1 /* 2 * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package javax.net.ssl; 28 29 import java.io.*; 30 import java.net.*; 31 32 33 /** 34 * This class extends <code>ServerSocket</code>s and 35 * provides secure server sockets using protocols such as the Secure 36 * Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. 37 * <P> 38 * Instances of this class are generally created using a 39 * <code>SSLServerSocketFactory</code>. The primary function 40 * of <code>SSLServerSocket</code>s 41 * is to create <code>SSLSocket</code>s by <code>accept</code>ing 42 * connections. 43 * <P> 44 * <code>SSLServerSocket</code>s contain several pieces of state data 45 * which are inherited by the <code>SSLSocket</code> at 46 * socket creation. These include the enabled cipher 47 * suites and protocols, whether client 48 * authentication is necessary, and whether created sockets should 49 * begin handshaking in client or server mode. The state 50 * inherited by the created <code>SSLSocket</code> can be 51 * overriden by calling the appropriate methods. 52 * 53 * @see java.net.ServerSocket 54 * @see SSLSocket 55 * 56 * @since 1.4 57 * @author David Brownell 58 */ 59 public abstract class SSLServerSocket extends ServerSocket { 60 61 /** 62 * Used only by subclasses. 63 * <P> 64 * Create an unbound TCP server socket using the default authentication 65 * context. 66 * 67 * @throws IOException if an I/O error occurs when creating the socket 68 */ 69 protected SSLServerSocket() 70 throws IOException 71 { super(); } 72 73 74 /** 75 * Used only by subclasses. 76 * <P> 77 * Create a TCP server socket on a port, using the default 78 * authentication context. The connection backlog defaults to 79 * fifty connections queued up before the system starts to 80 * reject new connection requests. 81 * <P> 82 * A port number of <code>0</code> creates a socket on any free port. 83 * <P> 84 * If there is a security manager, its <code>checkListen</code> 85 * method is called with the <code>port</code> argument as its 86 * argument to ensure the operation is allowed. This could result 87 * in a SecurityException. 88 * 89 * @param port the port on which to listen 90 * @throws IOException if an I/O error occurs when creating the socket 91 * @throws SecurityException if a security manager exists and its 92 * <code>checkListen</code> method doesn't allow the operation. 93 * @throws IllegalArgumentException if the port parameter is outside the 94 * specified range of valid port values, which is between 0 and 95 * 65535, inclusive. 96 * @see SecurityManager#checkListen 97 */ 98 protected SSLServerSocket(int port) 99 throws IOException 100 { super(port); } 101 102 103 /** 104 * Used only by subclasses. 105 * <P> 106 * Create a TCP server socket on a port, using the default 107 * authentication context and a specified backlog of connections. 108 * <P> 109 * A port number of <code>0</code> creates a socket on any free port. 110 * <P> 111 * The <code>backlog</code> argument is the requested maximum number of 112 * pending connections on the socket. Its exact semantics are implementation 113 * specific. In particular, an implementation may impose a maximum length 114 * or may choose to ignore the parameter altogther. The value provided 115 * should be greater than <code>0</code>. If it is less than or equal to 116 * <code>0</code>, then an implementation specific default will be used. 117 * <P> 118 * If there is a security manager, its <code>checkListen</code> 119 * method is called with the <code>port</code> argument as its 120 * argument to ensure the operation is allowed. This could result 121 * in a SecurityException. 122 * 123 * @param port the port on which to listen 124 * @param backlog requested maximum length of the queue of incoming 125 * connections. 126 * @throws IOException if an I/O error occurs when creating the socket 127 * @throws SecurityException if a security manager exists and its 128 * <code>checkListen</code> method doesn't allow the operation. 129 * @throws IllegalArgumentException if the port parameter is outside the 130 * specified range of valid port values, which is between 0 and 131 * 65535, inclusive. 132 * @see SecurityManager#checkListen 133 */ 134 protected SSLServerSocket(int port, int backlog) 135 throws IOException 136 { super(port, backlog); } 137 138 139 /** 140 * Used only by subclasses. 141 * <P> 142 * Create a TCP server socket on a port, using the default 143 * authentication context and a specified backlog of connections 144 * as well as a particular specified network interface. This 145 * constructor is used on multihomed hosts, such as those used 146 * for firewalls or as routers, to control through which interface 147 * a network service is provided. 