Once you’ve successfully created and initialized an SSLServerSocket, there are a lot of applications you can write using nothing more than the methods inherited from java.net.ServerSocket. However, there are times when you need to adjust its behavior a little. Like SSLSocket, SSLServerSocket provides methods to choose the cipher suites it uses, to manage sessions, and to establish whether clients are required to authenticate themselves. Most of these methods are very similar to the methods of the same name in SSLSocket. The difference is that they work on the server side and set the defaults for sockets accepted by an SSLServerSocket. In some cases, once an SSLSocket has been accepted, you can still use the methods of SSLSocket to configure that one socket rather than all sockets accepted by this SSLServerSocket.
The SSLServerSocket class has the same three methods for determining which cipher suites are supported and enabled as SSLSocket does:

    public abstract String[] getSupportedCipherSuites( )
    public abstract String[] getEnabledCipherSuites( )
    public abstract void setEnabledCipherSuites(String[] suites)
These use the same suite names as the similarly named methods in SSLSocket. The difference is that these apply to all sockets accepted by the SSLServerSocket rather than to just one SSLSocket. For example, this code fragment has the effect of enabling anonymous, unauthenticated connections on the SSLServerSocket server. It relies on the names of these suites containing the string “_anon_”. This is true for Sun’s reference implementations, though there’s no guarantee that other implementers will follow this convention:
    // Collect every supported suite whose name marks it as anonymous
    String[] supported = server.getSupportedCipherSuites( );
    String[] anonCipherSuitesSupported = new String[supported.length];
    int numAnonCipherSuitesSupported = 0;
    for (int i = 0; i < supported.length; i++) {
      if (supported[i].indexOf("_anon_") > 0) {
        anonCipherSuitesSupported[numAnonCipherSuitesSupported++] = supported[i];
      }
    }
    // Append the anonymous suites to the suites that are already enabled
    String[] oldEnabled = server.getEnabledCipherSuites( );
    String[] newEnabled = new String[oldEnabled.length + numAnonCipherSuitesSupported];
    System.arraycopy(oldEnabled, 0, newEnabled, 0, oldEnabled.length);
    System.arraycopy(anonCipherSuitesSupported, 0, newEnabled, oldEnabled.length,
                     numAnonCipherSuitesSupported);
    // Applies to every socket this server socket accepts from now on
    server.setEnabledCipherSuites(newEnabled);
This fragment retrieves the list of both supported and enabled cipher suites using getSupportedCipherSuites( ) and getEnabledCipherSuites( ). It looks at the name of every supported suite to see whether it contains the substring “_anon_”. If it does, it’s added to a list of anonymous cipher suites. Once the list of anonymous cipher suites is built, it’s combined in a new array with the previous list of enabled cipher suites. This new array is then passed to setEnabledCipherSuites( ) so that both the previously enabled and the anonymous cipher suites can now be used.
Both client and server must agree to establish a session for multisocket secure sessions to be allowed. The server side uses the setEnableSessionCreation( ) method to specify whether this will be allowed and the getEnableSessionCreation( ) method to determine whether this is currently allowed:

    public abstract void setEnableSessionCreation(boolean allowSessions)
    public abstract boolean getEnableSessionCreation( )
Session creation is enabled by default. If the server disallows session creation, then a client that wants a session will still be able to connect. It just won’t get a session and will have to handshake again for every socket. Similarly, if the client refuses sessions, but the server allows them, then they’ll still be able to talk to each other but without sessions.
The SSLServerSocket class has two methods for determining and specifying whether client sockets are required to authenticate themselves to the server. By passing true to the setNeedClientAuth( ) method, you specify that only connections where the client is able to authenticate itself will be accepted. By passing false, you specify that authentication is not required of clients. The default is false. If for some reason you need to know what the current state of this property is, the getNeedClientAuth( ) method will tell you:

    public abstract void setNeedClientAuth(boolean flag)
    public abstract boolean getNeedClientAuth( )
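The following is an added example, not code from the book, that turns the three groups of methods above the other way round: instead of adding the “_anon_” suites, it removes every enabled suite whose name marks it as anonymous or as a NULL cipher (the same Sun naming convention the chapter relies on), leaves session creation at its default, and requires client authentication for every socket the server socket accepts. The class name HardenedSslServer and the harden( ) method are assumptions of this example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (not from the book). Names here are assumptions.
public class HardenedSslServer {

    // Strips anonymous and NULL-cipher suites from the enabled list and
    // requires client certificates. Returns the suites that were dropped
    // so the caller can log them.
    public static List<String> harden(SSLServerSocket server) {
        List<String> keep = new ArrayList<>();
        List<String> dropped = new ArrayList<>();
        for (String suite : server.getEnabledCipherSuites()) {
            // Same naming convention the chapter relies on for Sun's suites
            if (suite.contains("_anon_") || suite.contains("_NULL_")) {
                dropped.add(suite);
            } else {
                keep.add(suite);
            }
        }
        // Applies to every socket this server socket accepts from now on
        server.setEnabledCipherSuites(keep.toArray(new String[0]));
        // Only clients able to authenticate themselves are accepted
        server.setNeedClientAuth(true);
        // Already the default; stated so the whole policy is visible here
        server.setEnableSessionCreation(true);
        return dropped;
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0 lets the OS pick a free port; nothing is accepted here,
        // so no key material is needed to run this demonstration
        try (SSLServerSocket server =
                 (SSLServerSocket) factory.createServerSocket(0)) {
            List<String> dropped = harden(server);
            System.out.println("Dropped suites: " + dropped);
            System.out.println("Client auth required: "
                + server.getNeedClientAuth());
            for (String suite : server.getEnabledCipherSuites()) {
                System.out.println("  enabled: " + suite);
            }
        }
    }
}
```

On current JDKs the anonymous suites are not enabled by default, so the dropped list may already be empty; the client-authentication setting still takes effect for every accepted socket.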
The setUseClientMode( ) method allows a program to indicate that even though it has created an SSLServerSocket, it is and should be treated as a client in the communication with respect to authentication and other negotiations. For example, in an FTP session, the client program opens a server socket to receive data from the server, but that doesn’t make it less of a client. The getUseClientMode( ) method returns true if the SSLServerSocket is in client mode, false otherwise:

    public abstract void setUseClientMode(boolean flag)
    public abstract boolean getUseClientMode( )