1/*
2 * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.  Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27package javax.net.ssl;
28
29import java.io.*;
30import java.net.*;
31
32
33/**
34 * This class extends <code>ServerSocket</code>s and
35 * provides secure server sockets using protocols such as the Secure
36 * Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.
37 * <P>
38 * Instances of this class are generally created using a
39 * <code>SSLServerSocketFactory</code>.  The primary function
40 * of <code>SSLServerSocket</code>s
41 * is to create <code>SSLSocket</code>s by <code>accept</code>ing
42 * connections.
43 * <P>
44 * <code>SSLServerSocket</code>s contain several pieces of state data
45 * which are inherited by the <code>SSLSocket</code> at
46 * socket creation.  These include the enabled cipher
47 * suites and protocols, whether client
48 * authentication is necessary, and whether created sockets should
49 * begin handshaking in client or server mode.  The state
50 * inherited by the created <code>SSLSocket</code> can be
51 * overriden by calling the appropriate methods.
52 *
53 * @see java.net.ServerSocket
54 * @see SSLSocket
55 *
56 * @since 1.4
57 * @author David Brownell
58 */
59public abstract class SSLServerSocket extends ServerSocket {
60
61    /**
62     * Used only by subclasses.
63     * <P>
64     * Create an unbound TCP server socket using the default authentication
65     * context.
66     *
67     * @throws IOException if an I/O error occurs when creating the socket
68     */
69    protected SSLServerSocket()
70    throws IOException
71        { super(); }
72
73
74    /**
75     * Used only by subclasses.
76     * <P>
77     * Create a TCP server socket on a port, using the default
78     * authentication context.  The connection backlog defaults to
79     * fifty connections queued up before the system starts to
80     * reject new connection requests.
81     * <P>
82     * A port number of <code>0</code> creates a socket on any free port.
83     * <P>
84     * If there is a security manager, its <code>checkListen</code>
85     * method is called with the <code>port</code> argument as its
86     * argument to ensure the operation is allowed. This could result
87     * in a SecurityException.
88     *
89     * @param port the port on which to listen
90     * @throws IOException if an I/O error occurs when creating the socket
91     * @throws SecurityException if a security manager exists and its
92     *         <code>checkListen</code> method doesn't allow the operation.
93     * @throws IllegalArgumentException if the port parameter is outside the
94     *         specified range of valid port values, which is between 0 and
95     *         65535, inclusive.
96     * @see    SecurityManager#checkListen
97     */
98    protected SSLServerSocket(int port)
99    throws IOException
100        { super(port); }
101
102
103    /**
104     * Used only by subclasses.
105     * <P>
106     * Create a TCP server socket on a port, using the default
107     * authentication context and a specified backlog of connections.
108     * <P>
109     * A port number of <code>0</code> creates a socket on any free port.
110     * <P>
111     * The <code>backlog</code> argument is the requested maximum number of
112     * pending connections on the socket. Its exact semantics are implementation
113     * specific. In particular, an implementation may impose a maximum length
114     * or may choose to ignore the parameter altogther. The value provided
115     * should be greater than <code>0</code>. If it is less than or equal to
116     * <code>0</code>, then an implementation specific default will be used.
117     * <P>
118     * If there is a security manager, its <code>checkListen</code>
119     * method is called with the <code>port</code> argument as its
120     * argument to ensure the operation is allowed. This could result
121     * in a SecurityException.
122     *
123     * @param port the port on which to listen
124     * @param backlog  requested maximum length of the queue of incoming
125     *                  connections.
126     * @throws IOException if an I/O error occurs when creating the socket
127     * @throws SecurityException if a security manager exists and its
128     *         <code>checkListen</code> method doesn't allow the operation.
129     * @throws IllegalArgumentException if the port parameter is outside the
130     *         specified range of valid port values, which is between 0 and
131     *         65535, inclusive.
132     * @see    SecurityManager#checkListen
133     */
134    protected SSLServerSocket(int port, int backlog)
135    throws IOException
136        { super(port, backlog); }
137
138
139    /**
140     * Used only by subclasses.
141     * <P>
142     * Create a TCP server socket on a port, using the default
143     * authentication context and a specified backlog of connections
144     * as well as a particular specified network interface.  This
145     * constructor is used on multihomed hosts, such as those used
146     * for firewalls or as routers, to control through which interface
147     * a network service is provided.
148     * <P>
149     * If there is a security manager, its <code>checkListen</code>
150     * method is called with the <code>port</code> argument as its
151     * argument to ensure the operation is allowed. This could result
152     * in a SecurityException.
153     * <P>
154     * A port number of <code>0</code> creates a socket on any free port.
