SSLParameters supports the following properties (as per Spring notation): cipherSuites, protocols, wantClientAuth, needClientAuth, algorithmConstraints, endpointIdentificationAlgorithm, serverNames, SNIMatchers, useCipherSuitesOrder.
However, in SSL{Socket, ServerSocket, Engine}.setSSLParameters it is apparent that only cipherSuites, protocols, wantClientAuth, needClientAuth are used. What is the rest of SSLParameters for?
Are they just for custom heavyweight implementations such as HTTPS clients, and as such not used at all by the JVM? Is the support for these features located elsewhere, and if so, where? Is useCipherSuitesOrder supported by the JVM, and if so, where? Is it actually a desired feature?
Another question is that SSLParameters has protocols, but they are applied to e.g. an SSLSocket already created using an SSLContext, which already has a single protocol chosen. In which contexts does this make sense? Can you pre-apply SSLParameters to an SSLContext? Can you have the widest possible SSLContext and then constrain it using SSLParameters? E.g. does it make sense to have an SSLContext of protocol "TLS" and then use SSLParameters of protocols {"TLSv1.1", "TLSv1.2"} to only have a subset of TLS cipher suites? Is "TLS" a superset of all "TLSv1.x"?
Years later I can answer my own question: Apparently, when you call ctx.createSSLEngine(), an instance of a vendor-specific SSLEngine will be returned, such as sun.security.ssl.SSLEngineImpl, which will make more thorough use of the passed SSLParameters by passing them to sun.security.ssl.SSLConfiguration#setSSLParameters.
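A way to observe this from the public API, as an added example that is not part of the original post: it creates an engine from a "TLS" context, narrows it with SSLParameters, and reads the parameters back from the engine. The class name, the host `example.test` and port 443 are placeholders, and TLSv1.2 is used alone because current JDKs disable TLSv1.1 by default.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.Collections;

public class SslParametersDemo {
    public static void main(String[] args) throws Exception {
        // Generic "TLS" context; the versions it can speak are reported by the engine.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, SecureRandom

        // Placeholder peer host and port (assumptions for this example).
        SSLEngine engine = ctx.createSSLEngine("example.test", 443);
        engine.setUseClientMode(true);
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("default:   " + Arrays.toString(engine.getEnabledProtocols()));

        // Start from the engine's current parameters so untouched properties keep
        // their defaults, then constrain the wide context per connection.
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        // Makes the default trust manager check the certificate against the
        // peer host name during the handshake (off by default on a raw engine).
        params.setEndpointIdentificationAlgorithm("HTTPS");
        params.setUseCipherSuitesOrder(true);
        params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName("example.test")));
        engine.setSSLParameters(params);

        // Read back what the vendor engine actually stored.
        SSLParameters applied = engine.getSSLParameters();
        System.out.println("enabled:   " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("endpoint identification: "
                + applied.getEndpointIdentificationAlgorithm());
        System.out.println("cipher suite order honoured: " + applied.getUseCipherSuitesOrder());
        System.out.println("SNI names: " + applied.getServerNames());
    }
}
```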