Interface SslConfig
- All Known Subinterfaces: ClientSslConfig, ServerSslConfig
- All Known Implementing Classes: DelegatingClientSslConfig, DelegatingServerSslConfig, DelegatingSslConfig
Nested Class Summary
- static enum SslConfig.CipherSuiteFilter: Defines filtering logic for cipher suites.
Method Summary
- alpnProtocols(): Get the TLS ALPN protocols.
- default List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms(): Get the list of usable CertificateCompressionAlgorithms to advertise.
- ciphers(): Get the cipher suites to enable, in the order of preference.
- default SslConfig.CipherSuiteFilter cipherSuiteFilter(): Defines filtering behavior for cipher suites.
- default Duration handshakeTimeout(): Get the timeout for the handshake process.
- keyCertChainSupplier(): Get an InputStream which provides an X.509 certificate chain in PEM format associated with keySupplier().
- keyManagerFactory(): Get the KeyManagerFactory to use for the SSL/TLS handshake.
- keyPassword(): Get the password required to access the key material (e.g. from keySupplier()).
- keySupplier(): Get an InputStream which provides a PKCS#8 private key in PEM format associated with keyCertChainSupplier().
- default int maxCertificateListBytes(): Get the preferred maximum allowed size of the certificate chain in bytes.
- provider(): Get the SslProvider to use.
- long sessionCacheSize(): Get the size of the cache used for storing SSL session objects.
- long sessionTimeout(): Get the timeout for the cached SSL session objects, in seconds.
- sslProtocols(): Get the TLS protocols to enable, in the order of preference.
- trustCertChainSupplier(): Get the trusted certificates for verifying the remote endpoint's certificate.
- trustManagerFactory(): Get the TrustManagerFactory used for verifying the remote endpoint's certificate.

Method Details

trustManagerFactory
Get the TrustManagerFactory used for verifying the remote endpoint's certificate.
- Returns: the TrustManagerFactory used for verifying the remote endpoint's certificate.

trustCertChainSupplier
Get the trusted certificates for verifying the remote endpoint's certificate. The input stream should contain an X.509 certificate chain in PEM format.
- Returns: the trusted certificates for verifying the remote endpoint's certificate. The input stream should contain an X.509 certificate chain in PEM format. Each invocation of the Supplier should provide an independent instance of InputStream and the caller is responsible for invoking InputStream.close().

keyManagerFactory
Get the KeyManagerFactory to use for the SSL/TLS handshake.
- Returns: the KeyManagerFactory to use for the SSL/TLS handshake.

keyCertChainSupplier
Get an InputStream which provides an X.509 certificate chain in PEM format associated with keySupplier().
- Returns: the certificate chain associated with keySupplier(). Each invocation of the Supplier should provide an independent instance of InputStream and the caller is responsible for invoking InputStream.close().

keySupplier
Get an InputStream which provides a PKCS#8 private key in PEM format associated with keyCertChainSupplier().
- Returns: an InputStream which provides a PKCS#8 private key in PEM format associated with keyCertChainSupplier(). Each invocation of the Supplier should provide an independent instance of InputStream and the caller is responsible for invoking InputStream.close().

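The Supplier contract stated for trustCertChainSupplier(), keyCertChainSupplier() and keySupplier() above (a fresh InputStream on every invocation, closed by the caller) is easy to violate by capturing one stream. The following is an added illustration, not ServiceTalk code; PemSuppliers and its methods are hypothetical, and the PEM bytes are a constructed placeholder rather than a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.function.Supplier;

/** Hypothetical helpers showing the Supplier<InputStream> contract of the *Supplier() methods. */
public final class PemSuppliers {
    /** Correct: every invocation opens a fresh stream over the PEM file; the caller closes it. */
    public static Supplier<InputStream> fromFile(Path pemFile) {
        return () -> {
            try {
                return Files.newInputStream(pemFile);
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        };
    }
    /** Correct: every invocation returns a new stream over a private copy of the bytes. */
    public static Supplier<InputStream> fromBytes(byte[] pem) {
        byte[] copy = pem.clone();  // defensive copy: the caller cannot later alter what is served
        return () -> new ByteArrayInputStream(copy);
    }
    /** Wrong: a single stream shared by every invocation; the second consumer reads an exhausted stream. */
    public static Supplier<InputStream> sharedStream(byte[] pem) {
        InputStream shared = new ByteArrayInputStream(pem);
        return () -> shared;
    }
    /** How a consumer should use any of these: get a stream, read it, close it, on every use. */
    static int readLength(Supplier<InputStream> supplier) throws IOException {
        try (InputStream in = supplier.get()) {
            return in.readAllBytes().length;
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed placeholder with PEM framing only; not a real certificate.
        byte[] pem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERNOTAREALCERT\n-----END CERTIFICATE-----\n"
                .getBytes(StandardCharsets.US_ASCII);
        Supplier<InputStream> good = fromBytes(pem);
        System.out.println("fresh:  " + readLength(good) + " then " + readLength(good)); // same length twice
        Supplier<InputStream> bad = sharedStream(pem);
        System.out.println("shared: " + readLength(bad) + " then " + readLength(bad));   // second read is 0
    }
}
```

With a shared stream the second reader sees nothing, which in practice surfaces as a key or chain that loads once and then fails on reconnect or reload.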
keyPassword
Get the password required to access the key material (e.g. from keySupplier()).
- Returns: the password required to access the key material (e.g. from keySupplier()).

sslProtocols
Get the TLS protocols to enable, in the order of preference.
- Returns: the TLS protocols to enable, in the order of preference.

alpnProtocols
Get the TLS ALPN protocols. Note that each ALPN protocol typically requires corresponding configuration at the protocol layer and, as a result, may be inferred and overridden by the protocol layer.
- Returns: the TLS ALPN protocols.

ciphers
Get the cipher suites to enable, in the order of preference.
- Returns: the cipher suites to enable, in the order of preference.

cipherSuiteFilter
default SslConfig.CipherSuiteFilter cipherSuiteFilter()
Defines filtering behavior for cipher suites.
- Returns: filtering behavior for cipher suites.

sessionCacheSize
long sessionCacheSize()
Get the size of the cache used for storing SSL session objects.
- Returns: the size of the cache used for storing SSL session objects.

sessionTimeout
long sessionTimeout()
Get the timeout for the cached SSL session objects, in seconds.
- Returns: the timeout for the cached SSL session objects, in seconds.

provider
Get the SslProvider to use.
- Returns: the SslProvider to use.

certificateCompressionAlgorithms
default List<CertificateCompressionAlgorithm> certificateCompressionAlgorithms()
Get the list of usable CertificateCompressionAlgorithms to advertise. If this method returns null (by default) or an empty list, no certificate compression algorithms will be advertised during the TLS handshake, which effectively disables this feature. Note that even though they are advertised, the other side is not required by the RFC to compress, so certificates might still be sent uncompressed.
Also note that this feature is only available with:
- the BoringSSL implementation of SslProvider.OPENSSL. Provided compression algorithms are ignored when SslProvider.JDK is used.
- TLSv1.3 or above.
- Returns: the list of certificate compression algorithms to advertise.

handshakeTimeout
default Duration handshakeTimeout()
Get the timeout for the handshake process. Implementations can round the returned Duration to full time units, depending on their time granularity. Zero duration disables the timeout.
- Returns: the timeout for the handshake process, or Duration.ZERO to disable it.

maxCertificateListBytes
default int maxCertificateListBytes()
Get the preferred maximum allowed size of the certificate chain in bytes. This may not be respected and depends on whether the SSLEngine supports this feature.
- Returns: maximum number of bytes for the certificate chain, or <=0 to use the default limit.

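The caveats documented for certificateCompressionAlgorithms(), handshakeTimeout() and maxCertificateListBytes() are silent at runtime, so they are worth checking at configuration-review time. The helper below is an added example, not part of ServiceTalk; it assumes SslConfig and SslProvider live in io.servicetalk.transport.api, that sslProtocols() returns a nullable List<String> (null meaning the provider's defaults), and that provider() may return null for the default provider.

```java
import io.servicetalk.transport.api.SslConfig;
import io.servicetalk.transport.api.SslProvider;

import java.time.Duration;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical review helper: reports SslConfig settings whose documented caveats are easy to miss. */
public final class SslConfigLint {

    /** Returns human-readable findings; an empty list means nothing was flagged. */
    public static List<String> lint(SslConfig config) {
        List<String> findings = new ArrayList<>();

        // certificateCompressionAlgorithms(): honoured only by the BoringSSL build of
        // SslProvider.OPENSSL with TLSv1.3 or above; silently ignored under SslProvider.JDK.
        var algorithms = config.certificateCompressionAlgorithms();   // assumed nullable
        if (algorithms != null && !algorithms.isEmpty()) {
            if (config.provider() == SslProvider.JDK) {
                findings.add("certificate compression configured but ignored by SslProvider.JDK");
            }
            List<String> protocols = config.sslProtocols();           // assumed: null = provider defaults
            if (protocols != null && !protocols.contains("TLSv1.3")) {
                findings.add("certificate compression needs TLSv1.3, which is absent from sslProtocols()");
            }
        }

        // handshakeTimeout(): Duration.ZERO disables the timeout, so a peer that stalls
        // mid-handshake keeps the connection and its resources open indefinitely.
        Duration timeout = config.handshakeTimeout();
        if (timeout.isZero()) {
            findings.add("handshake timeout disabled (Duration.ZERO)");
        }

        // maxCertificateListBytes(): <=0 defers to the default limit, and even a positive
        // value is only honoured if the SSLEngine supports the feature.
        if (config.maxCertificateListBytes() <= 0) {
            findings.add("maxCertificateListBytes() <= 0: relying on the default chain size limit");
        }
        return findings;
    }
}
```

A null provider() cannot be classified here, so the JDK check only fires when the provider is set explicitly.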