests client authentication, and whether new SSL sessions may be established by this socket.
    • Method Detail

      • getSessionContext

        public org.conscrypt.AbstractSessionContext getSessionContext()
        Returns the session context appropriate for the configured mode: the client session context in client mode, the server session context otherwise.
      • getServerSessionContext

        protected ServerSessionContext getServerSessionContext()
        Returns:
        server session context
      • getClientSessionContext

        protected ClientSessionContext getClientSessionContext()
        Returns:
        client session context
      • getX509KeyManager

        protected X509KeyManager getX509KeyManager()
        Returns:
        X.509 key manager or null for none.
      • getPSKKeyManager

        protected PSKKeyManager getPSKKeyManager()
        Returns:
        Pre-Shared Key (PSK) key manager or null for none.
      • getX509TrustManager

        protected X509TrustManager getX509TrustManager()
        Returns:
        X.509 trust manager or null for none.
      • getSecureRandom

        protected SecureRandom getSecureRandom()
        Returns:
        secure random
      • getSecureRandomMember

        protected SecureRandom getSecureRandomMember()
        Returns:
        the SecureRandom member reference as stored, which may be null
      • getCTVerifier

        protected CTVerifier getCTVerifier()
        Returns:
        certificate transparency verifier
      • getEnabledCipherSuites

        protected String[] getEnabledCipherSuites()
        Returns:
        the names of enabled cipher suites
      • setEnabledCipherSuites

        protected void setEnabledCipherSuites​(String[] cipherSuites)
        Sets the enabled cipher suites after filtering through OpenSSL.
      • getEnabledProtocols

        protected String[] getEnabledProtocols()
        Returns:
        the set of enabled protocols
      • setEnabledProtocols

        protected void setEnabledProtocols​(String[] protocols)
        Sets the protocols that may be negotiated on the SSL connection.
        Parameters:
        protocols - names of the protocols to enable
      • setUseClientMode

        protected void setUseClientMode​(boolean mode)
        Configures the peer holding these parameters to operate in client mode.
        Parameters:
        mode - true to operate in client mode, false for server mode
      • getUseClientMode

        protected boolean getUseClientMode()
        Returns whether these parameters are configured for client mode.
      • setNeedClientAuth

        protected void setNeedClientAuth​(boolean need)
        Configures the peer holding these parameters to require client authentication.
      • getNeedClientAuth

        protected boolean getNeedClientAuth()
        Returns whether the peer holding these parameters is configured to require client authentication.
      • setWantClientAuth

        protected void setWantClientAuth​(boolean want)
        Configures the peer holding these parameters to request (but not require) client authentication.
      • getWantClientAuth

        protected boolean getWantClientAuth()
        Returns whether the peer holding these parameters is configured to request client authentication.
      • setEnableSessionCreation

        protected void setEnableSessionCreation​(boolean flag)
        Allows or disallows the peer holding these parameters to create new SSL sessions.
      • getEnableSessionCreation

        protected boolean getEnableSessionCreation()
        Returns whether the peer holding these parameters is allowed to create new SSL sessions.
      • setUseSni

        protected void setUseSni​(boolean flag)
        Sets whether connections using these parameters should send the TLS Server Name Indication (SNI) extension.
      • getUseSni

        protected boolean getUseSni()
        Returns whether connections using these parameters should send the TLS Server Name Indication (SNI) extension.
      • setCTVerifier

        public void setCTVerifier​(CTVerifier verifier)
      • setCTVerificationEnabled

        public void setCTVerificationEnabled​(boolean enabled)
      • setSCTExtension

        public void setSCTExtension​(byte[] extension)
      • setOCSPResponse

        public void setOCSPResponse​(byte[] response)
      • clone

        protected Object clone()
        Returns the clone of this object.
        Overrides:
        clone in class Object
        Returns:
        the clone.
      • getEndpointIdentificationAlgorithm

        public String getEndpointIdentificationAlgorithm()
        Returns the endpoint identification algorithm in effect (for example "HTTPS"), or null if the peer's hostname is not checked against its certificate.
      • setEndpointIdentificationAlgorithm

        public void setEndpointIdentificationAlgorithm​(String endpointIdentificationAlgorithm)
        Sets the endpoint identification algorithm ("HTTPS" or "LDAPS"); null disables hostname verification, leaving only chain validation by the trust manager.
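        The protected setters above back the public JSSE API that applications actually call. The following added example (not Conscrypt's own code) shows a server engine that requires rather than merely requests a client certificate, and a client engine that sends SNI and verifies the peer's hostname via "HTTPS" endpoint identification. It uses only standard javax.net.ssl calls; it assumes the default SSLContext of a Java 11+ runtime (or one with Conscrypt installed as provider) so that TLSv1.3 is an accepted protocol name. No handshake is performed, so it runs offline.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsEndpointConfig {

    // Assumption for this example: only TLS 1.2 and 1.3 are acceptable.
    static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /**
     * Server side: require a client certificate. needClientAuth=true turns a
     * missing or unverifiable client certificate into a handshake failure,
     * whereas wantClientAuth=true would let an anonymous client through.
     * In JSSE, setting one of the two clears the other.
     */
    static SSLEngine configureServer(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(PROTOCOLS);
        engine.setNeedClientAuth(true);
        engine.setEnableSessionCreation(true); // keep resumption available
        return engine;
    }

    /**
     * Client side: passing host and port to createSSLEngine is what gives the
     * engine a name to send in SNI and to compare against the certificate.
     * Without endpoint identification the trust manager validates the chain
     * but nothing checks that the certificate is actually issued for `host`.
     */
    static SSLEngine configureClient(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(PROTOCOLS);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine server = configureServer(ctx);
        // "example.com" is a placeholder peer name for the illustration.
        SSLEngine client = configureClient(ctx, "example.com", 443);
        System.out.println("server needClientAuth=" + server.getNeedClientAuth()
                + " wantClientAuth=" + server.getWantClientAuth());
        System.out.println("client endpointIdentification="
                + client.getSSLParameters().getEndpointIdentificationAlgorithm()
                + " protocols=" + Arrays.toString(client.getEnabledProtocols()));
    }
}
```

        A common mistake is to configure a strict X509TrustManager and assume hostname verification comes with it; on an SSLEngine or a raw SSLSocket it does not, which is why the endpoint identification algorithm is set explicitly here.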
      • getClientKeyType

        public static String getClientKeyType​(byte clientCertificateType)
        Similar to getServerKeyType, but maps a TLS ClientCertificateType byte value from a CertificateRequest message to a key type usable with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.

        Visible for testing.

      • getSupportedClientKeyTypes

        public static Set<String> getSupportedClientKeyTypes​(byte[] clientCertificateTypes)
        Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
        Parameters:
        clientCertificateTypes - ClientCertificateType values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml.
        Returns:
        supported key types that can be used in X509KeyManager.chooseClientAlias and X509ExtendedKeyManager.chooseEngineClientAlias.

        Visible for testing.
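        To make the getClientKeyType / getSupportedClientKeyTypes step concrete, here is an added example (not Conscrypt's code) that walks the length-prefixed certificate_types vector of a TLS 1.2 CertificateRequest, maps each ClientCertificateType to a JSSE key-type name, and hands the result to X509KeyManager.chooseClientAlias. The numeric values are the IANA registry assignments (RFC 5246 §7.4.4, RFC 4492 §5.5); the mapping to "RSA"/"DSA"/"EC" and the decision to ignore the static (EC)DH types are this example's own choices, not a statement of what Conscrypt does. The sample vector is constructed.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.X509KeyManager;

public class ClientCertTypeMapping {

    // ClientCertificateType values from the IANA TLS parameters registry.
    static final byte RSA_SIGN = 1, DSS_SIGN = 2, RSA_FIXED_DH = 3, DSS_FIXED_DH = 4,
            ECDSA_SIGN = 64, RSA_FIXED_ECDH = 65, ECDSA_FIXED_ECDH = 66;

    /** Map one ClientCertificateType to a JSSE key-type name, or null if unsupported (example mapping). */
    static String clientKeyType(byte type) {
        switch (type) {
            case RSA_SIGN:   return "RSA";
            case DSS_SIGN:   return "DSA";
            case ECDSA_SIGN: return "EC";
            default:         return null; // static (EC)DH client certs: obsolete, not offered
        }
    }

    /**
     * Parse certificate_types<1..2^8-1> (one length byte, then the types) and
     * collect the distinct key types in the order the server listed them,
     * since chooseClientAlias treats that order as preference.
     */
    static Set<String> supportedClientKeyTypes(byte[] certificateTypesVector) {
        if (certificateTypesVector.length == 0) {
            throw new IllegalArgumentException("empty certificate_types vector");
        }
        int len = certificateTypesVector[0] & 0xff;
        if (len == 0 || len != certificateTypesVector.length - 1) {
            throw new IllegalArgumentException("certificate_types length mismatch");
        }
        Set<String> out = new LinkedHashSet<>();
        for (int i = 1; i <= len; i++) {
            String keyType = clientKeyType(certificateTypesVector[i]);
            if (keyType != null) {
                out.add(keyType);
            }
        }
        return out;
    }

    /** Pick a client alias; null means "send an empty Certificate message". */
    static String chooseAlias(X509KeyManager km, byte[] certificateTypesVector, Principal[] issuers) {
        Set<String> types = supportedClientKeyTypes(certificateTypesVector);
        if (types.isEmpty()) {
            return null;
        }
        return km.chooseClientAlias(types.toArray(new String[0]), issuers, null);
    }

    public static void main(String[] args) {
        // Constructed sample: certificate_types = { ecdsa_sign, rsa_sign, rsa_fixed_dh }
        byte[] vector = {3, ECDSA_SIGN, RSA_SIGN, RSA_FIXED_DH};
        System.out.println("key types offered to the key manager: " + supportedClientKeyTypes(vector));
    }
}
```

        Rejecting a malformed length byte up front matters because the vector comes straight from the peer; a lenient parser that silently reads past the declared length would let a server influence which keys the client considers.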
      • isCTVerificationEnabled

        public boolean isCTVerificationEnabled​(String hostname)
        Check if SCT verification is enforced for a given hostname. SCT Verification is enabled using Security properties. The "conscrypt.ct.enable" property must be true, as well as a per domain property. The reverse notation of the domain name, prefixed with "conscrypt.ct.enforce." is used as the property name. Basic globbing is also supported. For example, for the domain foo.bar.com, the following properties will be looked up, in order of precedence. - conscrypt.ct.enforce.com.bar.foo - conscrypt.ct.enforce.com.bar.* - conscrypt.ct.enforce.com.* - conscrypt.ct.enforce.*