Added in API level 1

SSLSocket

abstract class SSLSocket : Socket

This class extends Sockets and provides secure socket using protocols such as the "Secure Sockets Layer" (SSL) or IETF "Transport Layer Security" (TLS) protocols.

Such sockets are normal stream sockets, but they add a layer of security protections over the underlying network transport protocol, such as TCP. Those protections include:

  • Integrity Protection. SSL protects against modification of messages by an active wiretapper.
  • Authentication. In most modes, SSL provides peer authentication. Servers are usually authenticated, and clients may be authenticated as requested by servers.
  • Confidentiality (Privacy Protection). In most modes, SSL encrypts data being sent between client and server. This protects the confidentiality of data, so that passive wiretappers won't see sensitive data such as financial information or personal information of many kinds.

These kinds of protection are specified by a "cipher suite", which is a combination of cryptographic algorithms used by a given SSL connection. During the negotiation process, the two endpoints must agree on a ciphersuite that is available in both environments. If there is no such suite in common, no SSL connection can be established, and no data can be exchanged.

The cipher suite used is established by a negotiation process called "handshaking". The goal of this process is to create or rejoin a "session", which may protect many connections over time. After handshaking has completed, you can access session attributes by using the getSession method. The initial handshake on this connection can be initiated in one of three ways:

  • calling startHandshake which explicitly begins handshakes, or
  • any attempt to read or write application data on this socket causes an implicit handshake, or
  • a call to getSession tries to set up a session if there is no currently valid session, and an implicit handshake is done.

If handshaking fails for any reason, the SSLSocket is closed, and no further communications can be done.

There are two groups of cipher suites which you will need to know about when managing cipher suites:

  • Supported cipher suites: all the suites which are supported by the SSL implementation. This list is reported using getSupportedCipherSuites.
  • Enabled cipher suites, which may be fewer than the full set of supported suites. This group is set using the setEnabledCipherSuites method, and queried using the getEnabledCipherSuites method. Initially, a default set of cipher suites will be enabled on a new socket that represents the minimum suggested configuration.

Implementation defaults require that only cipher suites which authenticate servers and provide confidentiality be enabled by default. Only if both sides explicitly agree to unauthenticated and/or non-private (unencrypted) communications will such a ciphersuite be selected.

When SSLSockets are first created, no handshaking is done so that applications may first set their communication preferences: what cipher suites to use, whether the socket should be in client or server mode, etc. However, security is always provided by the time that application data is sent over the connection.

You may register to receive event notification of handshake completion. This involves the use of two additional classes. HandshakeCompletedEvent objects are passed to HandshakeCompletedListener instances, which are registered by users of this API. SSLSockets are created by SSLSocketFactorys, or by accepting a connection from a SSLServerSocket.

A SSL socket must choose to operate in the client or server mode. This will determine who begins the handshaking process, as well as which messages should be sent by each party. Each connection must have one client and one server, or handshaking will not progress properly. Once the initial handshaking has started, a socket can not switch between client and server modes, even when performing renegotiations.

Default configuration for different Android versions

SSLSocket instances obtained from default SSLSocketFactory, SSLServerSocketFactory, and SSLContext are configured as follows:

Protocols

Client socket:

Protocol Supported (API Levels) Enabled by default (API Levels)
SSLv3 1–25 1–22
TLSv1 1+ 1+
TLSv1.1 16+ 20+
TLSv1.2 16+ 20+
TLSv1.3 29+ 29+

Server socket:

Protocol Supported (API Levels) Enabled by default (API Levels)
SSLv3 1–25 1–22
TLSv1 1+ 1+
TLSv1.1 16+ 16+
TLSv1.2 16+ 16+
TLSv1.3 29+ 29+

Cipher suites

Methods that operate with cipher suite names (for example, getSupportedCipherSuites, setEnabledCipherSuites) have used standard names for cipher suites since API Level 9, as listed in the table below. Prior to API Level 9, non-standard (OpenSSL) names had been used (see the table following this table).

