Package org.conscrypt

Class Conscrypt

  • public final class Conscrypt
extends java.lang.Object
    Core API for creating and configuring all Conscrypt types.

    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private Conscrypt()  

    • Method Summary

      All Methods Static Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      static void checkAvailability()
      Checks that the Conscrypt support is available for the system.
      static byte[] exportKeyingMaterial​(javax.net.ssl.SSLEngine engine, java.lang.String label, byte[] context, int length)
      Exports a value derived from the TLS master secret as described in RFC 5705.
      static byte[] exportKeyingMaterial​(javax.net.ssl.SSLSocket socket, java.lang.String label, byte[] context, int length)
      Exports a value derived from the TLS master secret as described in RFC 5705.
      static java.lang.String getApplicationProtocol​(javax.net.ssl.SSLEngine engine)
      Returns the ALPN protocol agreed upon by client and server.
      static java.lang.String getApplicationProtocol​(javax.net.ssl.SSLSocket socket)
      Returns the ALPN protocol agreed upon by client and server.
      static java.lang.String[] getApplicationProtocols​(javax.net.ssl.SSLEngine engine)
      Gets the application-layer protocols (ALPN) in prioritization order.
      static java.lang.String[] getApplicationProtocols​(javax.net.ssl.SSLSocket socket)
      Gets the application-layer protocols (ALPN) in prioritization order.
      static byte[] getChannelId​(javax.net.ssl.SSLEngine engine)
      Gets the TLS Channel ID for the given server-side engine.
      static byte[] getChannelId​(javax.net.ssl.SSLSocket socket)
      Gets the TLS Channel ID for the given server-side socket.
      static ConscryptHostnameVerifier getDefaultHostnameVerifier​(javax.net.ssl.TrustManager trustManager)
      Returns the currently-set default hostname verifier for Conscrypt trust managers.
      static javax.net.ssl.X509TrustManager getDefaultX509TrustManager()
      Gets the default X.509 trust manager.
      static java.lang.String getHostname​(javax.net.ssl.SSLEngine engine)
      Returns either the hostname supplied during socket creation or via setHostname(SSLEngine, String).
      static java.lang.String getHostname​(javax.net.ssl.SSLSocket socket)
      Returns either the hostname supplied during socket creation or via setHostname(SSLSocket, String).
      static java.lang.String getHostnameOrIP​(javax.net.ssl.SSLSocket socket)
      This method attempts to create a textual representation of the peer host or IP.
      static ConscryptHostnameVerifier getHostnameVerifier​(javax.net.ssl.TrustManager trustManager)
      Returns the currently-set hostname verifier for the given trust manager.
      static byte[] getTlsUnique​(javax.net.ssl.SSLEngine engine)
      Returns the tls-unique channel binding value for this connection, per RFC 5929.
      static byte[] getTlsUnique​(javax.net.ssl.SSLSocket socket)
      Returns the tls-unique channel binding value for this connection, per RFC 5929.
      static boolean isAvailable()
      Returns true if the Conscrypt native library has been successfully loaded.
      static boolean isConscrypt​(java.security.Provider provider)
      Indicates whether the given Provider was created by this distribution of Conscrypt.
      static boolean isConscrypt​(javax.net.ssl.SSLContext context)
      Indicates whether the given SSLContext was created by this distribution of Conscrypt.
      static boolean isConscrypt​(javax.net.ssl.SSLEngine engine)
      Indicates whether the given SSLEngine was created by this distribution of Conscrypt.
      static boolean isConscrypt​(javax.net.ssl.SSLServerSocketFactory factory)
      Indicates whether the given SSLServerSocketFactory was created by this distribution of Conscrypt.
      static boolean isConscrypt​(javax.net.ssl.SSLSocket socket)
      Indicates whether the given SSLSocket was created by this distribution of Conscrypt.
      static boolean isConscrypt​(javax.net.ssl.SSLSocketFactory factory)
      Indicates whether the given SSLSocketFactory was created by this distribution of Conscrypt.
      static boolean isConscrypt​(javax.net.ssl.TrustManager trustManager)
      Indicates whether the given TrustManager was created by this distribution of Conscrypt.
      static int maxEncryptedPacketLength()
      Returns the maximum length (in bytes) of an encrypted packet.
      static int maxSealOverhead​(javax.net.ssl.SSLEngine engine)
      Returns the maximum overhead, in bytes, of sealing a record with SSL.
      static javax.net.ssl.SSLContextSpi newPreferredSSLContextSpi()
      Constructs a new instance of the preferred SSLContextSpi.
      static java.security.Provider newProvider()
      Constructs a new Provider with the default name.
      static java.security.Provider newProvider​(java.lang.String providerName)
      Deprecated.
      Use newProviderBuilder() instead.
      static Conscrypt.ProviderBuilder newProviderBuilder()  
      static void setApplicationProtocols​(javax.net.ssl.SSLEngine engine, java.lang.String[] protocols)
      Sets the application-layer protocols (ALPN) in prioritization order.
