Summary: Protected Ctors | Methods | Inherited Methods | [Expand All]

public abstract class

SSLSocket

extends Socket

java.lang.Object
↳	java.net.Socket
	↳	javax.net.ssl.SSLSocket

Known Direct Subclasses

SSLSocketImpl

Class Overview

This class extends Sockets and provides secure socket using protocols such as the "Secure Sockets Layer" (SSL) or IETF "Transport Layer Security" (TLS) protocols.

Such sockets are normal stream sockets, but they add a layer of security protections over the underlying network transport protocol, such as TCP. Those protections include:

Integrity Protection. SSL protects against modification of messages by an active wiretapper.
Authentication. In most modes, SSL provides peer authentication. Servers are usually authenticated, and clients may be authenticated as requested by servers.
Confidentiality (Privacy Protection). In most modes, SSL encrypts data being sent between client and server. This protects the confidentiality of data, so that passive wiretappers won't see sensitive data such as financial information or personal information of many kinds.

These kinds of protection are specified by a "cipher suite", which is a combination of cryptographic algorithms used by a given SSL connection. During the negotiation process, the two endpoints must agree on a ciphersuite that is available in both environments. If there is no such suite in common, no SSL connection can be established, and no data can be exchanged.

The cipher suite used is established by a negotiation process called "handshaking". The goal of this process is to create or rejoin a "session", which may protect many connections over time. After handshaking has completed, you can access session attributes by using the getSession method. The initial handshake on this connection can be initiated in one of three ways:

calling startHandshake which explicitly begins handshakes, or
any attempt to read or write application data on this socket causes an implicit handshake, or
a call to getSession tries to set up a session if there is no currently valid session, and an implicit handshake is done.

If handshaking fails for any reason, the SSLSocket is closed, and no futher communications can be done.

There are two groups of cipher suites which you will need to know about when managing cipher suites:

Supported cipher suites: all the suites which are supported by the SSL implementation. This list is reported using getSupportedCipherSuites.
Enabled cipher suites, which may be fewer than the full set of supported suites. This group is set using the setEnabledCipherSuites method, and queried using the getEnabledCipherSuites method. Initially, a default set of cipher suites will be enabled on a new socket that represents the minimum suggested configuration.

Implementation defaults require that only cipher suites which authenticate servers and provide confidentiality be enabled by default. Only if both sides explicitly agree to unauthenticated and/or non-private (unencrypted) communications will such a ciphersuite be selected.

When SSLSockets are first created, no handshaking is done so that applications may first set their communication preferences: what cipher suites to use, whether the socket should be in client or server mode, etc. However, security is always provided by the time that application data is sent over the connection.

You may register to receive event notification of handshake completion. This involves the use of two additional classes. HandshakeCompletedEvent objects are passed to HandshakeCompletedListener instances, which are registered by users of this API. SSLSockets are created by SSLSocketFactorys, or by accepting a connection from a SSLServerSocket.

A SSL socket must choose to operate in the client or server mode. This will determine who begins the handshaking process, as well as which messages should be sent by each party. Each connection must have one client and one server, or handshaking will not progress properly. Once the initial handshaking has started, a socket can not switch between client and server modes, even when performing renegotiations.

Summary

Protected Constructors
	SSLSocket() Used only by subclasses.
	SSLSocket(String host, int port) Used only by subclasses.
	SSLSocket(InetAddress address, int port) Used only by subclasses.
	SSLSocket(String host, int port, InetAddress clientAddress, int clientPort) Used only by subclasses.
	SSLSocket(InetAddress address, int port, InetAddress clientAddress, int clientPort) Used only by subclasses.