Cipher suite Supported (API Levels) Enabled by default (API Levels)
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_DES_CBC_SHA 9-22 9-19
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 9-22
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 9-22
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 9-22
SSL_DH_anon_WITH_DES_CBC_SHA 9-22
SSL_DH_anon_WITH_RC4_128_MD5 9-22
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_RSA_EXPORT_WITH_RC4_40_MD5 9-22 9-19
SSL_RSA_WITH_3DES_EDE_CBC_SHA 9+ 9-19
SSL_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_RSA_WITH_NULL_MD5 9-22
SSL_RSA_WITH_NULL_SHA 9-22
SSL_RSA_WITH_RC4_128_MD5 9-25 9-19
SSL_RSA_WITH_RC4_128_SHA 9-25 9-23
TLS_AES_128_GCM_SHA256 29+ 29+
TLS_AES_256_GCM_SHA384 29+ 29+
TLS_CHACHA20_POLY1305_SHA256 29+ 29+
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 9-22 9-22
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 9-22 11-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 20-22
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 9-25 9-25
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 20-25 20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 9-25 11-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 20-25 20-25
TLS_DH_anon_WITH_AES_128_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_128_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_128_GCM_SHA256 20-22
TLS_DH_anon_WITH_AES_256_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_256_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 11+ 11+
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 20-28
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 11+ 11+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 20-28
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_ECDSA_WITH_NULL_SHA 11-22
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 11-25 11-23
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 11+ 11+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 20-28
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 11+ 11+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 20-28
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_NULL_SHA 11-22
TLS_ECDHE_RSA_WITH_RC4_128_SHA 11-25 11-23
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_ECDSA_WITH_NULL_SHA 11-22
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_RSA_WITH_NULL_SHA 11-22
TLS_ECDH_RSA_WITH_RC4_128_SHA 11-22 11-19
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 11-22
TLS_ECDH_anon_WITH_AES_128_CBC_SHA 11-22
TLS_ECDH_anon_WITH_AES_256_CBC_SHA 11-22
TLS_ECDH_anon_WITH_NULL_SHA 11-22
TLS_ECDH_anon_WITH_RC4_128_SHA 11-22
TLS_EMPTY_RENEGOTIATION_INFO_SCSV 11+ 11+
TLS_FALLBACK_SCSV 21+
TLS_PSK_WITH_3DES_EDE_CBC_SHA 21-22
TLS_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_PSK_WITH_RC4_128_SHA 21-25
TLS_RSA_WITH_AES_128_CBC_SHA 9+ 9+
TLS_RSA_WITH_AES_128_CBC_SHA256 20-28
TLS_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_RSA_WITH_AES_256_CBC_SHA 9+ 11+
TLS_RSA_WITH_AES_256_CBC_SHA256 20-28
TLS_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_RSA_WITH_NULL_SHA256 20-22

NOTE: PSK cipher suites are enabled by default only if the SSLContext through which the socket was created has been initialized with a PSKKeyManager.

API Levels 1 to 8 use OpenSSL names for cipher suites. The table below lists these OpenSSL names and their corresponding standard names used in API Levels 9 and newer.

OpenSSL cipher suite Standard cipher suite Supported (API Levels) Enabled by default (API Levels)
AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA 1+ 1+
AES256-SHA TLS_RSA_WITH_AES_256_CBC_SHA 1+ 1–8, 11+
DES-CBC-MD5 SSL_CK_DES_64_CBC_WITH_MD5 1–8 1–8
DES-CBC-SHA SSL_RSA_WITH_DES_CBC_SHA 1–22 1–19
DES-CBC3-MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 1–8 1–8
DES-CBC3-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA 1+ 1–19
DHE-DSS-AES128-SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA 1–22 1–22
DHE-DSS-AES256-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA 1–22 1–8, 11–22
DHE-RSA-AES128-SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA 1+ 1+
DHE-RSA-AES256-SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA 1+ 1–8, 11+
EDH-DSS-DES-CBC-SHA SSL_DHE_DSS_WITH_DES_CBC_SHA 1–22 1–19
EDH-DSS-DES-CBC3-SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 1–22 1–19
EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_WITH_DES_CBC_SHA 1–22 1–19
EDH-RSA-DES-CBC3-SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1–22 1–19
EXP-DES-CBC-SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 1–22 1–19
EXP-EDH-DSS-DES-CBC-SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 1–22 1–19
EXP-EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 1–22 1–19
EXP-RC2-CBC-MD5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 1–8 1–8
EXP-RC4-MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5 1–22 1–19
RC2-CBC-MD5 SSL_CK_RC2_128_CBC_WITH_MD5 1–8 1–8
RC4-MD5 SSL_RSA_WITH_RC4_128_MD5 1–25 1–19
RC4-SHA SSL_RSA_WITH_RC4_128_SHA 1–25 1–23

Summary

Protected constructors

Used only by subclasses.