      static void setApplicationProtocols​(javax.net.ssl.SSLSocket socket, java.lang.String[] protocols)
      Sets the application-layer protocols (ALPN) in prioritization order.
      static void setApplicationProtocolSelector​(javax.net.ssl.SSLEngine engine, ApplicationProtocolSelector selector)
      Sets an application-provided ALPN protocol selector.
      static void setApplicationProtocolSelector​(javax.net.ssl.SSLSocket socket, ApplicationProtocolSelector selector)
      Sets an application-provided ALPN protocol selector.
      static void setBufferAllocator​(javax.net.ssl.SSLEngine engine, BufferAllocator bufferAllocator)
      Provides the given engine with the provided bufferAllocator.
      static void setBufferAllocator​(javax.net.ssl.SSLSocket socket, BufferAllocator bufferAllocator)
      Provides the given socket with the provided bufferAllocator.
      static void setChannelIdEnabled​(javax.net.ssl.SSLEngine engine, boolean enabled)
      Enables/disables TLS Channel ID for the given server-side engine.
      static void setChannelIdEnabled​(javax.net.ssl.SSLSocket socket, boolean enabled)
      Enables/disables TLS Channel ID for the given server-side socket.
      static void setChannelIdPrivateKey​(javax.net.ssl.SSLEngine engine, java.security.PrivateKey privateKey)
      Sets the PrivateKey to be used for TLS Channel ID by this client engine.
      static void setChannelIdPrivateKey​(javax.net.ssl.SSLSocket socket, java.security.PrivateKey privateKey)
      Sets the PrivateKey to be used for TLS Channel ID by this client socket.
      static void setClientSessionCache​(javax.net.ssl.SSLContext context, SSLClientSessionCache cache)
      Sets the client-side persistent cache to be used by the context.
      static void setDefaultBufferAllocator​(BufferAllocator bufferAllocator)
      Configures the default BufferAllocator to be used by all future SSLEngine instances from this provider.
      static void setDefaultHostnameVerifier​(ConscryptHostnameVerifier verifier)
      Set the default hostname verifier that will be used for HTTPS endpoint identification by Conscrypt trust managers.
      static void setHandshakeListener​(javax.net.ssl.SSLEngine engine, HandshakeListener handshakeListener)
      Sets a listener on the given engine for completion of the TLS handshake
      static void setHostname​(javax.net.ssl.SSLEngine engine, java.lang.String hostname)
      This method enables Server Name Indication (SNI) and overrides the hostname supplied during engine creation.
      static void setHostname​(javax.net.ssl.SSLSocket socket, java.lang.String hostname)
      This method enables Server Name Indication (SNI) and overrides the hostname supplied during socket creation.
      static void setHostnameVerifier​(javax.net.ssl.TrustManager trustManager, ConscryptHostnameVerifier verifier)
      Set the hostname verifier that will be used for HTTPS endpoint identification by the given trust manager.
      static void setServerSessionCache​(javax.net.ssl.SSLContext context, SSLServerSessionCache cache)
      Sets the server-side persistent cache to be used by the context.
      static void setUseEngineSocket​(javax.net.ssl.SSLServerSocketFactory factory, boolean useEngineSocket)
      Configures the socket to be created for the given server socket factory instance.
      static void setUseEngineSocket​(javax.net.ssl.SSLSocketFactory factory, boolean useEngineSocket)
      Configures the socket to be created for the given socket factory instance.
      static void setUseEngineSocketByDefault​(boolean useEngineSocket)
      Configures the default socket to be created for all socket factory instances.
      static void setUseSessionTickets​(javax.net.ssl.SSLEngine engine, boolean useSessionTickets)
      This method enables session ticket support.
      static void setUseSessionTickets​(javax.net.ssl.SSLSocket socket, boolean useSessionTickets)
      This method enables session ticket support.
      private static AbstractConscryptEngine toConscrypt​(javax.net.ssl.SSLEngine engine)  
      private static OpenSSLServerSocketFactoryImpl toConscrypt​(javax.net.ssl.SSLServerSocketFactory factory)  
      private static AbstractConscryptSocket toConscrypt​(javax.net.ssl.SSLSocket socket)  
      private static OpenSSLSocketFactoryImpl toConscrypt​(javax.net.ssl.SSLSocketFactory factory)  
      private static TrustManagerImpl toConscrypt​(javax.net.ssl.TrustManager trustManager)  
      static javax.net.ssl.SSLEngineResult unwrap​(javax.net.ssl.SSLEngine engine, java.nio.ByteBuffer[] srcs, int srcsOffset, int srcsLength, java.nio.ByteBuffer[] dsts, int dstsOffset, int dstsLength)
      Exteneded unwrap method for multiple source and destination buffers.
      static javax.net.ssl.SSLEngineResult unwrap​(javax.net.ssl.SSLEngine engine, java.nio.ByteBuffer[] srcs, java.nio.ByteBuffer[] dsts)
      Extended unwrap method for multiple source and destination buffers.
      static Conscrypt.Version version()
      Returns the version of this distribution of Conscrypt.
      static ConscryptHostnameVerifier wrapHostnameVerifier​(javax.net.ssl.HostnameVerifier verifier)
      Wraps the HttpsURLConnection.HostnameVerifier into a ConscryptHostnameVerifier

