Interface SslConfig

All Known Subinterfaces:
ClientSslConfig, ServerSslConfig
All Known Implementing Classes:
DelegatingClientSslConfig, DelegatingServerSslConfig, DelegatingSslConfig

public interface SslConfig
Specifies the configuration for TLS/SSL.
  • Method Details

    • trustManagerFactory

      @Nullable TrustManagerFactory trustManagerFactory()
      Get the TrustManagerFactory used for verifying the remote endpoint's certificate.
      Returns:
      the TrustManagerFactory used for verifying the remote endpoint's certificate.
    • trustCertChainSupplier

      @Nullable Supplier<InputStream> trustCertChainSupplier()
      Get the trusted certificates for verifying the remote endpoint's certificate. The input stream should contain an X.509 certificate chain in PEM format.
      Returns:
      the trusted certificates for verifying the remote endpoint's certificate. The input stream should contain an X.509 certificate chain in PEM format.

      Each invocation of the Supplier should provide an independent instance of InputStream and the caller is responsible for invoking InputStream.close().

    • keyManagerFactory

      @Nullable KeyManagerFactory keyManagerFactory()
      Get the KeyManagerFactory to use for the SSL/TLS handshake.
      Returns:
      the KeyManagerFactory to use for the SSL/TLS handshake.
    • keyCertChainSupplier

      @Nullable Supplier<InputStream> keyCertChainSupplier()
      Get an InputStream which provides the X.509 certificate chain in PEM format associated with keySupplier().
      Returns:
      the certificate chain associated with keySupplier().

      Each invocation of the Supplier should provide an independent instance of InputStream and the caller is responsible for invoking InputStream.close().

    • keySupplier

      @Nullable Supplier<InputStream> keySupplier()
      Get an InputStream which provides a PKCS#8 private key in PEM format associated with keyCertChainSupplier().
      Returns:
      an InputStream which provides a PKCS#8 private key in PEM format associated with keyCertChainSupplier().

      Each invocation of the Supplier should provide an independent instance of InputStream and the caller is responsible for invoking InputStream.close().

    • keyPassword

      @Nullable String keyPassword()
      Get the password required to access the key material (e.g. from keySupplier()).
      Returns:
      the password required to access the key material (e.g. from keySupplier()).
    • sslProtocols

      @Nullable List<String> sslProtocols()
      Get the TLS protocols to enable, in the order of preference.
      Returns:
      the TLS protocols to enable, in the order of preference.
    • alpnProtocols

      @Nullable List<String> alpnProtocols()
      Get the TLS ALPN protocols.

      Note that each ALPN protocol typically requires corresponding configuration at the protocol layer and, as a result, may be inferred and overridden by the protocol layer.

      Returns:
      the TLS ALPN protocols.
    • ciphers

      @Nullable List<String> ciphers()
      Get the cipher suites to enable, in the order of preference.
      Returns:
      the cipher suites to enable, in the order of preference.
    • cipherSuiteFilter

      default SslConfig.CipherSuiteFilter cipherSuiteFilter()
      Defines filtering behavior for cipher suites.
      Returns:
      filtering behavior for cipher suites.
    • sessionCacheSize

      long sessionCacheSize()
      Get the size of the cache used for storing SSL session objects.
      Returns:
      the size of the cache used for storing SSL session objects.
    • sessionTimeout

      long sessionTimeout()
      Get the timeout for the cached SSL session objects, in seconds.
      Returns:
      the timeout for the cached SSL session objects, in seconds.
    • provider

      @Nullable SslProvider provider()
      Get the SslProvider to use.
      Returns:
      the SslProvider to use.
    • certificateCompressionAlgorithms

      @Nullable default List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms()
      Get the list of usable CertificateCompressionAlgorithms to advertise.

      If this method returns null (the default) or an empty list, no certificate compression algorithms are advertised during the TLS handshake, which effectively disables the feature. Note that even when they are advertised, the other side is not required by the RFC to compress, so certificates might still be sent uncompressed.

      Also note that this feature is only available with:

      Returns:
      the list of certificate compression algorithms to advertise.
    • handshakeTimeout

      default Duration handshakeTimeout()
      Get the timeout for the handshake process.

      Implementations can round the returned Duration to full time units, depending on their time granularity. Zero duration disables the timeout.

      Returns:
      the timeout for the handshake process or Duration.ZERO to disable it.
    • maxCertificateListBytes

      default int maxCertificateListBytes()
      Get the preferred maximum allowed size of the certificate chain in bytes. This may not be respected and depends on whether the SSLEngine supports this feature.
      Returns:
      Maximum number of bytes for the certificate chain, or <=0 to use the default limit.
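An added example of a minimal SslConfig implementation (not ServiceTalk's own code) that shows the Supplier contract stated above: every call to a supplier opens a fresh InputStream that the caller closes, protocols are listed in preference order, and the default methods (cipherSuiteFilter, handshakeTimeout, maxCertificateListBytes, certificateCompressionAlgorithms) are left to the interface. It assumes SslConfig and SslProvider live in io.servicetalk.transport.api (the package is not stated on this page) and uses hypothetical PEM file paths; a real application would normally implement ClientSslConfig or ServerSslConfig instead.

```java
import io.servicetalk.transport.api.SslConfig;   // package assumed, not stated on this page
import io.servicetalk.transport.api.SslProvider;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.List;
import java.util.function.Supplier;

/** SslConfig backed by PEM files on disk (hypothetical paths supplied by the caller). */
public final class PemFileSslConfig implements SslConfig {
    private final Path trustChainPem;   // X.509 chain used to verify the remote endpoint
    private final Path keyChainPem;     // X.509 chain for our own key
    private final Path keyPem;          // unencrypted PKCS#8 private key

    public PemFileSslConfig(Path trustChainPem, Path keyChainPem, Path keyPem) {
        this.trustChainPem = trustChainPem;
        this.keyChainPem = keyChainPem;
        this.keyPem = keyPem;
    }

    // Contract from the interface docs: each invocation returns an independent
    // InputStream, and the caller (not this class) is responsible for closing it.
    private static Supplier<InputStream> freshStream(Path pem) {
        return () -> {
            try {
                return Files.newInputStream(pem);
            } catch (IOException e) {
                throw new UncheckedIOException("cannot open PEM file " + pem, e);
            }
        };
    }

    @Override public TrustManagerFactory trustManagerFactory() { return null; } // PEM supplier is used instead
    @Override public Supplier<InputStream> trustCertChainSupplier() { return freshStream(trustChainPem); }
    @Override public KeyManagerFactory keyManagerFactory() { return null; }     // PEM suppliers are used instead
    @Override public Supplier<InputStream> keyCertChainSupplier() { return freshStream(keyChainPem); }
    @Override public Supplier<InputStream> keySupplier() { return freshStream(keyPem); }
    @Override public String keyPassword() { return null; }                      // key is not password protected
    // Preference order, and no legacy protocol versions enabled.
    @Override public List<String> sslProtocols() { return Arrays.asList("TLSv1.3", "TLSv1.2"); }
    @Override public List<String> alpnProtocols() { return null; }              // let the protocol layer infer ALPN
    @Override public List<String> ciphers() { return null; }                    // provider defaults, then cipherSuiteFilter()
    @Override public long sessionCacheSize() { return 1024; }                   // cached SSL session objects
    @Override public long sessionTimeout() { return 300; }                      // seconds
    @Override public SslProvider provider() { return null; }                    // library picks the provider
}
```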