1
/*
2
 * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26

27
package javax.net.ssl;
28

29
import java.io.IOException;
30
import java.net.*;
31
import java.util.List;
32
import java.util.function.BiFunction;
33

34
/**
35
 * This class extends <code>Socket</code>s and provides secure
36
 * socket using protocols such as the "Secure
37
 * Sockets Layer" (SSL) or IETF "Transport Layer Security" (TLS) protocols.
38
 * <P>
39
 * Such sockets are normal stream sockets, but they
40
 * add a layer of security protections over the underlying network transport
41
 * protocol, such as TCP.  Those protections include: <UL>
42
 *
43
 *      <LI> <em>Integrity Protection</em>.  SSL protects against
44
 *      modification of messages by an active wiretapper.
45
 *
46
 *      <LI> <em>Authentication</em>.  In most modes, SSL provides
47
 *      peer authentication.  Servers are usually authenticated,
48
 *      and clients may be authenticated as requested by servers.
49
 *
50
 *      <LI> <em>Confidentiality (Privacy Protection)</em>.  In most
51
 *      modes, SSL encrypts data being sent between client and server.
52
 *      This protects the confidentiality of data, so that passive
53
 *      wiretappers won't see sensitive data such as financial
54
 *      information or personal information of many kinds.
55
 *
56
 *      </UL>
57
 *
58
 * <P>These kinds of protection are specified by a "cipher suite", which
59
 * is a combination of cryptographic algorithms used by a given SSL connection.
60
 * During the negotiation process, the two endpoints must agree on
61
 * a ciphersuite that is available in both environments.
62
 * If there is no such suite in common, no SSL connection can
63
 * be established, and no data can be exchanged.
64
 *
65
 * <P> The cipher suite used is established by a negotiation process
66
 * called "handshaking".  The goal of this
67
 * process is to create or rejoin a "session", which may protect many
68
 * connections over time.  After handshaking has completed, you can access
69
 * session attributes by using the <em>getSession</em> method.
70
 * The initial handshake on this connection can be initiated in
71
 * one of three ways: <UL>
72
 *
73
 *      <LI> calling <code>startHandshake</code> which explicitly
74
 *              begins handshakes, or
75
 *      <LI> any attempt to read or write application data on
76
 *              this socket causes an implicit handshake, or
77
 *      <LI> a call to <code>getSession</code> tries to set up a session
78
 *              if there is no currently valid session, and
79
 *              an implicit handshake is done.
80
 * </UL>
81
 *
82
 * <P>If handshaking fails for any reason, the <code>SSLSocket</code>
83
 * is closed, and no further communications can be done.
84
 *
85
 * <P>There are two groups of cipher suites which you will need to know
86
 * about when managing cipher suites: <UL>
87
 *
88
 *      <LI> <em>Supported</em> cipher suites:  all the suites which are
89
 *      supported by the SSL implementation.  This list is reported
90
 *      using <em>getSupportedCipherSuites</em>.
91
 *
92
 *      <LI> <em>Enabled</em> cipher suites, which may be fewer
93
 *      than the full set of supported suites.  This group is
94
 *      set using the <em>setEnabledCipherSuites</em> method, and
95
 *      queried using the <em>getEnabledCipherSuites</em> method.
96
 *      Initially, a default set of cipher suites will be enabled on
97
 *      a new socket that represents the minimum suggested configuration.
98
 *
99
 *      </UL>
100
 *
101
 * <P> Implementation defaults require that only cipher
102
 * suites which authenticate servers and provide confidentiality
103
 * be enabled by default.
104
 * Only if both sides explicitly agree to unauthenticated and/or
105
 * non-private (unencrypted) communications will such a ciphersuite be
106
 * selected.
107
 *
108
 * <P>When <code>SSLSocket</code>s are first created, no handshaking
109
 * is done so that applications may first set their communication
110
 * preferences:  what cipher suites to use, whether the socket should be
111
 * in client or server mode, etc.
112
 * However, security is always provided by the time that application data
113
 * is sent over the connection.
114
 *
115
 * <P> You may register to receive event notification of handshake
116
 * completion.  This involves
117
 * the use of two additional classes.  <em>HandshakeCompletedEvent</em>
118
 * objects are passed to <em>HandshakeCompletedListener</em> instances,
119
 * which are registered by users of this API.
120
 *
121
 * <code>SSLSocket</code>s are created by <code>SSLSocketFactory</code>s,
122
 * or by <code>accept</code>ing a connection from a
123
 * <code>SSLServerSocket</code>.
124
 *
125
 * <P>A SSL socket must choose to operate in the client or server mode.
126
 * This will determine who begins the handshaking process, as well
127
 * as which messages should be sent by each party.  Each
128
 * connection must have one client and one server, or handshaking
129
 * will not progress properly.  Once the initial handshaking has started, a
130
 * socket can not switch between client and server modes, even when
131
 * performing renegotiations.
132
 *
133
 * @see java.net.Socket
134
 * @see SSLServerSocket
135
 * @see SSLSocketFactory
136
 *
137
 * @since 1.4
138
 * @author David Brownell
139
 */
140
public abstract class SSLSocket extends Socket
141
{
142
    /**
143
     * Used only by subclasses.
144
     * Constructs an uninitialized, unconnected TCP socket.
145
     */
146
    protected SSLSocket()
147
        { super(); }
148