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • Conscrypt

        private Conscrypt()

    • Method Detail

      • isAvailable

        public static boolean isAvailable()
        Returns true if the Conscrypt native library has been successfully loaded.

      • version

        public static Conscrypt.Version version()
        Returns the version of this distribution of Conscrypt. If version information is unavailable, returns null.

      • checkAvailability

        public static void checkAvailability()
        Checks that the Conscrypt support is available for the system.
        Throws:
        java.lang.UnsatisfiedLinkError - if unavailable

      • isConscrypt

        public static boolean isConscrypt​(java.security.Provider provider)
        Indicates whether the given Provider was created by this distribution of Conscrypt.

      • newProvider

        public static java.security.Provider newProvider()
        Constructs a new Provider with the default name.

      • newProvider

        @Deprecated
public static java.security.Provider newProvider​(java.lang.String providerName)
        Deprecated.
        Use newProviderBuilder() instead.
        Constructs a new Provider with the given name.

      • maxEncryptedPacketLength

        public static int maxEncryptedPacketLength()
        Returns the maximum length (in bytes) of an encrypted packet.

      • getDefaultX509TrustManager

        @ExperimentalApi
public static javax.net.ssl.X509TrustManager getDefaultX509TrustManager()
                                                                 throws java.security.KeyManagementException
        Gets the default X.509 trust manager.
        Throws:
        java.security.KeyManagementException

      • isConscrypt

        public static boolean isConscrypt​(javax.net.ssl.SSLContext context)
        Indicates whether the given SSLContext was created by this distribution of Conscrypt.

      • newPreferredSSLContextSpi

        public static javax.net.ssl.SSLContextSpi newPreferredSSLContextSpi()
        Constructs a new instance of the preferred SSLContextSpi.

      • setClientSessionCache

        public static void setClientSessionCache​(javax.net.ssl.SSLContext context,
                                         SSLClientSessionCache cache)
        Sets the client-side persistent cache to be used by the context.

      • setServerSessionCache

        public static void setServerSessionCache​(javax.net.ssl.SSLContext context,
                                         SSLServerSessionCache cache)
        Sets the server-side persistent cache to be used by the context.

      • isConscrypt

        public static boolean isConscrypt​(javax.net.ssl.SSLSocketFactory factory)
        Indicates whether the given SSLSocketFactory was created by this distribution of Conscrypt.

      • setUseEngineSocketByDefault

        @ExperimentalApi
public static void setUseEngineSocketByDefault​(boolean useEngineSocket)
        Configures the default socket to be created for all socket factory instances.

      • setUseEngineSocket

        @ExperimentalApi
public static void setUseEngineSocket​(javax.net.ssl.SSLSocketFactory factory,
                                      boolean useEngineSocket)
        Configures the socket to be created for the given socket factory instance.

      • isConscrypt

        public static boolean isConscrypt​(javax.net.ssl.SSLServerSocketFactory factory)
        Indicates whether the given SSLServerSocketFactory was created by this distribution of Conscrypt.

      • setUseEngineSocket

        @ExperimentalApi
public static void setUseEngineSocket​(javax.net.ssl.SSLServerSocketFactory factory,
                                      boolean useEngineSocket)
        Configures the socket to be created for the given server socket factory instance.

