The core class in this new abstraction is SSLEngine. It encapsulates an SSL/TLS state machine and operates on inbound and outbound byte buffers supplied by the user of the SSLEngine. The following diagram illustrates the flow of data from the application, to the SSLEngine, to the transport mechanism, and back.

The application supplies application (plaintext) data in an application buffer and passes it to the SSLEngine. The SSLEngine processes the data contained in the buffer, or any handshaking data, to produce SSL/TLS encoded data and places it in the network buffer supplied by the application. The application is then responsible for using an appropriate transport to send the contents of the network buffer to its peer. Upon receiving SSL/TLS encoded data from its peer (via the transport), the application places the data into a network buffer and passes it to the SSLEngine. The SSLEngine processes the network buffer's contents to produce handshaking data or application data.

In all, SSLEngine can be in one of five states.

  1. Creation - ready to be configured.
  2. Initial handshaking - perform authentication and negotiate communication parameters.
  3. Application data - ready for application exchange.
  4. Rehandshaking - renegotiate communications parameters/authentication; handshaking data may be mixed with application data.
  5. Closure - ready to shut down connection.

The five states are described in more detail in the SSLEngine class documentation.
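As an added example (not code from the JSSE guide or the JDK), the following drives the creation and initial-handshaking states over a blocking SocketChannel, dispatching on the engine's HandshakeStatus exactly as the buffer flow above describes; the class and method names SslEngineHandshake, newClientEngine and handshake are chosen here.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;

public final class SslEngineHandshake {
    // "Creation" state: configure the client engine before beginHandshake(). An SSLEngine
    // performs no hostname verification unless an endpoint identification algorithm is set.
    static SSLEngine newClientEngine(String host, int port) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // "Initial handshaking" state, driven over a blocking SocketChannel (the transport is the
    // application's responsibility). Returns once the engine is ready for application data.
    static void handshake(SSLEngine engine, SocketChannel ch) throws IOException {
        SSLSession s = engine.getSession();
        ByteBuffer appIn = ByteBuffer.allocate(s.getApplicationBufferSize());
        ByteBuffer netIn = ByteBuffer.allocate(s.getPacketBufferSize());
        ByteBuffer netOut = ByteBuffer.allocate(s.getPacketBufferSize());
        engine.beginHandshake();
        HandshakeStatus hs = engine.getHandshakeStatus();
        while (hs != HandshakeStatus.FINISHED && hs != HandshakeStatus.NOT_HANDSHAKING) {
            if (hs == HandshakeStatus.NEED_WRAP) {          // engine has handshake bytes for the peer
                netOut.clear();
                hs = engine.wrap(ByteBuffer.allocate(0), netOut).getHandshakeStatus();
                netOut.flip();
                while (netOut.hasRemaining()) ch.write(netOut);
            } else if (hs == HandshakeStatus.NEED_UNWRAP) { // engine needs handshake bytes from the peer
                netIn.flip();
                SSLEngineResult r = engine.unwrap(netIn, appIn);
                netIn.compact();                            // retain any partial record for the next call
                if (r.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW && ch.read(netIn) < 0)
                    throw new IOException("peer closed the connection mid-handshake");
                hs = r.getHandshakeStatus();
            } else if (hs == HandshakeStatus.NEED_TASK) {   // e.g. certificate path validation
                Runnable t;
                while ((t = engine.getDelegatedTask()) != null) t.run();
                hs = engine.getHandshakeStatus();
            } else {
                throw new IllegalStateException("unexpected handshake status " + hs);
            }
        }
    }
}
```

Once handshake returns, the engine is in the application-data state and the same wrap/unwrap calls carry plaintext between appIn/appOut and the network buffers; a later NEED_WRAP or NEED_UNWRAP status on an application-data call signals rehandshaking.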