155     * <P>
156     * The <code>backlog</code> argument is the requested maximum number of
157     * pending connections on the socket. Its exact semantics are implementation
158     * specific. In particular, an implementation may impose a maximum length
159     * or may choose to ignore the parameter altogther. The value provided
160     * should be greater than <code>0</code>. If it is less than or equal to
161     * <code>0</code>, then an implementation specific default will be used.
162     * <P>
163     * If <i>address</i> is null, it will default accepting connections
164     * on any/all local addresses.
165     *
166     * @param port the port on which to listen
167     * @param backlog  requested maximum length of the queue of incoming
168     *                  connections.
169     * @param address the address of the network interface through
170     *          which connections will be accepted
171     * @throws IOException if an I/O error occurs when creating the socket
172     * @throws SecurityException if a security manager exists and its
173     *         <code>checkListen</code> method doesn't allow the operation.
174     * @throws IllegalArgumentException if the port parameter is outside the
175     *         specified range of valid port values, which is between 0 and
176     *         65535, inclusive.
177     * @see    SecurityManager#checkListen
178     */
179    protected SSLServerSocket(int port, int backlog, InetAddress address)
180    throws IOException
181        { super(port, backlog, address); }
182
183
184
185    /**
186     * Returns the list of cipher suites which are currently enabled
187     * for use by newly accepted connections.
188     * <P>
189     * If this list has not been explicitly modified, a system-provided
190     * default guarantees a minimum quality of service in all enabled
191     * cipher suites.
192     * <P>
193     * There are several reasons why an enabled cipher suite might
194     * not actually be used.  For example:  the server socket might
195     * not have appropriate private keys available to it or the cipher
196     * suite might be anonymous, precluding the use of client authentication,
197     * while the server socket has been told to require that sort of
198     * authentication.
199     *
200     * @return an array of cipher suites enabled
201     * @see #getSupportedCipherSuites()
202     * @see #setEnabledCipherSuites(String [])
203     */
204    public abstract String [] getEnabledCipherSuites();
205
206
207    /**
208     * Sets the cipher suites enabled for use by accepted connections.
209     * <P>
210     * The cipher suites must have been listed by getSupportedCipherSuites()
211     * as being supported.  Following a successful call to this method,
212     * only suites listed in the <code>suites</code> parameter are enabled
213     * for use.
214     * <P>
215     * Suites that require authentication information which is not available
216     * in this ServerSocket's authentication context will not be used
217     * in any case, even if they are enabled.
218     * <P>
219     * <code>SSLSocket</code>s returned from <code>accept()</code>
220     * inherit this setting.
221     *
222     * @param suites Names of all the cipher suites to enable
223     * @exception IllegalArgumentException when one or more of ciphers
224     *          named by the parameter is not supported, or when
225     *          the parameter is null.
226     * @see #getSupportedCipherSuites()
227     * @see #getEnabledCipherSuites()
228     */
229    public abstract void setEnabledCipherSuites(String suites []);
230
231
232    /**
233     * Returns the names of the cipher suites which could be enabled for use
234     * on an SSL connection.
235     * <P>
236     * Normally, only a subset of these will actually
237     * be enabled by default, since this list may include cipher suites which
238     * do not meet quality of service requirements for those defaults.  Such
239     * cipher suites are useful in specialized applications.
240     *
241     * @return an array of cipher suite names
242     * @see #getEnabledCipherSuites()
243     * @see #setEnabledCipherSuites(String [])
244     */
245    public abstract String [] getSupportedCipherSuites();
246
247
248    /**
249     * Returns the names of the protocols which could be enabled for use.
250     *
251     * @return an array of protocol names supported
252     * @see #getEnabledProtocols()
253     * @see #setEnabledProtocols(String [])
254     */
255    public abstract String [] getSupportedProtocols();
256
257
258    /**
259     * Returns the names of the protocols which are currently
260     * enabled for use by the newly accepted connections.
261     *
262     * @return an array of protocol names
263     * @see #getSupportedProtocols()
264     * @see #setEnabledProtocols(String [])
265     */
266    public abstract String [] getEnabledProtocols();
267
268
269    // Android-added: Added paragraph about contiguous protocols.
270    /**
271     * Controls which particular protocols are enabled for use by
272     * accepted connections.
273     * <P>
274     * The protocols must have been listed by
275     * getSupportedProtocols() as being supported.
276     * Following a successful call to this method, only protocols listed
277     * in the <code>protocols</code> parameter are enabled for use.
278     * <p>
279     * Because of the way the protocol version is negotiated, connections
280     * will only be able to use a member of the lowest set of contiguous
281     * enabled protocol versions.  For example, enabling TLSv1.2 and TLSv1
282     * will result in connections only being able to use TLSv1.
