OpenJDK 1.23 · javax.naming.ldap.StartTlsResponse · APIdia, the JavaDoc alternative

This class implements the LDAPv3 Extended Response for StartTLS as defined in Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security The object identifier for StartTLS is 1.3.6.1.4.1.1466.20037 and no extended response value is defined.

The Start TLS extended request and response are used to establish a TLS connection over the existing LDAP connection associated with the JNDI context on which extendedOperation() is invoked. Typically, a JNDI program uses the StartTLS extended request and response classes as follows.

 import javax.naming.ldap.*;

 // Open an LDAP association
 LdapContext ctx = new InitialLdapContext();

 // Perform a StartTLS extended operation
 StartTlsResponse tls =
     (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

 // Open a TLS connection (over the existing LDAP association) and get details
 // of the negotiated TLS session: cipher suite, peer certificate, ...
 SSLSession session = tls.negotiate();

 // ... use ctx to perform protected LDAP operations

 // Close the TLS connection (revert back to the underlying LDAP association)
 tls.close();

 // ... use ctx to perform unprotected LDAP operations

 // Close the LDAP association
 ctx.close;

Field Summary

Modifier and Type	Field and Description
public static final String	OID The StartTLS extended response's assigned object identifier is 1.3.6.1.4.1.1466.20037.
private static final long	serialVersionUID

Access	Constructor and Description
protected	StartTlsResponse() Constructs a StartTLS extended response.

Method Summary

Modifier and Type	Method and Description
public abstract void	close() Closes the TLS connection gracefully and reverts back to the underlying connection.
public byte[]	Returns: The null value. getEncodedValue() Implements javax.naming.ldap.ExtendedResponse.getEncodedValue. Retrieves the StartTLS response's ASN.1 BER encoded value.
public String	Returns: The object identifier string, "1.3.6.1.4.1.1466.20037". getID() Implements javax.naming.ldap.ExtendedResponse.getID. Retrieves the StartTLS response's object identifier string.
public abstract SSLSession	Returns: The negotiated SSL session negotiate() Negotiates a TLS session using the default SSL socket factory.
public abstract SSLSession	Returns: The negotiated SSL session negotiate(SSLSocketFactory The possibly null SSL socket factory to use. If null, the default SSL socket factory is used. factory) Negotiates a TLS session using an SSL socket factory.
public abstract void	setEnabledCipherSuites(String[] The non-null list of names of all the cipher suites to enable. suites) Overrides the default list of cipher suites enabled for use on the TLS connection.
public abstract void	setHostnameVerifier(HostnameVerifier The non-null hostname verifier callback. verifier) Sets the hostname verifier used by `negotiate()` after the TLS handshake has completed and the default hostname verification has failed.

Inherited from java.lang.Object:: clone equals finalize getClass hashCode notify notifyAll toString wait wait wait

Field Detail

OID	back to summary
public static final String OID The StartTLS extended response's assigned object identifier is 1.3.6.1.4.1.1466.20037.

serialVersionUID	back to summary
private static final long serialVersionUID

Constructor Detail

StartTlsResponse	back to summary
protected StartTlsResponse() Constructs a StartTLS extended response. A concrete subclass must have a public no-arg constructor.

Method Detail

close	back to summary
public abstract void close() throws IOException Closes the TLS connection gracefully and reverts back to the underlying connection. Exceptions IOException: If an IO error was encountered while closing the TLS connection

back to summary

public abstract void close() throws IOException

Closes the TLS connection gracefully and reverts back to the underlying connection.

Exceptions

IOException:: If an IO error was encountered while closing the TLS connection

getEncodedValue	back to summary
public byte[] getEncodedValue() Implements javax.naming.ldap.ExtendedResponse.getEncodedValue. Retrieves the StartTLS response's ASN.1 BER encoded value. Since the response has no defined value, null is always returned. Returns:byte[] The null value.

getEncodedValue

back to summary

public byte[] getEncodedValue()

Implements javax.naming.ldap.ExtendedResponse.getEncodedValue.

Retrieves the StartTLS response's ASN.1 BER encoded value. Since the response has no defined value, null is always returned.

Returns:byte[]: The null value.

getID	back to summary
public String getID() Implements javax.naming.ldap.ExtendedResponse.getID. Retrieves the StartTLS response's object identifier string. Returns:String The object identifier string, "1.3.6.1.4.1.1466.20037".

getID

back to summary

public String getID()

Implements javax.naming.ldap.ExtendedResponse.getID.

Retrieves the StartTLS response's object identifier string.