Public Methods
abstract void	addHandshakeCompletedListener(HandshakeCompletedListener listener) Registers an event listener to receive notifications that an SSL handshake has completed on this connection.
abstract boolean	getEnableSessionCreation() Returns true if new SSL sessions may be established by this socket.
abstract String[]	getEnabledCipherSuites() Returns the names of the SSL cipher suites which are currently enabled for use on this connection.
abstract String[]	getEnabledProtocols() Returns the names of the protocol versions which are currently enabled for use on this connection.
abstract boolean	getNeedClientAuth() Returns true if the socket will require client authentication.
SSLParameters	getSSLParameters() Returns the SSLParameters in effect for this SSLSocket.
abstract SSLSession	getSession() Returns the SSL Session in use by this connection.
abstract String[]	getSupportedCipherSuites() Returns the names of the cipher suites which could be enabled for use on this connection.
abstract String[]	getSupportedProtocols() Returns the names of the protocols which could be enabled for use on an SSL connection.
abstract boolean	getUseClientMode() Returns true if the socket is set to use client mode when handshaking.
abstract boolean	getWantClientAuth() Returns true if the socket will request client authentication.
abstract void	removeHandshakeCompletedListener(HandshakeCompletedListener listener) Removes a previously registered handshake completion listener.
abstract void	setEnableSessionCreation(boolean flag) Controls whether new SSL sessions may be established by this socket.
abstract void	setEnabledCipherSuites(String[] suites) Sets the cipher suites enabled for use on this connection.
abstract void	setEnabledProtocols(String[] protocols) Sets the protocol versions enabled for use on this connection.
abstract void	setNeedClientAuth(boolean need) Configures the socket to require client authentication.
void	setSSLParameters(SSLParameters params) Applies SSLParameters to this socket.
abstract void	setUseClientMode(boolean mode) Configures the socket to use client (or server) mode when handshaking.
abstract void	setWantClientAuth(boolean want) Configures the socket to request client authentication.
abstract void	startHandshake() Starts an SSL handshake on this connection.

[Expand]

Inherited Methods

From class java.net.Socket

void	bind(SocketAddress bindpoint) Binds the socket to a local address.
synchronized void	close() Closes this socket.
void	connect(SocketAddress endpoint, int timeout) Connects this socket to the server with a specified timeout value.
void	connect(SocketAddress endpoint) Connects this socket to the server.
SocketChannel	getChannel() Returns the unique `SocketChannel` object associated with this socket, if any.
InetAddress	getInetAddress() Returns the address to which the socket is connected.
InputStream	getInputStream() Returns an input stream for this socket.
boolean	getKeepAlive() Tests if SO_KEEPALIVE is enabled.
InetAddress	getLocalAddress() Gets the local address to which the socket is bound.
int	getLocalPort() Returns the local port number to which this socket is bound.
SocketAddress	getLocalSocketAddress() Returns the address of the endpoint this socket is bound to, or `null` if it is not bound yet.
boolean	getOOBInline() Tests if OOBINLINE is enabled.
OutputStream	getOutputStream() Returns an output stream for this socket.
int	getPort() Returns the remote port number to which this socket is connected.
synchronized int	getReceiveBufferSize() Gets the value of the SO_RCVBUF option for this `Socket`, that is the buffer size used by the platform for input on this `Socket`.
SocketAddress	getRemoteSocketAddress() Returns the address of the endpoint this socket is connected to, or `null` if it is unconnected.
boolean	getReuseAddress() Tests if SO_REUSEADDR is enabled.
synchronized int	getSendBufferSize() Get value of the SO_SNDBUF option for this `Socket`, that is the buffer size used by the platform for output on this `Socket`.
int	getSoLinger() Returns setting for SO_LINGER.
synchronized int	getSoTimeout() Returns setting for SO_TIMEOUT.
boolean	getTcpNoDelay() Tests if TCP_NODELAY is enabled.
int	getTrafficClass() Gets traffic class or type-of-service in the IP header for packets sent from this Socket As the underlying network implementation may ignore the traffic class or type-of-service set using `setTrafficClass(int)` this method may return a different value than was previously set using the `setTrafficClass(int)` method on this Socket.
boolean	isBound() Returns the binding state of the socket.
boolean	isClosed() Returns the closed state of the socket.
boolean	isConnected() Returns the connection state of the socket.
boolean	isInputShutdown() Returns whether the read-half of the socket connection is closed.
boolean	isOutputShutdown() Returns whether the write-half of the socket connection is closed.
void	sendUrgentData(int data) Send one byte of urgent data on the socket.
void	setKeepAlive(boolean on) Enable/disable SO_KEEPALIVE.
void	setOOBInline(boolean on) Enable/disable OOBINLINE (receipt of TCP urgent data) By default, this option is disabled and TCP urgent data received on a socket is silently discarded.
void	setPerformancePreferences(int connectionTime, int latency, int bandwidth) Sets performance preferences for this socket.
synchronized void	setReceiveBufferSize(int size) Sets the SO_RCVBUF option to the specified value for this `Socket`.
void	setReuseAddress(boolean on) Enable/disable the SO_REUSEADDR socket option.
synchronized void	setSendBufferSize(int size) Sets the SO_SNDBUF option to the specified value for this `Socket`.
void	setSoLinger(boolean on, int linger) Enable/disable SO_LINGER with the specified linger time in seconds.
synchronized void	setSoTimeout(int timeout) Enable/disable SO_TIMEOUT with the specified timeout, in milliseconds.
synchronized static void	setSocketImplFactory(SocketImplFactory fac) Sets the client socket implementation factory for the application.
void	setTcpNoDelay(boolean on) Enable/disable TCP_NODELAY (disable/enable Nagle's algorithm).
void	setTrafficClass(int tc) Sets traffic class or type-of-service octet in the IP header for packets sent from this Socket.
void	shutdownInput() Places the input stream for this socket at "end of stream".
void	shutdownOutput() Disables the output stream for this socket.
String	toString() Converts this socket to a `String`.

