SSLParameters Class

The SSLParameters class encapsulates items that affect a TLS connection:

• The list of ciphersuites to be accepted in an SSL/TLS handshake.
• The list of protocols to be allowed.
• The endpoint identification algorithm during SSL/TLS handshaking.
• The server names and server name matchers (see Server Name Indication (SNI) Extension).
• The algorithm constraints.
• Whether SSL/TLS servers should request or require client authentication.
• The cipher suite preference to be used in an SSL/TLS handshake.

You can retrieve the current SSLParameters object for an SSLSocket or SSLEngine object by using the following methods:

• getSSLParameters() in the SSLSocket, SSLServerSocket and SSLEngine classes
• getDefaultSSLParameters() and getSupportedSSLParamters() in the SSLContext class

You can explicitly set the server name indication with the SSLParameters.setServerNames() method. The server name indication in client mode also affects endpoint identification. In the implementation of X509ExtendedTrustManager, it uses the server name indication retrieved by the ExtendedSSLSession.getRequestedServerNames() method. The following example shows this function:

SSLSocketFactory factory = ...
SSLSocket sslSocket = factory.createSocket("172.16.10.6", 443);
// SSLEngine sslEngine = sslContext.createSSLEngine("172.16.10.6", 443);

SNIHostName serverName = new SNIHostName("www.example.com");
List<SNIServerName> serverNames = new ArrayList<>(1);
serverNames.add(serverName);
 
SSLParameters params = sslSocket.getSSLParameters();
params.setServerNames(serverNames);
sslSocket.setSSLParameters(params);
// sslEngine.setSSLParameters(params);

In the preceding example, the host name in the server name indication (www.example.com) is used to make endpoint identification against the peer's identity presented in the end-entity's X.509 certificate.