COM.claymoresystems.sslg
Class SSLPolicyInt
public
class
SSLPolicyInt
extends Object
SSLPolicyInt.java
Copyright (C) 1999, Claymore Systems, Inc.
All Rights Reserved.
ekr@rtfm.com Wed May 5 08:47:37 1999
This package is a SSLv3/TLS implementation written by Eric Rescorla
and licensed by Claymore Systems, Inc.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by Claymore Systems, Inc.
4. Neither the name of Claymore Systems, Inc. nor the name of Eric
Rescorla may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
$Id: SSLPolicyInt.java,v 1.10 2002/08/20 01:04:50 ekr Exp $
public static final short TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
public static final short TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
public static final short TLS_DHE_DSS_WITH_DES_CBC_SHA
public static final short TLS_DHE_DSS_WITH_NULL_SHA
public static final short TLS_DHE_DSS_WITH_RC4_128_SHA
public static final short TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
public static final short TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
public static final short TLS_DHE_RSA_WITH_DES_CBC_SHA
public static final short TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
public static final short TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
public static final short TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
public static final short TLS_DH_anon_WITH_DES_CBC_SHA
public static final short TLS_DH_anon_WITH_RC4_128_MD5
public static final short TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
public static final short TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
public static final short TLS_DH_DSS_WITH_DES_CBC_SHA
public static final short TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
public static final short TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
public static final short TLS_DH_RSA_WITH_DES_CBC_SHA
public static final short TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
public static final short TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
public static final short TLS_RSA_EXPORT_WITH_RC4_40_MD5
public static final short TLS_RSA_WITH_3DES_EDE_CBC_SHA
public static final short TLS_RSA_WITH_DES_CBC_SHA
public static final short TLS_RSA_WITH_IDEA_CBC_SHA
public static final short TLS_RSA_WITH_NULL_MD5
public static final short TLS_RSA_WITH_NULL_SHA
public static final short TLS_RSA_WITH_RC4_128_MD5
public static final short TLS_RSA_WITH_RC4_128_SHA
public void acceptUnverifiableCertificates(boolean accept)
allow unverifiable certificates. If we encounter a certificate
which cannot be verified by a known root, we ordinarily reject,
but this accepts that behavior to be overridden. The value of
getCertificateChain() will be null.
Setting this value to true completely compromises security against
active attack. This should only be used for testing purposes.
Parameters: accept a boolean indicating whether unverifiable certificates should be accepted
public boolean acceptUnverifiableCertificatesP()
return whether unverifiable certificates are accepted
Returns: a boolean indicating whether unverifiable certs will be accepted
public boolean dhAlwaysEphemeralP()
public static String getCipherSuiteName(int num)
get the name of a cipher from the number
Returns: the name
public static int getCipherSuiteNumber(String name)
get the number of a cipher from the name
Returns: the number (or -1)
public short[] getCipherSuites()
Return the allowed cipherSuites
Returns: a short[] containing all the cipherSuites currently allowed
public int getSessionLifetime()
return the lifetime of a session
Returns: the lifetime setting, in seconds
public void handshakeOnConnect(boolean value)
public boolean handshakeOnConnectP()
public void negotiateTLS(boolean tls)
Set whether to try to negotiate TLS. IF this value is false,
SSLv3 will be negotiated. The default is true/yes.
Parameters: tls a boolean indicating whether to try to negotiate TLS
public boolean negotiateTLSP()
return whether TLS is to be negotiated
Returns: a boolean indicating whether TLS negotiation is attempted.
public void requireClientAuth(boolean val)
Set whether or not to require client authentication when
negotiating (this is relevant only for servers)
Parameters: val a boolean specifying whether client auth is required. The default is no
public boolean requireClientAuthP()
Get whether client auth is required. This is relevant only
for servers
Returns: val a boolean indicating whether client auth is required
public void setCipherSuites(short[] cS)
Specify which cipherSuites may be negotiated.
Currently there is no check made as to whether these cipherSuites
are in fact negotiatable given the current keying material. This
is a bug.
Currently supported cipher suites:
TLS_DHE_DSS_EXPORT_WITH_DES40_RSA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_DES_CBC_SHA,
TLS_RSA_WITH_RC4_128_MD5,
TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_EXPORT_WITH_RC4_40_MD5,
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
Parameters: cS the list of allowed cipherSuites as an array of shorts. The values are specified as constants in this class
public void setDHAlwaysEphemeral(boolean dhephemeral)
Force the creation of a new ephemeral DH key for each connection
Only set this to false if you are using a Sophie-Germain or other prime designed
to resist small subgroup attacks.
Parameters: dhephemeral a boolean indicating whether to force a new DH key for each connection--default to true
public void setSessonLifetime(int lifetime)
Set the lifetime of a cached session. Any attempt to resume a
session after it has expired will fail. This has no effect on
sessions that are currently active, however.
Parameters: lifetime lifetime of a cached session in seconds. Default is 86400 (1 day)
public void waitOnClose(boolean v)
public boolean waitOnCloseP()
Copyright (c) 1999-2001 Claymore Systems, Inc., All Rights Reserved.