From class java.lang.Object

Object	clone() Creates and returns a copy of this object.
boolean	equals(Object obj) Indicates whether some other object is "equal to" this one.
void	finalize() Called by the garbage collector on an object when garbage collection determines that there are no more references to the object.
final Class<?>	getClass() Returns the runtime class of this `Object`.
int	hashCode() Returns a hash code value for the object.
final void	notify() Wakes up a single thread that is waiting on this object's monitor.
final void	notifyAll() Wakes up all threads that are waiting on this object's monitor.
String	toString() Returns a string representation of the object.
final void	wait() Causes the current thread to wait until another thread invokes the `notify()` method or the `notifyAll()` method for this object.
final void	wait(long timeout, int nanos) Causes the current thread to wait until another thread invokes the `notify()` method or the `notifyAll()` method for this object, or some other thread interrupts the current thread, or a certain amount of real time has elapsed.
final void	wait(long timeout) Causes the current thread to wait until either another thread invokes the `notify()` method or the `notifyAll()` method for this object, or a specified amount of time has elapsed.

Protected Constructors

protected SSLSocket ()

Used only by subclasses. Constructs an uninitialized, unconnected TCP socket.

protected SSLSocket (String host, int port)

Used only by subclasses. Constructs a TCP connection to a named host at a specified port. This acts as the SSL client.

Parameters

host	name of the host with which to connect
port	number of the server's port

Throws

IOException	if an I/O error occurs when creating the socket
UnknownHostException	if the host is not known

protected SSLSocket (InetAddress address, int port)

Used only by subclasses. Constructs a TCP connection to a server at a specified address and port. This acts as the SSL client.

Parameters

address	the server's host
port	its port

Throws

IOException	if an I/O error occurs when creating the socket

protected SSLSocket (String host, int port, InetAddress clientAddress, int clientPort)

Used only by subclasses. Constructs an SSL connection to a named host at a specified port, binding the client side of the connection a given address and port. This acts as the SSL client.

Parameters

host	name of the host with which to connect
port	number of the server's port
clientAddress	the client's host
clientPort	number of the client's port

Throws

IOException	if an I/O error occurs when creating the socket
UnknownHostException	if the host is not known

protected SSLSocket (InetAddress address, int port, InetAddress clientAddress, int clientPort)

Used only by subclasses. Constructs an SSL connection to a server at a specified address and TCP port, binding the client side of the connection a given address and port. This acts as the SSL client.

Parameters

address	the server's host
port	its port
clientAddress	the client's host
clientPort	number of the client's port

Throws

IOException	if an I/O error occurs when creating the socket

Public Methods

public abstract void addHandshakeCompletedListener (HandshakeCompletedListener listener)

Registers an event listener to receive notifications that an SSL handshake has completed on this connection.

Parameters

listener	the HandShake Completed event listener

Throws

IllegalArgumentException	if the argument is null.

public abstract boolean getEnableSessionCreation ()

Returns true if new SSL sessions may be established by this socket.