Returns:String: The object identifier string, "1.3.6.1.4.1.1466.20037".

negotiate back to summary

negotiate	back to summary
public abstract SSLSession negotiate() throws IOException Negotiates a TLS session using the default SSL socket factory. This method is equivalent to `negotiate(null)`. Returns:SSLSession The negotiated SSL session Exceptions IOException: If an IO error was encountered while establishing the TLS session. See Also `setEnabledCipherSuites`, `setHostnameVerifier`

public abstract SSLSession negotiate() throws IOException

Negotiates a TLS session using the default SSL socket factory.

This method is equivalent to negotiate(null).

Returns:SSLSession

The negotiated SSL session

Exceptions

IOException:: If an IO error was encountered while establishing the TLS session.

negotiate back to summary

negotiate	back to summary
public abstract SSLSession negotiate(SSLSocketFactory factory) throws IOException Negotiates a TLS session using an SSL socket factory. Creates an SSL socket using the supplied SSL socket factory and attaches it to the existing connection. Performs the TLS handshake and returns the negotiated session information. If cipher suites have been set via `setEnabledCipherSuites` then they are enabled before the TLS handshake begins. Hostname verification is performed after the TLS handshake completes. The default hostname verification performs a match of the server's hostname against the hostname information found in the server's certificate. If this verification fails and no callback has been set via `setHostnameVerifier` then the negotiation fails. If this verification fails and a callback has been set via `setHostnameVerifier`, then the callback is used to determine whether the negotiation succeeds. If an error occurs then the SSL socket is closed and an IOException is thrown. The underlying connection remains intact. Parameters factory:SSLSocketFactory The possibly null SSL socket factory to use. If null, the default SSL socket factory is used. Returns:SSLSession The negotiated SSL session Exceptions IOException: If an IO error was encountered while establishing the TLS session. See Also `setEnabledCipherSuites`, `setHostnameVerifier`

public abstract SSLSession negotiate(SSLSocketFactory factory) throws IOException

Negotiates a TLS session using an SSL socket factory.

Creates an SSL socket using the supplied SSL socket factory and attaches it to the existing connection. Performs the TLS handshake and returns the negotiated session information.

If cipher suites have been set via setEnabledCipherSuites then they are enabled before the TLS handshake begins.

Hostname verification is performed after the TLS handshake completes. The default hostname verification performs a match of the server's hostname against the hostname information found in the server's certificate. If this verification fails and no callback has been set via setHostnameVerifier then the negotiation fails. If this verification fails and a callback has been set via setHostnameVerifier, then the callback is used to determine whether the negotiation succeeds.

If an error occurs then the SSL socket is closed and an IOException is thrown. The underlying connection remains intact.

Parameters

factory:SSLSocketFactory: The possibly null SSL socket factory to use. If null, the default SSL socket factory is used.

Returns:SSLSession

The negotiated SSL session

Exceptions

IOException:: If an IO error was encountered while establishing the TLS session.

setEnabledCipherSuites back to summary

setEnabledCipherSuites	back to summary
public abstract void setEnabledCipherSuites(String[] suites) Overrides the default list of cipher suites enabled for use on the TLS connection. The cipher suites must have already been listed by `SSLSocketFactory.getSupportedCipherSuites()` as being supported. Even if a suite has been enabled, it still might not be used because the peer does not support it, or because the requisite certificates (and private keys) are not available. Parameters suites:String[] The non-null list of names of all the cipher suites to enable. See Also `negotiate`

public abstract void setEnabledCipherSuites(String[] suites)

Overrides the default list of cipher suites enabled for use on the TLS connection. The cipher suites must have already been listed by SSLSocketFactory.getSupportedCipherSuites() as being supported. Even if a suite has been enabled, it still might not be used because the peer does not support it, or because the requisite certificates (and private keys) are not available.

Parameters

suites:String[]: The non-null list of names of all the cipher suites to enable.

See Also

negotiate

setHostnameVerifier back to summary

setHostnameVerifier	back to summary
public abstract void setHostnameVerifier(HostnameVerifier verifier) Sets the hostname verifier used by `negotiate()` after the TLS handshake has completed and the default hostname verification has failed. `setHostnameVerifier()` must be called before `negotiate()` is invoked for it to have effect. If called after `negotiate()`, this method does not do anything. Parameters verifier:HostnameVerifier The non-null hostname verifier callback. See Also `negotiate`

public abstract void setHostnameVerifier(HostnameVerifier verifier)

Sets the hostname verifier used by negotiate() after the TLS handshake has completed and the default hostname verification has failed. setHostnameVerifier() must be called before negotiate() is invoked for it to have effect. If called after negotiate(), this method does not do anything.

Parameters

verifier:HostnameVerifier: The non-null hostname verifier callback.

See Also

negotiate

public abstract Class StartTlsResponse

Field Summary

Constructor Summary

Method Summary

Field Detail

Constructor Detail

Method Detail