149

150
    /**
151
     * Used only by subclasses.
152
     * Constructs a TCP connection to a named host at a specified port.
153
     * This acts as the SSL client.
154
     * <p>
155
     * If there is a security manager, its <code>checkConnect</code>
156
     * method is called with the host address and <code>port</code>
157
     * as its arguments. This could result in a SecurityException.
158
     *
159
     * @param host name of the host with which to connect, or
160
     *        <code>null</code> for the loopback address.
161
     * @param port number of the server's port
162
     * @throws IOException if an I/O error occurs when creating the socket
163
     * @throws SecurityException if a security manager exists and its
164
     *         <code>checkConnect</code> method doesn't allow the operation.
165
     * @throws UnknownHostException if the host is not known
166
     * @throws IllegalArgumentException if the port parameter is outside the
167
     *         specified range of valid port values, which is between 0 and
168
     *         65535, inclusive.
169
     * @see SecurityManager#checkConnect
170
     */
171
    protected SSLSocket(String host, int port)
172
    throws IOException, UnknownHostException
173
        { super(host, port); }
174

175

176
    /**
177
     * Used only by subclasses.
178
     * Constructs a TCP connection to a server at a specified address
179
     * and port.  This acts as the SSL client.
180
     * <p>
181
     * If there is a security manager, its <code>checkConnect</code>
182
     * method is called with the host address and <code>port</code>
183
     * as its arguments. This could result in a SecurityException.
184
     *
185
     * @param address the server's host
186
     * @param port its port
187
     * @throws IOException if an I/O error occurs when creating the socket
188
     * @throws SecurityException if a security manager exists and its
189
     *         <code>checkConnect</code> method doesn't allow the operation.
190
     * @throws IllegalArgumentException if the port parameter is outside the
191
     *         specified range of valid port values, which is between 0 and
192
     *         65535, inclusive.
193
     * @throws NullPointerException if <code>address</code> is null.
194
     * @see SecurityManager#checkConnect
195
     */
196
    protected SSLSocket(InetAddress address, int port)
197
    throws IOException
198
        { super(address, port); }
199