Returns

true indicates that sessions may be created; this is the default. false indicates that an existing session must be resumed

public abstract String[] getEnabledCipherSuites ()

Returns the names of the SSL cipher suites which are currently enabled for use on this connection. When an SSLSocket is first created, all enabled cipher suites support a minimum quality of service. Thus, in some environments this value might be empty.

Even if a suite has been enabled, it might never be used. (For example, the peer does not support it, the requisite certificates (and private keys) for the suite are not available, or an anonymous suite is enabled but authentication is required.

Returns

an array of cipher suite names

public abstract String[] getEnabledProtocols ()

Returns the names of the protocol versions which are currently enabled for use on this connection.

Returns

an array of protocols

public abstract boolean getNeedClientAuth ()

Returns true if the socket will require client authentication. This option is only useful to sockets in the server mode.

Returns

true if client authentication is required, or false if no client authentication is desired.

public SSLParameters getSSLParameters ()

Returns the SSLParameters in effect for this SSLSocket. The ciphersuites and protocols of the returned SSLParameters are always non-null.

Returns

the SSLParameters in effect for this SSLSocket.

public abstract SSLSession getSession ()

Returns the SSL Session in use by this connection. These can be long lived, and frequently correspond to an entire login session for some user. The session specifies a particular cipher suite which is being actively used by all connections in that session, as well as the identities of the session's client and server.

This method will initiate the initial handshake if necessary and then block until the handshake has been established.

If an error occurs during the initial handshake, this method returns an invalid session object which reports an invalid cipher suite of "SSL_NULL_WITH_NULL_NULL".

Returns

the SSLSession

public abstract String[] getSupportedCipherSuites ()

Returns the names of the cipher suites which could be enabled for use on this connection. Normally, only a subset of these will actually be enabled by default, since this list may include cipher suites which do not meet quality of service requirements for those defaults. Such cipher suites might be useful in specialized applications.

Returns

an array of cipher suite names

public abstract String[] getSupportedProtocols ()

Returns the names of the protocols which could be enabled for use on an SSL connection.

Returns

an array of protocols supported

public abstract boolean getUseClientMode ()

Returns true if the socket is set to use client mode when handshaking.

Returns

true if the socket should do handshaking in "client" mode

public abstract boolean getWantClientAuth ()

Returns true if the socket will request client authentication. This option is only useful for sockets in the server mode.

Returns

true if client authentication is requested, or false if no client authentication is desired.

public abstract void removeHandshakeCompletedListener (HandshakeCompletedListener listener)

Removes a previously registered handshake completion listener.

Parameters

listener	the HandShake Completed event listener

Throws

IllegalArgumentException	if the listener is not registered, or the argument is null.

public abstract void setEnableSessionCreation (boolean flag)

Controls whether new SSL sessions may be established by this socket. If session creations are not allowed, and there are no existing sessions to resume, there will be no successful handshaking.

Parameters

flag	true indicates that sessions may be created; this is the default. false indicates that an existing session must be resumed

public abstract void setEnabledCipherSuites (String[] suites)

Sets the cipher suites enabled for use on this connection.

Each cipher suite in the suites parameter must have been listed by getSupportedCipherSuites(), or the method will fail. Following a successful call to this method, only suites listed in the suites parameter are enabled for use.

See getEnabledCipherSuites() for more information on why a specific ciphersuite may never be used on a connection.

Parameters

suites	Names of all the cipher suites to enable

Throws

IllegalArgumentException	when one or more of the ciphers named by the parameter is not supported, or when the parameter is null.

public abstract void setEnabledProtocols (String[] protocols)

Sets the protocol versions enabled for use on this connection.

The protocols must have been listed by getSupportedProtocols() as being supported. Following a successful call to this method, only protocols listed in the protocols parameter are enabled for use.

Parameters

protocols	Names of all the protocols to enable.

Throws

IllegalArgumentException	when one or more of the protocols named by the parameter is not supported or when the protocols parameter is null.

public abstract void setNeedClientAuth (boolean need)

Configures the socket to require client authentication. This option is only useful for sockets in the server mode.

A socket's client authentication setting is one of the following:

client authentication required
client authentication requested
no client authentication desired

Unlike setWantClientAuth(boolean), if this option is set and the client chooses not to provide authentication information about itself, the negotiations will stop and the connection will be dropped.