283     * <P>
284     * <code>SSLSocket</code>s returned from <code>accept()</code>
285     * inherit this setting.
286     *
287     * @param protocols Names of all the protocols to enable.
288     * @exception IllegalArgumentException when one or more of
289     *            the protocols named by the parameter is not supported or
290     *            when the protocols parameter is null.
291     * @see #getEnabledProtocols()
292     * @see #getSupportedProtocols()
293     */
294    public abstract void setEnabledProtocols(String protocols[]);
295
296
297    /**
298     * Controls whether <code>accept</code>ed server-mode
299     * <code>SSLSockets</code> will be initially configured to
300     * <i>require</i> client authentication.
301     * <P>
302     * A socket's client authentication setting is one of the following:
303     * <ul>
304     * <li> client authentication required
305     * <li> client authentication requested
306     * <li> no client authentication desired
307     * </ul>
308     * <P>
309     * Unlike {@link #setWantClientAuth(boolean)}, if the accepted
310     * socket's option is set and the client chooses not to provide
311     * authentication information about itself, <i>the negotiations
312     * will stop and the connection will be dropped</i>.
313     * <P>
314     * Calling this method overrides any previous setting made by
315     * this method or {@link #setWantClientAuth(boolean)}.
316     * <P>
317     * The initial inherited setting may be overridden by calling
318     * {@link SSLSocket#setNeedClientAuth(boolean)} or
319     * {@link SSLSocket#setWantClientAuth(boolean)}.
320     *
321     * @param   need set to true if client authentication is required,
322     *          or false if no client authentication is desired.
323     * @see #getNeedClientAuth()
324     * @see #setWantClientAuth(boolean)
325     * @see #getWantClientAuth()
326     * @see #setUseClientMode(boolean)
327     */
328    public abstract void setNeedClientAuth(boolean need);
329
330
331    /**
332     * Returns true if client authentication will be <i>required</i> on
333     * newly <code>accept</code>ed server-mode <code>SSLSocket</code>s.
334     * <P>
335     * The initial inherited setting may be overridden by calling
336     * {@link SSLSocket#setNeedClientAuth(boolean)} or
337     * {@link SSLSocket#setWantClientAuth(boolean)}.
338     *
339     * @return  true if client authentication is required,
340     *          or false if no client authentication is desired.
341     * @see #setNeedClientAuth(boolean)
342     * @see #setWantClientAuth(boolean)
343     * @see #getWantClientAuth()
344     * @see #setUseClientMode(boolean)
345     */
346    public abstract boolean getNeedClientAuth();
347
348
349    /**
350     * Controls whether <code>accept</code>ed server-mode
351     * <code>SSLSockets</code> will be initially configured to
352     * <i>request</i> client authentication.
353     * <P>
354     * A socket's client authentication setting is one of the following:
355     * <ul>
356     * <li> client authentication required
357     * <li> client authentication requested
358     * <li> no client authentication desired
359     * </ul>
360     * <P>
361     * Unlike {@link #setNeedClientAuth(boolean)}, if the accepted
362     * socket's option is set and the client chooses not to provide
363     * authentication information about itself, <i>the negotiations
364     * will continue</i>.
365     * <P>
366     * Calling this method overrides any previous setting made by
367     * this method or {@link #setNeedClientAuth(boolean)}.
368     * <P>
369     * The initial inherited setting may be overridden by calling
370     * {@link SSLSocket#setNeedClientAuth(boolean)} or
371     * {@link SSLSocket#setWantClientAuth(boolean)}.
372     *
373     * @param   want set to true if client authentication is requested,
374     *          or false if no client authentication is desired.
375     * @see #getWantClientAuth()
376     * @see #setNeedClientAuth(boolean)
377     * @see #getNeedClientAuth()
378     * @see #setUseClientMode(boolean)
379     */
380    public abstract void setWantClientAuth(boolean want);
381
382
383    /**
384     * Returns true if client authentication will be <i>requested</i> on
385     * newly accepted server-mode connections.
386     * <P>
387     * The initial inherited setting may be overridden by calling
388     * {@link SSLSocket#setNeedClientAuth(boolean)} or
389     * {@link SSLSocket#setWantClientAuth(boolean)}.
390     *
391     * @return  true if client authentication is requested,
392     *          or false if no client authentication is desired.
393     * @see #setWantClientAuth(boolean)
394     * @see #setNeedClientAuth(boolean)
395     * @see #getNeedClientAuth()
396     * @see #setUseClientMode(boolean)
397     */
398    public abstract boolean getWantClientAuth();
399
400
401    /**
402     * Controls whether accepted connections are in the (default) SSL
403     * server mode, or the SSL client mode.
404     * <P>
405     * Servers normally authenticate themselves, and clients are not
406     * required to do so.