200

201
    /**
202
     * Used only by subclasses.
203
     * Constructs an SSL connection to a named host at a specified port,
204
     * binding the client side of the connection a given address and port.
205
     * This acts as the SSL client.
206
     * <p>
207
     * If there is a security manager, its <code>checkConnect</code>
208
     * method is called with the host address and <code>port</code>
209
     * as its arguments. This could result in a SecurityException.
210
     *
211
     * @param host name of the host with which to connect, or
212
     *        <code>null</code> for the loopback address.
213
     * @param port number of the server's port
214
     * @param clientAddress the client's address the socket is bound to, or
215
     *        <code>null</code> for the <code>anyLocal</code> address.
216
     * @param clientPort the client's port the socket is bound to, or
217
     *        <code>zero</code> for a system selected free port.
218
     * @throws IOException if an I/O error occurs when creating the socket
219
     * @throws SecurityException if a security manager exists and its
220
     *         <code>checkConnect</code> method doesn't allow the operation.
221
     * @throws UnknownHostException if the host is not known
222
     * @throws IllegalArgumentException if the port parameter or clientPort
223
     *         parameter is outside the specified range of valid port values,
224
     *         which is between 0 and 65535, inclusive.
225
     * @see SecurityManager#checkConnect
226
     */
227
    protected SSLSocket(String host, int port,
228
        InetAddress clientAddress, int clientPort)
229
    throws IOException, UnknownHostException
230
        { super(host, port, clientAddress, clientPort); }
231

232

233
    /**
234
     * Used only by subclasses.
235
     * Constructs an SSL connection to a server at a specified address
236
     * and TCP port, binding the client side of the connection a given
237
     * address and port.  This acts as the SSL client.
238
     * <p>
239
     * If there is a security manager, its <code>checkConnect</code>
240
     * method is called with the host address and <code>port</code>
241
     * as its arguments. This could result in a SecurityException.
242
     *
243
     * @param address the server's host
244
     * @param port its port
245
     * @param clientAddress the client's address the socket is bound to, or
246
     *        <code>null</code> for the <code>anyLocal</code> address.
247
     * @param clientPort the client's port the socket is bound to, or
248
     *        <code>zero</code> for a system selected free port.
249
     * @throws IOException if an I/O error occurs when creating the socket
250
     * @throws SecurityException if a security manager exists and its
251
     *         <code>checkConnect</code> method doesn't allow the operation.
252
     * @throws IllegalArgumentException if the port parameter or clientPort
253
     *         parameter is outside the specified range of valid port values,
254
     *         which is between 0 and 65535, inclusive.
255
     * @throws NullPointerException if <code>address</code> is null.
256
     * @see SecurityManager#checkConnect
257
     */
258
    protected SSLSocket(InetAddress address, int port,
259
        InetAddress clientAddress, int clientPort)
260
    throws IOException
261
        { super(address, port, clientAddress, clientPort); }
262

263

264
    /**
265
     * Returns the names of the cipher suites which could be enabled for use
266
     * on this connection.  Normally, only a subset of these will actually
267
     * be enabled by default, since this list may include cipher suites which
268
     * do not meet quality of service requirements for those defaults.  Such
269
     * cipher suites might be useful in specialized applications.
270
     *
271
     * @return an array of cipher suite names
272
     * @see #getEnabledCipherSuites()
273
     * @see #setEnabledCipherSuites(String [])
274
     */
275
    public abstract String [] getSupportedCipherSuites();
276

277

278
    /**
279
     * Returns the names of the SSL cipher suites which are currently
280
     * enabled for use on this connection.  When an SSLSocket is first
281
     * created, all enabled cipher suites support a minimum quality of
282
     * service.  Thus, in some environments this value might be empty.
283
     * <P>
284
     * Even if a suite has been enabled, it might never be used.  (For
285
     * example, the peer does not support it, the requisite certificates
286
     * (and private keys) for the suite are not available, or an
287
     * anonymous suite is enabled but authentication is required.
288
     *
289
     * @return an array of cipher suite names
290
     * @see #getSupportedCipherSuites()
291
     * @see #setEnabledCipherSuites(String [])
292
     */
293
    public abstract String [] getEnabledCipherSuites();
294