148 * <P> 149 * If there is a security manager, its <code>checkListen</code> 150 * method is called with the <code>port</code> argument as its 151 * argument to ensure the operation is allowed. This could result 152 * in a SecurityException. 153 * <P> 154 * A port number of <code>0</code> creates a socket on any free port. 155 * <P> 156 * The <code>backlog</code> argument is the requested maximum number of 157 * pending connections on the socket. Its exact semantics are implementation 158 * specific. In particular, an implementation may impose a maximum length 159 * or may choose to ignore the parameter altogther. The value provided 160 * should be greater than <code>0</code>. If it is less than or equal to 161 * <code>0</code>, then an implementation specific default will be used. 162 * <P> 163 * If <i>address</i> is null, it will default accepting connections 164 * on any/all local addresses. 165 * 166 * @param port the port on which to listen 167 * @param backlog requested maximum length of the queue of incoming 168 * connections. 169 * @param address the address of the network interface through 170 * which connections will be accepted 171 * @throws IOException if an I/O error occurs when creating the socket 172 * @throws SecurityException if a security manager exists and its 173 * <code>checkListen</code> method doesn't allow the operation. 174 * @throws IllegalArgumentException if the port parameter is outside the 175 * specified range of valid port values, which is between 0 and 176 * 65535, inclusive. 177 * @see SecurityManager#checkListen 178 */ 179 protected SSLServerSocket(int port, int backlog, InetAddress address) 180 throws IOException 181 { super(port, backlog, address); } 182 183 184 185 /** 186 * Returns the list of cipher suites which are currently enabled 187 * for use by newly accepted connections. 188 * <P> 189 * If this list has not been explicitly modified, a system-provided 190 * default guarantees a minimum quality of service in all enabled 191 * cipher suites. 192 * <P> 193 * There are several reasons why an enabled cipher suite might 194 * not actually be used. For example: the server socket might 195 * not have appropriate private keys available to it or the cipher 196 * suite might be anonymous, precluding the use of client authentication, 197 * while the server socket has been told to require that sort of 198 * authentication. 199 * 200 * @return an array of cipher suites enabled 201 * @see #getSupportedCipherSuites() 202 * @see #setEnabledCipherSuites(String []) 203 */ 204 public abstract String [] getEnabledCipherSuites(); 205 206 207 /** 208 * Sets the cipher suites enabled for use by accepted connections. 209 * <P> 210 * The cipher suites must have been listed by getSupportedCipherSuites() 211 * as being supported. Following a successful call to this method, 212 * only suites listed in the <code>suites</code> parameter are enabled 213 * for use. 214 * <P> 215 * Suites that require authentication information which is not available 216 * in this ServerSocket's authentication context will not be used 217 * in any case, even if they are enabled. 218 * <P> 219 * <code>SSLSocket</code>s returned from <code>accept()</code> 220 * inherit this setting. 221 * 222 * @param suites Names of all the cipher suites to enable 223 * @exception IllegalArgumentException when one or more of ciphers 224 * named by the parameter is not supported, or when 225 * the parameter is null. 226 * @see #getSupportedCipherSuites() 227 * @see #getEnabledCipherSuites() 228 */ 229 public abstract void setEnabledCipherSuites(String suites []); 230 231 232 /** 233 * Returns the names of the cipher suites which could be enabled for use 234 * on an SSL connection. 235 * <P> 236 * Normally, only a subset of these will actually 237 * be enabled by default, since this list may include cipher suites which 238 * do not meet quality of service requirements for those defaults. Such 239 * cipher suites are useful in specialized applications. 240 * 241 * @return an array of cipher suite names 242 * @see #getEnabledCipherSuites() 243 * @see #setEnabledCipherSuites(String []) 244 */ 245 public abstract String [] getSupportedCipherSuites(); 246 247 248 /** 249 * Returns the names of the protocols which could be enabled for use. 250 * 251 * @return an array of protocol names supported 252 * @see #getEnabledProtocols() 253 * @see #setEnabledProtocols(String []) 254 */ 255 public abstract String [] getSupportedProtocols(); 256 257 258 /** 259 * Returns the names of the protocols which are currently 260 * enabled for use by the newly accepted connections. 261 * 262 * @return an array of protocol names 263 * @see #getSupportedProtocols() 264 * @see #setEnabledProtocols(String []) 265 */ 266 public abstract String [] getEnabledProtocols(); 267 268 269 // Android-added: Added paragraph about contiguous protocols. 270 /** 271 * Controls which particular protocols are enabled for use by 272 * accepted connections. 