      • isConscrypt

        public static boolean isConscrypt​(javax.net.ssl.SSLSocket socket)
        Indicates whether the given SSLSocket was created by this distribution of Conscrypt.

      • setHostname

        public static void setHostname​(javax.net.ssl.SSLSocket socket,
                               java.lang.String hostname)
        This method enables Server Name Indication (SNI) and overrides the hostname supplied during socket creation. If the hostname is not a valid SNI hostname, the SNI extension will be omitted from the handshake.
        Parameters:
        socket - the socket
        hostname - the desired SNI hostname, or null to disable

      • getHostname

        public static java.lang.String getHostname​(javax.net.ssl.SSLSocket socket)
        Returns either the hostname supplied during socket creation or via setHostname(SSLSocket, String). No DNS resolution is attempted before returning the hostname.

      • getHostnameOrIP

        public static java.lang.String getHostnameOrIP​(javax.net.ssl.SSLSocket socket)
        This method attempts to create a textual representation of the peer host or IP. Does not perform a reverse DNS lookup. This is typically used during session creation.

      • setUseSessionTickets

        public static void setUseSessionTickets​(javax.net.ssl.SSLSocket socket,
                                        boolean useSessionTickets)
        This method enables session ticket support.
        Parameters:
        socket - the socket
        useSessionTickets - True to enable session tickets

      • setChannelIdEnabled

        public static void setChannelIdEnabled​(javax.net.ssl.SSLSocket socket,
                                       boolean enabled)
        Enables/disables TLS Channel ID for the given server-side socket.

        This method needs to be invoked before the handshake starts.

        Parameters:
        socket - the socket
        enabled - Whether to enable channel ID.
        Throws:
        java.lang.IllegalStateException - if this is a client socket or if the handshake has already started.

      • getChannelId

        public static byte[] getChannelId​(javax.net.ssl.SSLSocket socket)
                           throws javax.net.ssl.SSLException
        Gets the TLS Channel ID for the given server-side socket. Channel ID is only available once the handshake completes.
        Parameters:
        socket - the socket
        Returns:
        channel ID or null if not available.
        Throws:
        java.lang.IllegalStateException - if this is a client socket or if the handshake has not yet completed.
        javax.net.ssl.SSLException - if channel ID is available but could not be obtained.

      • setChannelIdPrivateKey

        public static void setChannelIdPrivateKey​(javax.net.ssl.SSLSocket socket,
                                          java.security.PrivateKey privateKey)
        Sets the PrivateKey to be used for TLS Channel ID by this client socket.

        This method needs to be invoked before the handshake starts.

        Parameters:
        socket - the socket
        privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
        Throws:
        java.lang.IllegalStateException - if this is a server socket or if the handshake has already started.

      • getApplicationProtocol

        public static java.lang.String getApplicationProtocol​(javax.net.ssl.SSLSocket socket)
        Returns the ALPN protocol agreed upon by client and server.
        Parameters:
        socket - the socket
        Returns:
        the selected protocol or null if no protocol was agreed upon.

      • setApplicationProtocolSelector

        public static void setApplicationProtocolSelector​(javax.net.ssl.SSLSocket socket,
                                                  ApplicationProtocolSelector selector)
        Sets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set by setApplicationProtocols(SSLSocket, String[]).
        Parameters:
        socket - the socket
        selector - the ALPN protocol selector

      • setApplicationProtocols

        public static void setApplicationProtocols​(javax.net.ssl.SSLSocket socket,
                                           java.lang.String[] protocols)
        Sets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        socket - the socket being configured
        protocols - the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.
        Throws:
        java.lang.IllegalArgumentException - - if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string

      • getApplicationProtocols

        public static java.lang.String[] getApplicationProtocols​(javax.net.ssl.SSLSocket socket)
        Gets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        socket - the socket
        Returns:
        the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.

      • getTlsUnique

        public static byte[] getTlsUnique​(javax.net.ssl.SSLSocket socket)
        Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed.

      • exportKeyingMaterial

        public static byte[] exportKeyingMaterial​(javax.net.ssl.SSLSocket socket,
                                          java.lang.String label,
                                          byte[] context,
                                          int length)
                                   throws javax.net.ssl.SSLException
        Exports a value derived from the TLS master secret as described in RFC 5705.
        Parameters:
        label - the label to use in calculating the exported value. This must be an ASCII-only string.
        context - the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.
        length - the number of bytes of keying material to return.
        Returns:
        a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.
        Throws:
        javax.net.ssl.SSLException - if the value could not be exported.