295

296
    /**
297
     * Sets the cipher suites enabled for use on this connection.
298
     * <P>
299
     * Each cipher suite in the <code>suites</code> parameter must have
300
     * been listed by getSupportedCipherSuites(), or the method will
301
     * fail.  Following a successful call to this method, only suites
302
     * listed in the <code>suites</code> parameter are enabled for use.
303
     * <P>
304
     * See {@link #getEnabledCipherSuites()} for more information
305
     * on why a specific ciphersuite may never be used on a connection.
306
     *
307
     * @param suites Names of all the cipher suites to enable
308
     * @throws IllegalArgumentException when one or more of the ciphers
309
     *          named by the parameter is not supported, or when the
310
     *          parameter is null.
311
     * @see #getSupportedCipherSuites()
312
     * @see #getEnabledCipherSuites()
313
     */
314
    public abstract void setEnabledCipherSuites(String suites []);
315

316

317
    /**
318
     * Returns the names of the protocols which could be enabled for use
319
     * on an SSL connection.
320
     *
321
     * @return an array of protocols supported
322
     */
323
    public abstract String [] getSupportedProtocols();
324

325

326
    /**
327
     * Returns the names of the protocol versions which are currently
328
     * enabled for use on this connection.
329
     * @see #setEnabledProtocols(String [])
330
     * @return an array of protocols
331
     */
332
    public abstract String [] getEnabledProtocols();
333

334

335
    /**
336
     * Sets the protocol versions enabled for use on this connection.
337
     * <P>
338
     * The protocols must have been listed by
339
     * <code>getSupportedProtocols()</code> as being supported.
340
     * Following a successful call to this method, only protocols listed
341
     * in the <code>protocols</code> parameter are enabled for use.
342
     *
343
     * @param protocols Names of all the protocols to enable.
344
     * @throws IllegalArgumentException when one or more of
345
     *            the protocols named by the parameter is not supported or
346
     *            when the protocols parameter is null.
347
     * @see #getEnabledProtocols()
348
     */
349
    public abstract void setEnabledProtocols(String protocols[]);
350

351

352
    /**
353
     * Returns the SSL Session in use by this connection.  These can
354
     * be long lived, and frequently correspond to an entire login session
355
     * for some user.  The session specifies a particular cipher suite
356
     * which is being actively used by all connections in that session,
357
     * as well as the identities of the session's client and server.
358
     * <P>
359
     * This method will initiate the initial handshake if
360
     * necessary and then block until the handshake has been
361
     * established.
362
     * <P>
363
     * If an error occurs during the initial handshake, this method
364
     * returns an invalid session object which reports an invalid
365
     * cipher suite of "SSL_NULL_WITH_NULL_NULL".
366
     *
367
     * @return the <code>SSLSession</code>
368
     */
369
    public abstract SSLSession getSession();
370

371

372
    /**
373
     * Returns the {@code SSLSession} being constructed during a SSL/TLS
374
     * handshake.
375
     * <p>
376
     * TLS protocols may negotiate parameters that are needed when using
377
     * an instance of this class, but before the {@code SSLSession} has
378
     * been completely initialized and made available via {@code getSession}.
379
     * For example, the list of valid signature algorithms may restrict
380
     * the type of certificates that can used during TrustManager
381
     * decisions, or the maximum TLS fragment packet sizes can be
382
     * resized to better support the network environment.
383
     * <p>
384
     * This method provides early access to the {@code SSLSession} being
385
     * constructed.  Depending on how far the handshake has progressed,
386
     * some data may not yet be available for use.  For example, if a
387
     * remote server will be sending a Certificate chain, but that chain
388
     * has yet not been processed, the {@code getPeerCertificates}
389
     * method of {@code SSLSession} will throw a
390
     * SSLPeerUnverifiedException.  Once that chain has been processed,
391
     * {@code getPeerCertificates} will return the proper value.
392
     * <p>
393
     * Unlike {@link #getSession()}, this method does not initiate the
394
     * initial handshake and does not block until handshaking is
395
     * complete.
396
     *
397
     * @see SSLEngine
398
     * @see SSLSession
399
     * @see ExtendedSSLSession
400
     * @see X509ExtendedKeyManager
401
     * @see X509ExtendedTrustManager
402
     *
403
     * @return null if this instance is not currently handshaking, or
404
     *         if the current handshake has not progressed far enough to
405
     *         create a basic SSLSession.  Otherwise, this method returns the
406
     *         {@code SSLSession} currently being negotiated.
407
     * @throws UnsupportedOperationException if the underlying provider
408
     *         does not implement the operation.
409
     *
410
     * @since 1.7
411
     */
412
    public SSLSession getHandshakeSession() {
413
        throw new UnsupportedOperationException();
414
    }
415

