javax.naming.ldap: abstract public class: StartTlsResponse

javax.naming.ldap
abstract public class: StartTlsResponse [javadoc | source]

java.lang.Object
   javax.naming.ldap.StartTlsResponse

All Implemented Interfaces:
ExtendedResponse

This class implements the LDAPv3 Extended Response for StartTLS as defined in Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security The object identifier for StartTLS is 1.3.6.1.4.1.1466.20037 and no extended response value is defined.

The Start TLS extended request and response are used to establish a TLS connection over the existing LDAP connection associated with the JNDI context on which extendedOperation() is invoked. Typically, a JNDI program uses the StartTLS extended request and response classes as follows.

import javax.naming.ldap.*;

// Open an LDAP association
LdapContext ctx = new InitialLdapContext();

// Perform a StartTLS extended operation
StartTlsResponse tls =
    (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

// Open a TLS connection (over the existing LDAP association) and get details
// of the negotiated TLS session: cipher suite, peer certificate, ...
SSLSession session = tls.negotiate();

// ... use ctx to perform protected LDAP operations

// Close the TLS connection (revert back to the underlying LDAP association)
tls.close();

// ... use ctx to perform unprotected LDAP operations

// Close the LDAP association
ctx.close;

Also see:

StartTlsRequest

since: 1.4 -

author: Vincent - Ryan

Field Summary
public static final String	OID	The StartTLS extended response's assigned object identifier is 1.3.6.1.4.1.1466.20037.

Constructor:
protected StartTlsResponse() { } Constructs a StartTLS extended response. A concrete subclass must have a public no-arg constructor.

Constructor:

 protected StartTlsResponse() {

}

Constructs a StartTLS extended response. A concrete subclass must have a public no-arg constructor.

Method from javax.naming.ldap.StartTlsResponse Summary:
close, getEncodedValue, getID, negotiate, negotiate, setEnabledCipherSuites, setHostnameVerifier

Methods from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from javax.naming.ldap.StartTlsResponse Detail:
abstract public void close() throws IOException Closes the TLS connection gracefully and reverts back to the underlying connection.
public byte[] getEncodedValue() { return null; } Retrieves the StartTLS response's ASN.1 BER encoded value. Since the response has no defined value, null is always returned.
public String getID() { return OID; } Retrieves the StartTLS response's object identifier string.
abstract public SSLSession negotiate() throws IOException Negotiates a TLS session using the default SSL socket factory. This method is equivalent to `negotiate(null)`.
abstract public SSLSession negotiate(SSLSocketFactory factory) throws IOException Negotiates a TLS session using an SSL socket factory. Creates an SSL socket using the supplied SSL socket factory and attaches it to the existing connection. Performs the TLS handshake and returns the negotiated session information. If cipher suites have been set via `setEnabledCipherSuites` then they are enabled before the TLS handshake begins. Hostname verification is performed after the TLS handshake completes. The default hostname verification performs a match of the server's hostname against the hostname information found in the server's certificate. If this verification fails and no callback has been set via `setHostnameVerifier` then the negotiation fails. If this verification fails and a callback has been set via `setHostnameVerifier`, then the callback is used to determine whether the negotiation succeeds. If an error occurs then the SSL socket is closed and an IOException is thrown. The underlying connection remains intact.
abstract public void setEnabledCipherSuites(String[] suites) Overrides the default list of cipher suites enabled for use on the TLS connection. The cipher suites must have already been listed by `SSLSocketFactory.getSupportedCipherSuites()` as being supported. Even if a suite has been enabled, it still might not be used because the peer does not support it, or because the requisite certificates (and private keys) are not available.
abstract public void setHostnameVerifier(HostnameVerifier verifier) Sets the hostname verifier used by `negotiate()` after the TLS handshake has completed and the default hostname verification has failed. `setHostnameVerifier()` must be called before `negotiate()` is invoked for it to have effect. If called after `negotiate()`, this method does not do anything.