273 * <P> 274 * The protocols must have been listed by 275 * getSupportedProtocols() as being supported. 276 * Following a successful call to this method, only protocols listed 277 * in the <code>protocols</code> parameter are enabled for use. 278 * <p> 279 * Because of the way the protocol version is negotiated, connections 280 * will only be able to use a member of the lowest set of contiguous 281 * enabled protocol versions. For example, enabling TLSv1.2 and TLSv1 282 * will result in connections only being able to use TLSv1. 283 * <P> 284 * <code>SSLSocket</code>s returned from <code>accept()</code> 285 * inherit this setting. 286 * 287 * @param protocols Names of all the protocols to enable. 288 * @exception IllegalArgumentException when one or more of 289 * the protocols named by the parameter is not supported or 290 * when the protocols parameter is null. 291 * @see #getEnabledProtocols() 292 * @see #getSupportedProtocols() 293 */ 294 public abstract void setEnabledProtocols(String protocols[]); 295 296 297 /** 298 * Controls whether <code>accept</code>ed server-mode 299 * <code>SSLSockets</code> will be initially configured to 300 * <i>require</i> client authentication. 301 * <P> 302 * A socket's client authentication setting is one of the following: 303 * <ul> 304 * <li> client authentication required 305 * <li> client authentication requested 306 * <li> no client authentication desired 307 * </ul> 308 * <P> 309 * Unlike {@link #setWantClientAuth(boolean)}, if the accepted 310 * socket's option is set and the client chooses not to provide 311 * authentication information about itself, <i>the negotiations 312 * will stop and the connection will be dropped</i>. 313 * <P> 314 * Calling this method overrides any previous setting made by 315 * this method or {@link #setWantClientAuth(boolean)}. 316 * <P> 317 * The initial inherited setting may be overridden by calling 318 * {@link SSLSocket#setNeedClientAuth(boolean)} or 319 * {@link SSLSocket#setWantClientAuth(boolean)}. 320 * 321 * @param need set to true if client authentication is required, 322 * or false if no client authentication is desired. 323 * @see #getNeedClientAuth() 324 * @see #setWantClientAuth(boolean) 325 * @see #getWantClientAuth() 326 * @see #setUseClientMode(boolean) 327 */ 328 public abstract void setNeedClientAuth(boolean need); 329 330 331 /** 332 * Returns true if client authentication will be <i>required</i> on 333 * newly <code>accept</code>ed server-mode <code>SSLSocket</code>s. 334 * <P> 335 * The initial inherited setting may be overridden by calling 336 * {@link SSLSocket#setNeedClientAuth(boolean)} or 337 * {@link SSLSocket#setWantClientAuth(boolean)}. 338 * 339 * @return true if client authentication is required, 340 * or false if no client authentication is desired. 341 * @see #setNeedClientAuth(boolean) 342 * @see #setWantClientAuth(boolean) 343 * @see #getWantClientAuth() 344 * @see #setUseClientMode(boolean) 345 */ 346 public abstract boolean getNeedClientAuth(); 347 348 349 /** 350 * Controls whether <code>accept</code>ed server-mode 351 * <code>SSLSockets</code> will be initially configured to 352 * <i>request</i> client authentication. 353 * <P> 354 * A socket's client authentication setting is one of the following: 355 * <ul> 356 * <li> client authentication required 357 * <li> client authentication requested 358 * <li> no client authentication desired 359 * </ul> 360 * <P> 361 * Unlike {@link #setNeedClientAuth(boolean)}, if the accepted 362 * socket's option is set and the client chooses not to provide 363 * authentication information about itself, <i>the negotiations 364 * will continue</i>. 365 * <P> 366 * Calling this method overrides any previous setting made by 367 * this method or {@link #setNeedClientAuth(boolean)}. 368 * <P> 369 * The initial inherited setting may be overridden by calling 370 * {@link SSLSocket#setNeedClientAuth(boolean)} or 371 * {@link SSLSocket#setWantClientAuth(boolean)}. 372 * 373 * @param want set to true if client authentication is requested, 374 * or false if no client authentication is desired. 375 * @see #getWantClientAuth() 376 * @see #setNeedClientAuth(boolean) 377 * @see #getNeedClientAuth() 378 * @see #setUseClientMode(boolean) 379 */ 380 public abstract void setWantClientAuth(boolean want); 381 382 383 /** 384 * Returns true if client authentication will be <i>requested</i> on 385 * newly accepted server-mode connections. 386 * <P> 387 * The initial inherited setting may be overridden by calling 388 * {@link SSLSocket#setNeedClientAuth(boolean)} or 389 * {@link SSLSocket#setWantClientAuth(boolean)}. 390 * 391 * @return true if client authentication is requested, 392 * or false if no client authentication is desired. 