416

417
    /**
418
     * Registers an event listener to receive notifications that an
419
     * SSL handshake has completed on this connection.
420
     *
421
     * @param listener the HandShake Completed event listener
422
     * @see #startHandshake()
423
     * @see #removeHandshakeCompletedListener(HandshakeCompletedListener)
424
     * @throws IllegalArgumentException if the argument is null.
425
     */
426
    public abstract void addHandshakeCompletedListener(
427
        HandshakeCompletedListener listener);
428

429

430
    /**
431
     * Removes a previously registered handshake completion listener.
432
     *
433
     * @param listener the HandShake Completed event listener
434
     * @throws IllegalArgumentException if the listener is not registered,
435
     * or the argument is null.
436
     * @see #addHandshakeCompletedListener(HandshakeCompletedListener)
437
     */
438
    public abstract void removeHandshakeCompletedListener(
439
        HandshakeCompletedListener listener);
440

441

442
    /**
443
     * Starts an SSL handshake on this connection.  Common reasons include
444
     * a need to use new encryption keys, to change cipher suites, or to
445
     * initiate a new session.  To force complete reauthentication, the
446
     * current session could be invalidated before starting this handshake.
447
     *
448
     * <P> If data has already been sent on the connection, it continues
449
     * to flow during this handshake.  When the handshake completes, this
450
     * will be signaled with an event.
451
     *
452
     * This method is synchronous for the initial handshake on a connection
453
     * and returns when the negotiated handshake is complete. Some
454
     * protocols may not support multiple handshakes on an existing socket
455
     * and may throw an IOException.
456
     *
457
     * @throws IOException on a network level error
458
     * @see #addHandshakeCompletedListener(HandshakeCompletedListener)
459
     */
460
    public abstract void startHandshake() throws IOException;
461

462

463
    /**
464
     * Configures the socket to use client (or server) mode when
465
     * handshaking.
466
     * <P>
467
     * This method must be called before any handshaking occurs.
468
     * Once handshaking has begun, the mode can not be reset for the
469
     * life of this socket.
470
     * <P>
471
     * Servers normally authenticate themselves, and clients
472
     * are not required to do so.
473
     *
474
     * @param mode true if the socket should start its handshaking
475
     *          in "client" mode
476
     * @throws IllegalArgumentException if a mode change is attempted
477
     *          after the initial handshake has begun.
478
     * @see #getUseClientMode()
479
     */
480
    public abstract void setUseClientMode(boolean mode);
481

482

483
    /**
484
     * Returns true if the socket is set to use client mode when
485
     * handshaking.
486
     *
487
     * @return true if the socket should do handshaking
488
     *          in "client" mode
489
     * @see #setUseClientMode(boolean)
490
     */
491
    public abstract boolean getUseClientMode();
492