      • isConscrypt

        public static boolean isConscrypt​(javax.net.ssl.SSLEngine engine)
        Indicates whether the given SSLEngine was created by this distribution of Conscrypt.

      • setBufferAllocator

        @ExperimentalApi
public static void setBufferAllocator​(javax.net.ssl.SSLEngine engine,
                                      BufferAllocator bufferAllocator)
        Provides the given engine with the provided bufferAllocator.
        Throws:
        java.lang.IllegalArgumentException - if the provided engine is not a Conscrypt engine.
        java.lang.IllegalStateException - if the provided engine has already begun its handshake.

      • setBufferAllocator

        @ExperimentalApi
public static void setBufferAllocator​(javax.net.ssl.SSLSocket socket,
                                      BufferAllocator bufferAllocator)
        Provides the given socket with the provided bufferAllocator. If the given socket is a Conscrypt socket but does not use buffer allocators, this method does nothing.
        Throws:
        java.lang.IllegalArgumentException - if the provided socket is not a Conscrypt socket.
        java.lang.IllegalStateException - if the provided socket has already begun its handshake.

      • setDefaultBufferAllocator

        @ExperimentalApi
public static void setDefaultBufferAllocator​(BufferAllocator bufferAllocator)
        Configures the default BufferAllocator to be used by all future SSLEngine instances from this provider.

      • setHostname

        public static void setHostname​(javax.net.ssl.SSLEngine engine,
                               java.lang.String hostname)
        This method enables Server Name Indication (SNI) and overrides the hostname supplied during engine creation.
        Parameters:
        engine - the engine
        hostname - the desired SNI hostname, or null to disable

      • getHostname

        public static java.lang.String getHostname​(javax.net.ssl.SSLEngine engine)
        Returns either the hostname supplied during socket creation or via setHostname(SSLEngine, String). No DNS resolution is attempted before returning the hostname.

      • maxSealOverhead

        public static int maxSealOverhead​(javax.net.ssl.SSLEngine engine)
        Returns the maximum overhead, in bytes, of sealing a record with SSL.

      • setHandshakeListener

        public static void setHandshakeListener​(javax.net.ssl.SSLEngine engine,
                                        HandshakeListener handshakeListener)
        Sets a listener on the given engine for completion of the TLS handshake

      • setChannelIdEnabled

        public static void setChannelIdEnabled​(javax.net.ssl.SSLEngine engine,
                                       boolean enabled)
        Enables/disables TLS Channel ID for the given server-side engine.

        This method needs to be invoked before the handshake starts.

        Parameters:
        engine - the engine
        enabled - Whether to enable channel ID.
        Throws:
        java.lang.IllegalStateException - if this is a client engine or if the handshake has already started.

      • getChannelId

        public static byte[] getChannelId​(javax.net.ssl.SSLEngine engine)
                           throws javax.net.ssl.SSLException
        Gets the TLS Channel ID for the given server-side engine. Channel ID is only available once the handshake completes.
        Parameters:
        engine - the engine
        Returns:
        channel ID or null if not available.
        Throws:
        java.lang.IllegalStateException - if this is a client engine or if the handshake has not yet completed.
        javax.net.ssl.SSLException - if channel ID is available but could not be obtained.

      • setChannelIdPrivateKey

        public static void setChannelIdPrivateKey​(javax.net.ssl.SSLEngine engine,
                                          java.security.PrivateKey privateKey)
        Sets the PrivateKey to be used for TLS Channel ID by this client engine.

        This method needs to be invoked before the handshake starts.

        Parameters:
        engine - the engine
        privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
        Throws:
        java.lang.IllegalStateException - if this is a server engine or if the handshake has already started.