Calling this method overrides any previous setting made by this method or setWantClientAuth(boolean).

Parameters

need	set to true if client authentication is required, or false if no client authentication is desired.

public void setSSLParameters (SSLParameters params)

Applies SSLParameters to this socket.

This means:

if params.getCipherSuites() is non-null, setEnabledCipherSuites() is called with that value
if params.getProtocols() is non-null, setEnabledProtocols() is called with that value
if params.getNeedClientAuth() or params.getWantClientAuth() return true, setNeedClientAuth(true) and setWantClientAuth(true) are called, respectively; otherwise setWantClientAuth(false) is called.

Parameters

params	the parameters

Throws

IllegalArgumentException	if the setEnabledCipherSuites() or the setEnabledProtocols() call fails

public abstract void setUseClientMode (boolean mode)

Configures the socket to use client (or server) mode when handshaking.

This method must be called before any handshaking occurs. Once handshaking has begun, the mode can not be reset for the life of this socket.

Servers normally authenticate themselves, and clients are not required to do so.

Parameters

mode	true if the socket should start its handshaking in "client" mode

Throws

IllegalArgumentException	if a mode change is attempted after the initial handshake has begun.

public abstract void setWantClientAuth (boolean want)

Configures the socket to request client authentication. This option is only useful for sockets in the server mode.

A socket's client authentication setting is one of the following:

client authentication required
client authentication requested
no client authentication desired

Unlike setNeedClientAuth(boolean), if this option is set and the client chooses not to provide authentication information about itself, the negotiations will continue.

Calling this method overrides any previous setting made by this method or setNeedClientAuth(boolean).

Parameters

want	set to true if client authentication is requested, or false if no client authentication is desired.

public abstract void startHandshake ()

Starts an SSL handshake on this connection. Common reasons include a need to use new encryption keys, to change cipher suites, or to initiate a new session. To force complete reauthentication, the current session could be invalidated before starting this handshake.

If data has already been sent on the connection, it continues to flow during this handshake. When the handshake completes, this will be signaled with an event. This method is synchronous for the initial handshake on a connection and returns when the negotiated handshake is complete. Some protocols may not support multiple handshakes on an existing socket and may throw an IOException.

Throws

IOException	on a network level error

Interfaces

Classes

Enums

Exceptions

SSLSocket

Class Overview

See Also

Summary

Protected Constructors

protected SSLSocket ()

protected SSLSocket (String host, int port)

Parameters

Throws

protected SSLSocket (InetAddress address, int port)

Parameters

Throws

protected SSLSocket (String host, int port, InetAddress clientAddress, int clientPort)

Parameters

Throws

protected SSLSocket (InetAddress address, int port, InetAddress clientAddress, int clientPort)

Parameters

Throws

Public Methods

public abstract void addHandshakeCompletedListener (HandshakeCompletedListener listener)

Parameters

Throws

See Also

public abstract boolean getEnableSessionCreation ()

Returns

See Also

public abstract String[] getEnabledCipherSuites ()

Returns

See Also

public abstract String[] getEnabledProtocols ()

Returns

See Also

public abstract boolean getNeedClientAuth ()

Returns

See Also

public SSLParameters getSSLParameters ()

Returns

public abstract SSLSession getSession ()

Returns

public abstract String[] getSupportedCipherSuites ()

Returns

See Also

public abstract String[] getSupportedProtocols ()

Returns

public abstract boolean getUseClientMode ()

Returns

See Also

public abstract boolean getWantClientAuth ()

Returns

See Also

public abstract void removeHandshakeCompletedListener (HandshakeCompletedListener listener)

Parameters

Throws

See Also

public abstract void setEnableSessionCreation (boolean flag)

Parameters

See Also

public abstract void setEnabledCipherSuites (String[] suites)

Parameters

Throws

See Also

public abstract void setEnabledProtocols (String[] protocols)

Parameters

Throws

See Also

public abstract void setNeedClientAuth (boolean need)

Parameters

See Also

public void setSSLParameters (SSLParameters params)

Parameters

Throws

public abstract void setUseClientMode (boolean mode)

Parameters

Throws

See Also

public abstract void setWantClientAuth (boolean want)