493

494
    /**
495
     * Configures the socket to <i>require</i> client authentication.  This
496
     * option is only useful for sockets in the server mode.
497
     * <P>
498
     * A socket's client authentication setting is one of the following:
499
     * <ul>
500
     * <li> client authentication required
501
     * <li> client authentication requested
502
     * <li> no client authentication desired
503
     * </ul>
504
     * <P>
505
     * Unlike {@link #setWantClientAuth(boolean)}, if this option is set and
506
     * the client chooses not to provide authentication information
507
     * about itself, <i>the negotiations will stop and the connection
508
     * will be dropped</i>.
509
     * <P>
510
     * Calling this method overrides any previous setting made by
511
     * this method or {@link #setWantClientAuth(boolean)}.
512
     *
513
     * @param   need set to true if client authentication is required,
514
     *          or false if no client authentication is desired.
515
     * @see #getNeedClientAuth()
516
     * @see #setWantClientAuth(boolean)
517
     * @see #getWantClientAuth()
518
     * @see #setUseClientMode(boolean)
519
     */
520
    public abstract void setNeedClientAuth(boolean need);
521

522

523
    /**
524
     * Returns true if the socket will <i>require</i> client authentication.
525
     * This option is only useful to sockets in the server mode.
526
     *
527
     * @return  true if client authentication is required,
528
     *          or false if no client authentication is desired.
529
     * @see #setNeedClientAuth(boolean)
530
     * @see #setWantClientAuth(boolean)
531
     * @see #getWantClientAuth()
532
     * @see #setUseClientMode(boolean)
533
     */
534
    public abstract boolean getNeedClientAuth();
535

536

537
    /**
538
     * Configures the socket to <i>request</i> client authentication.
539
     * This option is only useful for sockets in the server mode.
540
     * <P>
541
     * A socket's client authentication setting is one of the following:
542
     * <ul>
543
     * <li> client authentication required
544
     * <li> client authentication requested
545
     * <li> no client authentication desired
546
     * </ul>
547
     * <P>
548
     * Unlike {@link #setNeedClientAuth(boolean)}, if this option is set and
549
     * the client chooses not to provide authentication information
550
     * about itself, <i>the negotiations will continue</i>.
551
     * <P>
552
     * Calling this method overrides any previous setting made by
553
     * this method or {@link #setNeedClientAuth(boolean)}.
554
     *
555
     * @param   want set to true if client authentication is requested,
556
     *          or false if no client authentication is desired.
557
     * @see #getWantClientAuth()
558
     * @see #setNeedClientAuth(boolean)
559
     * @see #getNeedClientAuth()
560
     * @see #setUseClientMode(boolean)
561
     */
562
    public abstract void setWantClientAuth(boolean want);
563

564

565
    /**
566
     * Returns true if the socket will <i>request</i> client authentication.
567
     * This option is only useful for sockets in the server mode.
568
     *
569
     * @return  true if client authentication is requested,
570
     *          or false if no client authentication is desired.
571
     * @see #setNeedClientAuth(boolean)
572
     * @see #getNeedClientAuth()
573
     * @see #setWantClientAuth(boolean)
574
     * @see #setUseClientMode(boolean)
575
     */
576
    public abstract boolean getWantClientAuth();
577

578

579
    /**
580
     * Controls whether new SSL sessions may be established by this socket.
581
     * If session creations are not allowed, and there are no
582
     * existing sessions to resume, there will be no successful
583
     * handshaking.
584
     *
585
     * @param flag true indicates that sessions may be created; this
586
     *          is the default.  false indicates that an existing session
587
     *          must be resumed
588
     * @see #getEnableSessionCreation()
589
     */
590
    public abstract void setEnableSessionCreation(boolean flag);
591

592

593
    /**
594
     * Returns true if new SSL sessions may be established by this socket.
595
     *
596
     * @return true indicates that sessions may be created; this
597
     *          is the default.  false indicates that an existing session
598
     *          must be resumed
599
     * @see #setEnableSessionCreation(boolean)
600
     */
601
    public abstract boolean getEnableSessionCreation();
602