SSLSocket(host: String!, port: Int)

Used only by subclasses.

SSLSocket(host: String!, port: Int, clientAddress: InetAddress!, clientPort: Int)

Used only by subclasses.

SSLSocket(address: InetAddress!, port: Int)

Used only by subclasses.

SSLSocket(address: InetAddress!, port: Int, clientAddress: InetAddress!, clientPort: Int)

Used only by subclasses.

Public methods
abstract Unit

Registers an event listener to receive notifications that an SSL handshake has completed on this connection.

open String!

Returns the most recent application protocol value negotiated for this connection.

abstract Boolean

Returns true if new SSL sessions may be established by this socket.

abstract Array<String!>!

Returns the names of the SSL cipher suites which are currently enabled for use on this connection.

abstract Array<String!>!

Returns the names of the protocol versions which are currently enabled for use on this connection.

open String!

Returns the application protocol value negotiated on a SSL/TLS handshake currently in progress.

open BiFunction<SSLSocket!, MutableList<String!>!, String!>!

Retrieves the callback function that selects an application protocol value during a SSL/TLS handshake.

open SSLSession!

Returns the SSLSession being constructed during a SSL/TLS handshake.

abstract Boolean

Returns true if the socket will require client authentication.

open SSLParameters!

Returns the SSLParameters in effect for this SSLSocket.

abstract SSLSession!

Returns the SSL Session in use by this connection.

abstract Array<String!>!

Returns the names of the cipher suites which could be enabled for use on this connection.

abstract Array<String!>!

Returns the names of the protocols which could be enabled for use on an SSL connection.

abstract Boolean

Returns true if the socket is set to use client mode when handshaking.

abstract Boolean

Returns true if the socket will request client authentication.

abstract Unit

Removes a previously registered handshake completion listener.

abstract Unit

Controls whether new SSL sessions may be established by this socket.

abstract Unit

Sets the cipher suites enabled for use on this connection.

abstract Unit

Sets the protocol versions enabled for use on this connection.

open Unit

Registers a callback function that selects an application protocol value for a SSL/TLS handshake.

abstract Unit

Configures the socket to require client authentication.

open Unit

Applies SSLParameters to this socket.

abstract Unit

Configures the socket to use client (or server) mode when handshaking.

abstract Unit

Configures the socket to request client authentication.

abstract Unit

Starts an SSL handshake on this connection.

open String

Inherited functions
Unit bind(bindpoint: SocketAddress!)

Binds the socket to a local address.

If the address is null, then the system will pick up an ephemeral port and a valid local address to bind the socket.

Unit close()

Closes this socket.

Any thread currently blocked in an I/O operation upon this socket will throw a SocketException.

Once a socket has been closed, it is not available for further networking use (i.e. can't be reconnected or rebound). A new socket needs to be created.

Closing this socket will also close the socket's InputStream and OutputStream.

If this socket has an associated channel then the channel is closed as well.

Unit connect(endpoint: SocketAddress!)

Connects this socket to the server.

Unit connect(endpoint: SocketAddress!, timeout: Int)

Connects this socket to the server with a specified timeout value. A timeout of zero is interpreted as an infinite timeout. The connection will then block until established or an error occurs.

SocketChannel! getChannel()

Returns the unique SocketChannel object associated with this socket, if any.

A socket will have a channel if, and only if, the channel itself was created via the java.nio.channels.SocketChannel#open or ServerSocketChannel.accept methods.

InetAddress! getInetAddress()

Returns the address to which the socket is connected.

If the socket was connected prior to being #close, then this method will continue to return the connected address after the socket is closed.

InputStream! getInputStream()

Returns an input stream for this socket.

If this socket has an associated channel then the resulting input stream delegates all of its operations to the channel. If the channel is in non-blocking mode then the input stream's read operations will throw an java.nio.channels.IllegalBlockingModeException.

Under abnormal conditions the underlying connection may be broken by the remote host or the network software (for example a connection reset in the case of TCP connections). When a broken connection is detected by the network software the following applies to the returned input stream :-

  • The network software may discard bytes that are buffered by the socket. Bytes that aren't discarded by the network software can be read using java.io.InputStream#read.
  • If there are no bytes buffered on the socket, or all buffered bytes have been consumed by java.io.InputStream#read, then all subsequent calls to java.io.InputStream#read will throw an IOException.
  • If there are no bytes buffered on the socket, and the socket has not been closed using #close, then available will return 0.