393 * @see #setWantClientAuth(boolean) 394 * @see #setNeedClientAuth(boolean) 395 * @see #getNeedClientAuth() 396 * @see #setUseClientMode(boolean) 397 */ 398 public abstract boolean getWantClientAuth(); 399 400 401 /** 402 * Controls whether accepted connections are in the (default) SSL 403 * server mode, or the SSL client mode. 404 * <P> 405 * Servers normally authenticate themselves, and clients are not 406 * required to do so. 407 * <P> 408 * In rare cases, TCP servers 409 * need to act in the SSL client mode on newly accepted 410 * connections. For example, FTP clients acquire server sockets 411 * and listen there for reverse connections from the server. An 412 * FTP client would use an SSLServerSocket in "client" mode to 413 * accept the reverse connection while the FTP server uses an 414 * SSLSocket with "client" mode disabled to initiate the 415 * connection. During the resulting handshake, existing SSL 416 * sessions may be reused. 417 * <P> 418 * <code>SSLSocket</code>s returned from <code>accept()</code> 419 * inherit this setting. 420 * 421 * @param mode true if newly accepted connections should use SSL 422 * client mode. 423 * @see #getUseClientMode() 424 */ 425 public abstract void setUseClientMode(boolean mode); 426 427 428 /** 429 * Returns true if accepted connections will be in SSL client mode. 430 * 431 * @see #setUseClientMode(boolean) 432 * @return true if the connection should use SSL client mode. 433 */ 434 public abstract boolean getUseClientMode(); 435 436 437 /** 438 * Controls whether new SSL sessions may be established by the 439 * sockets which are created from this server socket. 440 * <P> 441 * <code>SSLSocket</code>s returned from <code>accept()</code> 442 * inherit this setting. 443 * 444 * @param flag true indicates that sessions may be created; this 445 * is the default. false indicates that an existing session 446 * must be resumed. 447 * @see #getEnableSessionCreation() 448 */ 449 public abstract void setEnableSessionCreation(boolean flag); 450 451 452 /** 453 * Returns true if new SSL sessions may be established by the 454 * sockets which are created from this server socket. 455 * 456 * @return true indicates that sessions may be created; this 457 * is the default. false indicates that an existing 458 * session must be resumed 459 * @see #setEnableSessionCreation(boolean) 460 */ 461 public abstract boolean getEnableSessionCreation(); 462 463 /** 464 * Returns the SSLParameters in effect for newly accepted connections. 465 * The ciphersuites and protocols of the returned SSLParameters 466 * are always non-null. 467 * 468 * @return the SSLParameters in effect for newly accepted connections 469 * 470 * @see #setSSLParameters(SSLParameters) 471 * 472 * @since 1.7 473 */ 474 public SSLParameters getSSLParameters() { 475 SSLParameters parameters = new SSLParameters(); 476 477 parameters.setCipherSuites(getEnabledCipherSuites()); 478 parameters.setProtocols(getEnabledProtocols()); 479 if (getNeedClientAuth()) { 480 parameters.setNeedClientAuth(true); 481 } else if (getWantClientAuth()) { 482 parameters.setWantClientAuth(true); 483 } 484 485 return parameters; 486 } 487 488 /** 489 * Applies SSLParameters to newly accepted connections. 490 * 491 * <p>This means: 492 * <ul> 493 * <li>If {@code params.getCipherSuites()} is non-null, 494 * {@code setEnabledCipherSuites()} is called with that value.</li> 495 * <li>If {@code params.getProtocols()} is non-null, 496 * {@code setEnabledProtocols()} is called with that value.</li> 497 * <li>If {@code params.getNeedClientAuth()} or 498 * {@code params.getWantClientAuth()} return {@code true}, 499 * {@code setNeedClientAuth(true)} and 500 * {@code setWantClientAuth(true)} are called, respectively; 501 * otherwise {@code setWantClientAuth(false)} is called.</li> 502 * <li>If {@code params.getServerNames()} is non-null, the socket will 503 * configure its server names with that value.</li> 504 * <li>If {@code params.getSNIMatchers()} is non-null, the socket will 505 * configure its SNI matchers with that value.</li> 506 * </ul> 507 * 508 * @param params the parameters 509 * @throws IllegalArgumentException if the setEnabledCipherSuites() or 510 * the setEnabledProtocols() call fails 511 * 512 * @see #getSSLParameters() 513 * 514 * @since 1.7 515 */ 516 public void setSSLParameters(SSLParameters params) { 517 String[] s; 518 s = params.getCipherSuites(); 519 if (s != null) { 520 setEnabledCipherSuites(s); 521 } 522 523 s = params.getProtocols(); 524 if (s != null) { 525 setEnabledProtocols(s); 526 } 527 528 if (params.getNeedClientAuth()) { 529 setNeedClientAuth(true); 530 } else if (params.getWantClientAuth()) { 531 setWantClientAuth(true); 532 } else { 533 setWantClientAuth(false); 534 } 535 } 536 537 // Android-added: Make toString explicit that this is an SSLServerSocket (http://b/6602228) 538 @Override 539 public String toString() { 540 return "SSL" + super.toString(); 541 } 542 543 } 544