603
    /**
604
     * Returns the SSLParameters in effect for this SSLSocket.
605
     * The ciphersuites and protocols of the returned SSLParameters
606
     * are always non-null.
607
     *
608
     * @return the SSLParameters in effect for this SSLSocket.
609
     * @since 1.6
610
     */
611
    public SSLParameters getSSLParameters() {
612
        SSLParameters params = new SSLParameters();
613
        params.setCipherSuites(getEnabledCipherSuites());
614
        params.setProtocols(getEnabledProtocols());
615
        if (getNeedClientAuth()) {
616
            params.setNeedClientAuth(true);
617
        } else if (getWantClientAuth()) {
618
            params.setWantClientAuth(true);
619
        }
620
        return params;
621
    }
622

623
    /**
624
     * Applies SSLParameters to this socket.
625
     *
626
     * <p>This means:
627
     * <ul>
628
     * <li>If {@code params.getCipherSuites()} is non-null,
629
     *   {@code setEnabledCipherSuites()} is called with that value.</li>
630
     * <li>If {@code params.getProtocols()} is non-null,
631
     *   {@code setEnabledProtocols()} is called with that value.</li>
632
     * <li>If {@code params.getNeedClientAuth()} or
633
     *   {@code params.getWantClientAuth()} return {@code true},
634
     *   {@code setNeedClientAuth(true)} and
635
     *   {@code setWantClientAuth(true)} are called, respectively;
636
     *   otherwise {@code setWantClientAuth(false)} is called.</li>
637
     * <li>If {@code params.getServerNames()} is non-null, the socket will
638
     *   configure its server names with that value.</li>
639
     * <li>If {@code params.getSNIMatchers()} is non-null, the socket will
640
     *   configure its SNI matchers with that value.</li>
641
     * </ul>
642
     *
643
     * @param params the parameters
644
     * @throws IllegalArgumentException if the setEnabledCipherSuites() or
645
     *    the setEnabledProtocols() call fails
646
     * @since 1.6
647
     */
648
    public void setSSLParameters(SSLParameters params) {
649
        String[] s;
650
        s = params.getCipherSuites();
651
        if (s != null) {
652
            setEnabledCipherSuites(s);
653
        }
654
        s = params.getProtocols();
655
        if (s != null) {
656
            setEnabledProtocols(s);
657
        }
658
        if (params.getNeedClientAuth()) {
659
            setNeedClientAuth(true);
660
        } else if (params.getWantClientAuth()) {
661
            setWantClientAuth(true);
662
        } else {
663
            setWantClientAuth(false);
664
        }
665
    }
666

667
    /**
668
     * Returns the most recent application protocol value negotiated for this
669
     * connection.
670
     * <p>
671
     * If supported by the underlying SSL/TLS/DTLS implementation,
672
     * application name negotiation mechanisms such as <a
673
     * href="http://www.ietf.org/rfc/rfc7301.txt"> RFC 7301 </a>, the
674
     * Application-Layer Protocol Negotiation (ALPN), can negotiate
675
     * application-level values between peers.
676
     *
677
     * @implSpec
678
     * The implementation in this class throws
679
     * {@code UnsupportedOperationException} and performs no other action.
680
     *
681
     * @return null if it has not yet been determined if application
682
     *         protocols might be used for this connection, an empty
683
     *         {@code String} if application protocols values will not
684
     *         be used, or a non-empty application protocol {@code String}
685
     *         if a value was successfully negotiated.
686
     * @throws UnsupportedOperationException if the underlying provider
687
     *         does not implement the operation.
688
     * @since 8
689
     */
690
    public String getApplicationProtocol() {
691
        throw new UnsupportedOperationException();
692
    }
693

694
    /**
695
     * Returns the application protocol value negotiated on a SSL/TLS
696
     * handshake currently in progress.
697
     * <p>
698
     * Like {@link #getHandshakeSession()},
699
     * a connection may be in the middle of a handshake. The
700
     * application protocol may or may not yet be available.
701
     *
702
     * @implSpec
703
     * The implementation in this class throws
704
     * {@code UnsupportedOperationException} and performs no other action.
705
     *
706
     * @return null if it has not yet been determined if application
707
     *         protocols might be used for this handshake, an empty
708
     *         {@code String} if application protocols values will not
709
     *         be used, or a non-empty application protocol {@code String}
710
     *         if a value was successfully negotiated.
711
     * @throws UnsupportedOperationException if the underlying provider
712
     *         does not implement the operation.
713
     * @since 8
714
     */
715
    public String getHandshakeApplicationProtocol() {
716
        throw new UnsupportedOperationException();
717
    }
718