Closing the returned InputStream will close the associated socket.

Boolean getKeepAlive()

Tests if SO_KEEPALIVE is enabled.

InetAddress! getLocalAddress()

Gets the local address to which the socket is bound.

If there is a security manager set, its checkConnect method is called with the local address and -1 as its arguments to see if the operation is allowed. If the operation is not allowed, the loopback address is returned.

Int getLocalPort()

Returns the local port number to which this socket is bound.

If the socket was bound prior to being #close, then this method will continue to return the local port number after the socket is closed.

SocketAddress! getLocalSocketAddress()

Returns the address of the endpoint this socket is bound to.

If a socket bound to an endpoint represented by an InetSocketAddress is #close, then this method will continue to return an InetSocketAddress after the socket is closed. In that case the returned InetSocketAddress's address is the wildcard address and its port is the local port that it was bound to.

If there is a security manager set, its checkConnect method is called with the local address and -1 as its arguments to see if the operation is allowed. If the operation is not allowed, a SocketAddress representing the loopback address and the local port to which this socket is bound is returned.

Boolean getOOBInline()

Tests if SO_OOBINLINE is enabled.

T getOption(name: SocketOption<T>!)

Returns the value of a socket option.

OutputStream! getOutputStream()

Returns an output stream for this socket.

If this socket has an associated channel then the resulting output stream delegates all of its operations to the channel. If the channel is in non-blocking mode then the output stream's write operations will throw an .

Closing the returned OutputStream will close the associated socket.

Int getPort()

Returns the remote port number to which this socket is connected.

If the socket was connected prior to being #close, then this method will continue to return the connected port number after the socket is closed.

Int getReceiveBufferSize()

Gets the value of the SO_RCVBUF option for this Socket, that is the buffer size used by the platform for input on this Socket.

SocketAddress! getRemoteSocketAddress()

Returns the address of the endpoint this socket is connected to, or null if it is unconnected.

If the socket was connected prior to being #close, then this method will continue to return the connected address after the socket is closed.

Boolean getReuseAddress()

Tests if SO_REUSEADDR is enabled.

Int getSendBufferSize()

Get value of the SO_SNDBUF option for this Socket, that is the buffer size used by the platform for output on this Socket.

Int getSoLinger()

Returns setting for SO_LINGER. -1 returns implies that the option is disabled. The setting only affects socket close.

Int getSoTimeout()

Returns setting for SO_TIMEOUT. 0 returns implies that the option is disabled (i.e., timeout of infinity).

Boolean getTcpNoDelay()

Tests if TCP_NODELAY is enabled.

Int getTrafficClass()

Gets traffic class or type-of-service in the IP header for packets sent from this Socket

As the underlying network implementation may ignore the traffic class or type-of-service set using setTrafficClass(int) this method may return a different value than was previously set using the setTrafficClass(int) method on this Socket.

Boolean isBound()

Returns the binding state of the socket.

Note: Closing a socket doesn't clear its binding state, which means this method will return true for a closed socket (see isClosed()) if it was successfuly bound prior to being closed.

Boolean isClosed()

Returns the closed state of the socket.

Boolean isConnected()

Returns the connection state of the socket.

Note: Closing a socket doesn't clear its connection state, which means this method will return true for a closed socket (see isClosed()) if it was successfuly connected prior to being closed.

Boolean isInputShutdown()

Returns whether the read-half of the socket connection is closed.

Boolean isOutputShutdown()

Returns whether the write-half of the socket connection is closed.

Unit sendUrgentData(data: Int)

Send one byte of urgent data on the socket. The byte to be sent is the lowest eight bits of the data parameter. The urgent byte is sent after any preceding writes to the socket OutputStream and before any future writes to the OutputStream.

Unit setKeepAlive(on: Boolean)

Enable/disable SO_KEEPALIVE.

Unit setOOBInline(on: Boolean)

Enable/disable SO_OOBINLINE (receipt of TCP urgent data) By default, this option is disabled and TCP urgent data received on a socket is silently discarded. If the user wishes to receive urgent data, then this option must be enabled. When enabled, urgent data is received inline with normal data.

Note, only limited support is provided for handling incoming urgent data. In particular, no notification of incoming urgent data is provided and there is no capability to distinguish between normal data and urgent data unless provided by a higher level protocol.

Socket! setOption(name: SocketOption<T>!, value: T)

Sets the value of a socket option.

Unit setPerformancePreferences(connectionTime: Int, latency: Int, bandwidth: Int)

Sets performance preferences for this socket.