407     * <P>
408     * In rare cases, TCP servers
409     * need to act in the SSL client mode on newly accepted
410     * connections. For example, FTP clients acquire server sockets
411     * and listen there for reverse connections from the server. An
412     * FTP client would use an SSLServerSocket in "client" mode to
413     * accept the reverse connection while the FTP server uses an
414     * SSLSocket with "client" mode disabled to initiate the
415     * connection. During the resulting handshake, existing SSL
416     * sessions may be reused.
417     * <P>
418     * <code>SSLSocket</code>s returned from <code>accept()</code>
419     * inherit this setting.
420     *
421     * @param mode true if newly accepted connections should use SSL
422     *          client mode.
423     * @see #getUseClientMode()
424     */
425    public abstract void setUseClientMode(boolean mode);
426
427
428    /**
429     * Returns true if accepted connections will be in SSL client mode.
430     *
431     * @see #setUseClientMode(boolean)
432     * @return true if the connection should use SSL client mode.
433     */
434    public abstract boolean getUseClientMode();
435
436
437    /**
438     * Controls whether new SSL sessions may be established by the
439     * sockets which are created from this server socket.
440     * <P>
441     * <code>SSLSocket</code>s returned from <code>accept()</code>
442     * inherit this setting.
443     *
444     * @param flag true indicates that sessions may be created; this
445     *          is the default. false indicates that an existing session
446     *          must be resumed.
447     * @see #getEnableSessionCreation()
448     */
449    public abstract void setEnableSessionCreation(boolean flag);
450
451
452    /**
453     * Returns true if new SSL sessions may be established by the
454     * sockets which are created from this server socket.
455     *
456     * @return true indicates that sessions may be created; this
457     *          is the default.  false indicates that an existing
458     *          session must be resumed
459     * @see #setEnableSessionCreation(boolean)
460     */
461    public abstract boolean getEnableSessionCreation();
462
463    /**
464     * Returns the SSLParameters in effect for newly accepted connections.
465     * The ciphersuites and protocols of the returned SSLParameters
466     * are always non-null.
467     *
468     * @return the SSLParameters in effect for newly accepted connections
469     *
470     * @see #setSSLParameters(SSLParameters)
471     *
472     * @since 1.7
473     */
474    public SSLParameters getSSLParameters() {
475        SSLParameters parameters = new SSLParameters();
476
477        parameters.setCipherSuites(getEnabledCipherSuites());
478        parameters.setProtocols(getEnabledProtocols());
479        if (getNeedClientAuth()) {
480            parameters.setNeedClientAuth(true);
481        } else if (getWantClientAuth()) {
482            parameters.setWantClientAuth(true);
483        }
484
485        return parameters;
486    }
487
488    /**
489     * Applies SSLParameters to newly accepted connections.
490     *
491     * <p>This means:
492     * <ul>
493     * <li>If {@code params.getCipherSuites()} is non-null,
494     *   {@code setEnabledCipherSuites()} is called with that value.</li>
495     * <li>If {@code params.getProtocols()} is non-null,
496     *   {@code setEnabledProtocols()} is called with that value.</li>
497     * <li>If {@code params.getNeedClientAuth()} or
498     *   {@code params.getWantClientAuth()} return {@code true},
499     *   {@code setNeedClientAuth(true)} and
500     *   {@code setWantClientAuth(true)} are called, respectively;
501     *   otherwise {@code setWantClientAuth(false)} is called.</li>
502     * <li>If {@code params.getServerNames()} is non-null, the socket will
503     *   configure its server names with that value.</li>
504     * <li>If {@code params.getSNIMatchers()} is non-null, the socket will
505     *   configure its SNI matchers with that value.</li>
506     * </ul>
507     *
508     * @param params the parameters
509     * @throws IllegalArgumentException if the setEnabledCipherSuites() or
510     *    the setEnabledProtocols() call fails
511     *
512     * @see #getSSLParameters()
513     *
514     * @since 1.7
515     */
516    public void setSSLParameters(SSLParameters params) {
517        String[] s;
518        s = params.getCipherSuites();
519        if (s != null) {
520            setEnabledCipherSuites(s);
521        }
522
523        s = params.getProtocols();
524        if (s != null) {
525            setEnabledProtocols(s);
526        }
527
528        if (params.getNeedClientAuth()) {
529            setNeedClientAuth(true);
530        } else if (params.getWantClientAuth()) {
531            setWantClientAuth(true);
532        } else {
533            setWantClientAuth(false);
534        }
535    }
536
537    // Android-added: Make toString explicit that this is an SSLServerSocket (http://b/6602228)
538    @Override
539    public String toString() {
540        return "SSL" + super.toString();
541    }
542
543}
544