719

720
    /**
721
     * Registers a callback function that selects an application protocol
722
     * value for a SSL/TLS/DTLS handshake.
723
     * The function overrides any values supplied using
724
     * {@link SSLParameters#setApplicationProtocols
725
     * SSLParameters.setApplicationProtocols} and it supports the following
726
     * type parameters:
727
     * <blockquote>
728
     * <dl>
729
     * <dt> {@code SSLSocket}
730
     * <dd> The function's first argument allows the current {@code SSLSocket}
731
     *      to be inspected, including the handshake session and configuration
732
     *      settings.
733
     * <dt> {@code List<String>}
734
     * <dd> The function's second argument lists the application protocol names
735
     *      advertised by the TLS peer.
736
     * <dt> {@code String}
737
     * <dd> The function's result is an application protocol name, or null to
738
     *      indicate that none of the advertised names are acceptable.
739
     *      If the return value is an empty {@code String} then application
740
     *      protocol indications will not be used.
741
     *      If the return value is null (no value chosen) or is a value that
742
     *      was not advertised by the peer, the underlying protocol will
743
     *      determine what action to take. (For example, ALPN will send a
744
     *      "no_application_protocol" alert and terminate the connection.)
745
     * </dl>
746
     * </blockquote>
747
     *
748
     * For example, the following call registers a callback function that
749
     * examines the TLS handshake parameters and selects an application protocol
750
     * name:
751
     * <pre>{@code
752
     *     serverSocket.setHandshakeApplicationProtocolSelector(
753
     *         (serverSocket, clientProtocols) -> {
754
     *             SSLSession session = serverSocket.getHandshakeSession();
755
     *             return chooseApplicationProtocol(
756
     *                 serverSocket,
757
     *                 clientProtocols,
758
     *                 session.getProtocol(),
759
     *                 session.getCipherSuite());
760
     *         });
761
     * }</pre>
762
     *
763
     * @apiNote
764
     * This method should be called by TLS server applications before the TLS
765
     * handshake begins. Also, this {@code SSLSocket} should be configured with
766
     * parameters that are compatible with the application protocol selected by
767
     * the callback function. For example, enabling a poor choice of cipher
768
     * suites could result in no suitable application protocol.
769
     * See {@link SSLParameters}.
770
     *
771
     * @implSpec
772
     * The implementation in this class throws
773
     * {@code UnsupportedOperationException} and performs no other action.
774
     *
775
     * @param selector the callback function, or null to de-register.
776
     * @throws UnsupportedOperationException if the underlying provider
777
     *         does not implement the operation.
778
     * @since 8
779
     */
780
    public void setHandshakeApplicationProtocolSelector(
781
            BiFunction<SSLSocket, List<String>, String> selector) {
782
        throw new UnsupportedOperationException();
783
    }
784

785
    /**
786
     * Retrieves the callback function that selects an application protocol
787
     * value during a SSL/TLS/DTLS handshake.
788
     * See {@link #setHandshakeApplicationProtocolSelector
789
     * setHandshakeApplicationProtocolSelector}
790
     * for the function's type parameters.
791
     *
792
     * @implSpec
793
     * The implementation in this class throws
794
     * {@code UnsupportedOperationException} and performs no other action.
795
     *
796
     * @return the callback function, or null if none has been set.
797
     * @throws UnsupportedOperationException if the underlying provider
798
     *         does not implement the operation.
799
     * @since 8
800
     */
801
    public BiFunction<SSLSocket, List<String>, String>
802
            getHandshakeApplicationProtocolSelector() {
803
        throw new UnsupportedOperationException();
804
    }
805
}
806

807