      • unwrap

        public static javax.net.ssl.SSLEngineResult unwrap​(javax.net.ssl.SSLEngine engine,
                                                   java.nio.ByteBuffer[] srcs,
                                                   java.nio.ByteBuffer[] dsts)
                                            throws javax.net.ssl.SSLException
        Extended unwrap method for multiple source and destination buffers.
        Parameters:
        engine - the target engine for the unwrap
        srcs - the source buffers
        dsts - the destination buffers
        Returns:
        the result of the unwrap operation
        Throws:
        javax.net.ssl.SSLException - thrown if an SSL error occurred

      • unwrap

        public static javax.net.ssl.SSLEngineResult unwrap​(javax.net.ssl.SSLEngine engine,
                                                   java.nio.ByteBuffer[] srcs,
                                                   int srcsOffset,
                                                   int srcsLength,
                                                   java.nio.ByteBuffer[] dsts,
                                                   int dstsOffset,
                                                   int dstsLength)
                                            throws javax.net.ssl.SSLException
        Exteneded unwrap method for multiple source and destination buffers.
        Parameters:
        engine - the target engine for the unwrap.
        srcs - the source buffers
        srcsOffset - the offset in the srcs array of the first source buffer
        srcsLength - the number of source buffers starting at srcsOffset
        dsts - the destination buffers
        dstsOffset - the offset in the dsts array of the first destination buffer
        dstsLength - the number of destination buffers starting at dstsOffset
        Returns:
        the result of the unwrap operation
        Throws:
        javax.net.ssl.SSLException - thrown if an SSL error occurred

      • setUseSessionTickets

        public static void setUseSessionTickets​(javax.net.ssl.SSLEngine engine,
                                        boolean useSessionTickets)
        This method enables session ticket support.
        Parameters:
        engine - the engine
        useSessionTickets - True to enable session tickets

      • setApplicationProtocols

        public static void setApplicationProtocols​(javax.net.ssl.SSLEngine engine,
                                           java.lang.String[] protocols)
        Sets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        engine - the engine being configured
        protocols - the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.
        Throws:
        java.lang.IllegalArgumentException - - if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string

      • getApplicationProtocols

        public static java.lang.String[] getApplicationProtocols​(javax.net.ssl.SSLEngine engine)
        Gets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        engine - the engine
        Returns:
        the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.

      • setApplicationProtocolSelector

        public static void setApplicationProtocolSelector​(javax.net.ssl.SSLEngine engine,
                                                  ApplicationProtocolSelector selector)
        Sets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set by setApplicationProtocols(SSLEngine, String[]).
        Parameters:
        engine - the engine
        selector - the ALPN protocol selector

      • getApplicationProtocol

        public static java.lang.String getApplicationProtocol​(javax.net.ssl.SSLEngine engine)
        Returns the ALPN protocol agreed upon by client and server.
        Parameters:
        engine - the engine
        Returns:
        the selected protocol or null if no protocol was agreed upon.

      • getTlsUnique

        public static byte[] getTlsUnique​(javax.net.ssl.SSLEngine engine)
        Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed.

      • exportKeyingMaterial

        public static byte[] exportKeyingMaterial​(javax.net.ssl.SSLEngine engine,
                                          java.lang.String label,
                                          byte[] context,
                                          int length)
                                   throws javax.net.ssl.SSLException
        Exports a value derived from the TLS master secret as described in RFC 5705.
        Parameters:
        label - the label to use in calculating the exported value. This must be an ASCII-only string.
        context - the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.
        length - the number of bytes of keying material to return.
        Returns:
        a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.
        Throws:
        javax.net.ssl.SSLException - if the value could not be exported.

      • isConscrypt

        public static boolean isConscrypt​(javax.net.ssl.TrustManager trustManager)
        Indicates whether the given TrustManager was created by this distribution of Conscrypt.

      • toConscrypt

        private static TrustManagerImpl toConscrypt​(javax.net.ssl.TrustManager trustManager)

      • setDefaultHostnameVerifier

        public static void setDefaultHostnameVerifier​(ConscryptHostnameVerifier verifier)
        Set the default hostname verifier that will be used for HTTPS endpoint identification by Conscrypt trust managers. If null (the default), endpoint identification will use the default hostname verifier set in HttpsURLConnection.setDefaultHostnameVerifier(javax.net.ssl.HostnameVerifier).

      • setHostnameVerifier

        public static void setHostnameVerifier​(javax.net.ssl.TrustManager trustManager,
                                       ConscryptHostnameVerifier verifier)
        Set the hostname verifier that will be used for HTTPS endpoint identification by the given trust manager. If null (the default), endpoint identification will use the default hostname verifier set in setDefaultHostnameVerifier(ConscryptHostnameVerifier).
        Throws:
        java.lang.IllegalArgumentException - if the provided trust manager is not a Conscrypt trust manager per isConscrypt(TrustManager)

      • wrapHostnameVerifier

        public static ConscryptHostnameVerifier wrapHostnameVerifier​(javax.net.ssl.HostnameVerifier verifier)
        Wraps the HttpsURLConnection.HostnameVerifier into a ConscryptHostnameVerifier