Package com.unboundid.util.ssl
Class TLSCipherSuiteSelector
- java.lang.Object
  - com.unboundid.util.CommandLineTool
    - com.unboundid.util.ssl.TLSCipherSuiteSelector

@NotMutable @ThreadSafety(level=COMPLETELY_THREADSAFE) public final class TLSCipherSuiteSelector extends CommandLineTool
This class provides a utility for selecting the cipher suites that should be supported for TLS communication. The logic used to select the recommended TLS cipher suites is as follows:
- Only cipher suites that use the TLS protocol will be recommended. Legacy SSL suites will not be recommended, nor will any suites that use an unrecognized protocol.
- Any cipher suite that uses a NULL key exchange, authentication, bulk encryption, or digest algorithm will not be recommended.
- Any cipher suite that uses anonymous authentication will not be recommended.
- Any cipher suite that uses weakened export-grade encryption will not be recommended.
- Only cipher suites that use ECDHE, DHE, or RSA key exchange algorithms will be recommended. Other key agreement algorithms, including ECDH, DH, and KRB5, will not be recommended. Cipher suites that use a pre-shared key or password will not be recommended.
- Only cipher suites that use AES or ChaCha20 bulk encryption ciphers will be recommended. Other bulk cipher algorithms, including RC4, DES, 3DES, IDEA, Camellia, and ARIA, will not be recommended.
- Only cipher suites that use SHA-1 or SHA-2 digests will be recommended (although SHA-1 digests are de-prioritized). Other digest algorithms, like MD5, will not be recommended.

Also note that this class can be used as a command-line tool for debugging purposes.
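The rules above, restated as a stand-alone Java program that classifies JSSE-style cipher suite names and reports why a suite is rejected. This is an added example, not the SDK's own implementation: the name parsing, the treatment of names without _WITH_ as TLS 1.3 suites, the simplified preference order (SHA-1 suites last, then alphabetical) standing in for TLSCipherSuiteComparator, and the sample suite list are all assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;

// Added example: the selection rules from the class description applied to suite
// names. Not the SDK's code; ordering is a simplification of TLSCipherSuiteComparator.
public final class CipherSuiteRulesDemo {

  // Assumed preference order: SHA-1 suites after SHA-2 suites, then by name.
  static final Comparator<String> PREFERENCE =
      Comparator.comparingInt((String s) -> s.endsWith("_SHA") ? 1 : 0)
                .thenComparing(Comparator.naturalOrder());

  // Returns the reasons a suite is not recommended; an empty list means recommended.
  static List<String> reasonsNotRecommended(String suiteName) {
    List<String> reasons = new ArrayList<>();
    String name = suiteName.toUpperCase(Locale.ROOT);

    // Rule 1: TLS_ suites only; legacy SSL_ and unknown prefixes are rejected outright.
    if (name.startsWith("SSL_")) { reasons.add("legacy SSL suite"); return reasons; }
    if (!name.startsWith("TLS_")) { reasons.add("unrecognized protocol"); return reasons; }

    // Rules 2-4: NULL algorithms, anonymous authentication, export-grade encryption.
    if (name.contains("NULL")) reasons.add("NULL algorithm");
    if (name.contains("_ANON_")) reasons.add("anonymous authentication");
    if (name.contains("EXPORT")) reasons.add("export-grade encryption");

    // Split "TLS_<kx>_WITH_<cipher>_<digest>". Names without _WITH_ are treated as
    // TLS 1.3 suites, which carry no key-exchange component in the name (assumption).
    String body = name.substring(4);
    int with = body.indexOf("_WITH_");
    String kx = (with < 0) ? null : body.substring(0, with);
    String cipherAndDigest = (with < 0) ? body : body.substring(with + 6);

    // Rule 5: ECDHE, DHE, or RSA key exchange only; no ECDH/DH/KRB5, no PSK or SRP.
    if (kx != null) {
      if (kx.contains("PSK") || kx.contains("SRP")) {
        reasons.add("pre-shared key or password key exchange");
      } else if (!(kx.startsWith("ECDHE_") || kx.startsWith("DHE_")
                   || kx.equals("RSA") || kx.startsWith("RSA_EXPORT"))) {
        reasons.add("key exchange " + kx + " is not ECDHE, DHE, or RSA");
      }
    }

    // Rule 6: AES or ChaCha20 bulk encryption only.
    if (!(cipherAndDigest.startsWith("AES_") || cipherAndDigest.startsWith("CHACHA20_"))) {
      reasons.add("bulk cipher is not AES or ChaCha20");
    }

    // Rule 7: SHA-1 or SHA-2 digest only (SHA-1 is only de-prioritized, see PREFERENCE).
    String digest = cipherAndDigest.substring(cipherAndDigest.lastIndexOf('_') + 1);
    if (!(digest.equals("SHA") || digest.equals("SHA256")
          || digest.equals("SHA384") || digest.equals("SHA512"))) {
      reasons.add("digest " + digest + " is not SHA-1 or SHA-2");
    }
    return reasons;
  }

  public static void main(String[] args) {
    // Constructed sample input. In practice the list would come from
    // SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().
    List<String> supported = Arrays.asList(
        "TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5");

    TreeSet<String> recommended = new TreeSet<>(PREFERENCE);
    Map<String, List<String>> rejected = new TreeMap<>(PREFERENCE);
    for (String suite : supported) {
      List<String> reasons = reasonsNotRecommended(suite);
      if (reasons.isEmpty()) recommended.add(suite); else rejected.put(suite, reasons);
    }
    System.out.println("Recommended (most to least preferred):");
    recommended.forEach(s -> System.out.println("  " + s));
    System.out.println("Not recommended:");
    rejected.forEach((s, r) -> System.out.println("  " + s + " -> " + r));
  }
}
```

Of the constructed sample, the first five names pass every rule, with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA sorting last because of its SHA-1 digest; each of the remaining names is rejected for at least one of the listed reasons, and a suite such as TLS_RSA_WITH_NULL_SHA256 collects several.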
Constructor Summary
- TLSCipherSuiteSelector(java.io.OutputStream out, java.io.OutputStream err)
  Creates a new instance of this TLS cipher suite selector that will use the provided output streams.
-
Method Summary
- void addToolArguments(ArgumentParser parser)
  Adds the command-line arguments supported for use with this tool to the provided argument parser.
- ResultCode doToolProcessing()
  Performs the core set of processing for this tool.
- static java.util.SortedSet<java.lang.String> getDefaultCipherSuites()
  Retrieves the set of TLS cipher suites enabled by default in the JVM.
- static java.util.SortedMap<java.lang.String,java.util.List<java.lang.String>> getNonRecommendedCipherSuites()
  Retrieves a map containing the TLS cipher suites that are supported by the JVM but are not recommended for use.
- static java.lang.String[] getRecommendedCipherSuiteArray()
  Retrieves an array containing the recommended set of TLS cipher suites as selected by this class.
- static java.util.SortedSet<java.lang.String> getRecommendedCipherSuites()
  Retrieves the recommended set of TLS cipher suites as selected by this class.
- static java.util.SortedSet<java.lang.String> getSupportedCipherSuites()
  Retrieves the set of all TLS cipher suites supported by the JVM.
- java.lang.String getToolDescription()
  Retrieves a human-readable description for this tool.
- java.lang.String getToolName()
  Retrieves the name of this tool.
- java.lang.String getToolVersion()
  Retrieves a version string for this tool, if available.
- static ResultCode main(java.io.OutputStream out, java.io.OutputStream err, java.lang.String... args)
  Invokes this command-line program with the provided set of arguments.
- static void main(java.lang.String... args)
  Invokes this command-line program with the provided set of arguments.
- static java.util.Set<java.lang.String> selectSupportedCipherSuites(java.util.Collection<java.lang.String> potentialSuiteNames)
  Filters the provided collection of potential cipher suite names to retrieve a set of the suites that are supported by the JVM.

Methods inherited from class com.unboundid.util.CommandLineTool
addEnableSSLDebuggingArgument, createArgumentParser, defaultsToInteractiveMode, doExtendedArgumentValidation, doShutdownHookProcessing, err, getAdditionalDescriptionParagraphs, getErr, getExampleUsages, getMaxTrailingArguments, getMinTrailingArguments, getOriginalErr, getOriginalOut, getOut, getPasswordFileReader, getToolCompletionMessage, getTrailingArgumentsPlaceholder, logToolInvocationByDefault, out, registerShutdownHook, requestToolArgumentsInteractively, runTool, supportsInteractiveMode, supportsOutputFile, supportsPropertiesFile, wrapErr, wrapOut
Constructor Detail

TLSCipherSuiteSelector
public TLSCipherSuiteSelector(java.io.OutputStream out, java.io.OutputStream err)
Creates a new instance of this TLS cipher suite selector that will use the provided output streams. Note that this constructor should only be used when invoking it as a command-line tool.
- Parameters:
  out - The output stream to use for standard output. It may be null if standard output should be suppressed.
  err - The output stream to use for standard error. It may be null if standard error should be suppressed.

Method Detail

main
public static void main(java.lang.String... args)
Invokes this command-line program with the provided set of arguments.
- Parameters:
  args - The command-line arguments provided to this program.

main
public static ResultCode main(java.io.OutputStream out, java.io.OutputStream err, java.lang.String... args)
Invokes this command-line program with the provided set of arguments.
- Parameters:
  out - The output stream to use for standard output. It may be null if standard output should be suppressed.
  err - The output stream to use for standard error. It may be null if standard error should be suppressed.
  args - The command-line arguments provided to this program.
- Returns:
  A result code that indicates whether the processing was successful.

getSupportedCipherSuites
public static java.util.SortedSet<java.lang.String> getSupportedCipherSuites()
Retrieves the set of all TLS cipher suites supported by the JVM. The set will be sorted in order of most preferred to least preferred, as determined by the TLSCipherSuiteComparator.
- Returns:
  The set of all TLS cipher suites supported by the JVM.

getDefaultCipherSuites
public static java.util.SortedSet<java.lang.String> getDefaultCipherSuites()
Retrieves the set of TLS cipher suites enabled by default in the JVM. The set will be sorted in order of most preferred to least preferred, as determined by the TLSCipherSuiteComparator.
- Returns:
  The set of TLS cipher suites enabled by default in the JVM.

getRecommendedCipherSuites
public static java.util.SortedSet<java.lang.String> getRecommendedCipherSuites()
Retrieves the recommended set of TLS cipher suites as selected by this class. The set will be sorted in order of most preferred to least preferred, as determined by the TLSCipherSuiteComparator.
- Returns:
  The recommended set of TLS cipher suites as selected by this class.

getRecommendedCipherSuiteArray
public static java.lang.String[] getRecommendedCipherSuiteArray()
Retrieves an array containing the recommended set of TLS cipher suites as selected by this class. The array will be sorted in order of most preferred to least preferred, as determined by the TLSCipherSuiteComparator.
- Returns:
  An array containing the recommended set of TLS cipher suites as selected by this class.

getNonRecommendedCipherSuites
public static java.util.SortedMap<java.lang.String,java.util.List<java.lang.String>> getNonRecommendedCipherSuites()
Retrieves a map containing the TLS cipher suites that are supported by the JVM but are not recommended for use. The keys of the map will be the names of the non-recommended cipher suites, sorted in order of most preferred to least preferred, as determined by the TLSCipherSuiteComparator. Each TLS cipher suite name will be mapped to a list of the reasons it is not recommended for use.
- Returns:
  A map containing the TLS cipher suites that are supported by the JVM but are not recommended for use.

getToolName
public java.lang.String getToolName()
Retrieves the name of this tool. It should be the name of the command used to invoke this tool.
- Specified by: getToolName in class CommandLineTool
- Returns:
  The name for this tool.

getToolDescription
public java.lang.String getToolDescription()
Retrieves a human-readable description for this tool. If the description should include multiple paragraphs, then this method should return the text for the first paragraph, and the CommandLineTool.getAdditionalDescriptionParagraphs() method should be used to return the text for the subsequent paragraphs.
- Specified by: getToolDescription in class CommandLineTool
- Returns:
  A human-readable description for this tool.

getToolVersion
public java.lang.String getToolVersion()
Retrieves a version string for this tool, if available.
- Overrides: getToolVersion in class CommandLineTool
- Returns:
  A version string for this tool, or null if none is available.

addToolArguments
public void addToolArguments(ArgumentParser parser) throws ArgumentException
Adds the command-line arguments supported for use with this tool to the provided argument parser. The tool may need to retain references to the arguments (and/or to the argument parser, if trailing arguments are allowed) in order to obtain their values for use in later processing.
- Specified by: addToolArguments in class CommandLineTool
- Parameters:
  parser - The argument parser to which the arguments are to be added.
- Throws:
  ArgumentException - If a problem occurs while adding any of the tool-specific arguments to the provided argument parser.

doToolProcessing
public ResultCode doToolProcessing()
Performs the core set of processing for this tool.
- Specified by: doToolProcessing in class CommandLineTool
- Returns:
  A result code that indicates whether the processing completed successfully.

selectSupportedCipherSuites
public static java.util.Set<java.lang.String> selectSupportedCipherSuites(java.util.Collection<java.lang.String> potentialSuiteNames)
Filters the provided collection of potential cipher suite names to retrieve a set of the suites that are supported by the JVM.
- Parameters:
  potentialSuiteNames - The collection of cipher suite names to be filtered.
- Returns:
  The set of provided cipher suites that are supported by the JVM, or an empty set if none of the provided suite names are supported by the JVM.
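Putting the selector's static methods to use, as an added example that is not part of the SDK's documentation: the recommended array is applied to a listening TLS socket through the standard JSSE SSLParameters API, an operator-supplied allow list is reduced with selectSupportedCipherSuites to what the running JVM can actually negotiate, and the JVM's default set is audited against the recommended set, printing the selector's reasons for each default suite it rejects. The class name, the helper names, the port, and the constructed allow list are assumptions; the server socket comes from the JVM's default SSLContext, which needs a configured key store before it can complete a handshake.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import java.util.SortedSet;
import java.util.TreeMap;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import com.unboundid.util.ssl.TLSCipherSuiteSelector;

// Added example (not SDK code): wiring TLSCipherSuiteSelector into JSSE and
// auditing the JVM defaults against its recommendations.
public final class RecommendedSuiteAudit {

  // Restricts a listening socket to the selector's recommended suites, in its
  // preferred order. The default SSLContext is used here (assumption); a real
  // server would build one with its own KeyManager.
  static SSLServerSocket openRestrictedListener(int port) throws Exception {
    SSLContext ctx = SSLContext.getDefault();
    SSLServerSocket server =
        (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
    SSLParameters params = server.getSSLParameters();
    params.setCipherSuites(TLSCipherSuiteSelector.getRecommendedCipherSuiteArray());
    params.setUseCipherSuitesOrder(true); // honour the server's preference order
    server.setSSLParameters(params);
    return server;
  }

  // Reduces an operator-supplied allow list to the suites this JVM can negotiate,
  // so a misspelled or unavailable name is caught at startup rather than showing
  // up later as a handshake failure.
  static Set<String> usableFromConfig(List<String> configured) {
    Set<String> usable = TLSCipherSuiteSelector.selectSupportedCipherSuites(configured);
    if (usable.isEmpty()) {
      throw new IllegalStateException(
          "none of the configured cipher suites is supported by this JVM: " + configured);
    }
    return usable;
  }

  // Suites enabled by default in this JVM that the selector would not recommend,
  // each mapped to the selector's reasons; preserves the selector's ordering.
  static SortedMap<String, List<String>> defaultsNotRecommended() {
    SortedSet<String> defaults = TLSCipherSuiteSelector.getDefaultCipherSuites();
    SortedMap<String, List<String>> rejected =
        TLSCipherSuiteSelector.getNonRecommendedCipherSuites();
    SortedMap<String, List<String>> result = new TreeMap<>(rejected.comparator());
    for (Map.Entry<String, List<String>> e : rejected.entrySet()) {
      if (defaults.contains(e.getKey())) {
        result.put(e.getKey(), e.getValue());
      }
    }
    return result;
  }

  public static void main(String[] args) throws Exception {
    System.out.println("Recommended: " + TLSCipherSuiteSelector.getRecommendedCipherSuites());
    defaultsNotRecommended().forEach((suite, reasons) ->
        System.out.println("Enabled by default but not recommended: " + suite + " -> " + reasons));

    // Constructed allow list: one modern suite and one deliberately bogus name,
    // which selectSupportedCipherSuites drops.
    List<String> configured = Arrays.asList("TLS_AES_256_GCM_SHA384", "TLS_NOT_A_REAL_SUITE");
    System.out.println("Usable from config: " + usableFromConfig(configured));

    // Port 0 lets the OS pick a free port; closed immediately for the demonstration.
    try (SSLServerSocket server = openRestrictedListener(0)) {
      System.out.println("Listening on port " + server.getLocalPort() + " with "
          + server.getEnabledCipherSuites().length + " enabled suites");
    }
  }
}
```

The audit in defaultsNotRecommended is the part worth running on every JVM upgrade: the default enabled set is chosen by the JDK vendor and changes between releases, so comparing it against the selector's output shows exactly which suites a server would offer if it relied on the defaults, together with the reason each one falls outside the recommended set.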