Sockets use the TCP/IP protocol by default. Some implementations may offer alternative protocols which have different performance characteristics than TCP/IP. This method allows the application to express its own preferences as to how these tradeoffs should be made when the implementation chooses from the available protocols.

Performance preferences are described by three integers whose values indicate the relative importance of short connection time, low latency, and high bandwidth. The absolute values of the integers are irrelevant; in order to choose a protocol the values are simply compared, with larger values indicating stronger preferences. Negative values represent a lower priority than positive values. If the application prefers short connection time over both low latency and high bandwidth, for example, then it could invoke this method with the values (1, 0, 0). If the application prefers high bandwidth above low latency, and low latency above short connection time, then it could invoke this method with the values (0, 1, 2).

Invoking this method after this socket has been connected will have no effect.

Unit setReceiveBufferSize(size: Int)

Sets the SO_RCVBUF option to the specified value for this Socket. The SO_RCVBUF option is used by the platform's networking code as a hint for the size to set the underlying network I/O buffers.

Increasing the receive buffer size can increase the performance of network I/O for high-volume connection, while decreasing it can help reduce the backlog of incoming data.

Because SO_RCVBUF is a hint, applications that want to verify what size the buffers were set to should call getReceiveBufferSize().

The value of SO_RCVBUF is also used to set the TCP receive window that is advertized to the remote peer. Generally, the window size can be modified at any time when a socket is connected. However, if a receive window larger than 64K is required then this must be requested before the socket is connected to the remote peer. There are two cases to be aware of:

  1. For sockets accepted from a ServerSocket, this must be done by calling ServerSocket.setReceiveBufferSize(int) before the ServerSocket is bound to a local address.
  2. For client sockets, setReceiveBufferSize() must be called before connecting the socket to its remote peer.

Unit setReuseAddress(on: Boolean)

Enable/disable the SO_REUSEADDR socket option.

When a TCP connection is closed the connection may remain in a timeout state for a period of time after the connection is closed (typically known as the TIME_WAIT state or 2MSL wait state). For applications using a well known socket address or port it may not be possible to bind a socket to the required SocketAddress if there is a connection in the timeout state involving the socket address or port.

Enabling SO_REUSEADDR prior to binding the socket using bind(java.net.SocketAddress) allows the socket to be bound even though a previous connection is in a timeout state.

When a Socket is created the initial setting of SO_REUSEADDR is disabled.

The behaviour when SO_REUSEADDR is enabled or disabled after a socket is bound (See isBound()) is not defined.

Unit setSendBufferSize(size: Int)

Sets the SO_SNDBUF option to the specified value for this Socket. The SO_SNDBUF option is used by the platform's networking code as a hint for the size to set the underlying network I/O buffers.

Because SO_SNDBUF is a hint, applications that want to verify what size the buffers were set to should call getSendBufferSize().

Unit setSoLinger(on: Boolean, linger: Int)

Enable/disable SO_LINGER with the specified linger time in seconds. The maximum timeout value is platform specific. The setting only affects socket close.

Unit setSoTimeout(timeout: Int)

Enable/disable SO_TIMEOUT with the specified timeout, in milliseconds. With this option set to a non-zero timeout, a read() call on the InputStream associated with this Socket will block for only this amount of time. If the timeout expires, a java.net.SocketTimeoutException is raised, though the Socket is still valid. The option must be enabled prior to entering the blocking operation to have effect. The timeout must be > 0. A timeout of zero is interpreted as an infinite timeout.

Unit setSocketImplFactory(fac: SocketImplFactory!)

Sets the client socket implementation factory for the application. The factory can be specified only once.

When an application creates a new client socket, the socket implementation factory's createSocketImpl method is called to create the actual socket implementation.

Passing null to the method is a no-op unless the factory was already set.

If there is a security manager, this method first calls the security manager's checkSetFactory method to ensure the operation is allowed. This could result in a SecurityException.

Unit setTcpNoDelay(on: Boolean)

Enable/disable TCP_NODELAY (disable/enable Nagle's algorithm).

Unit setTrafficClass(tc: Int)

Sets traffic class or type-of-service octet in the IP header for packets sent from this Socket. As the underlying network implementation may ignore this value applications should consider it a hint.

The tc must be in the range 0 <= tc <= 255 or an IllegalArgumentException will be thrown.

Notes:

For Internet Protocol v4 the value consists of an integer, the least significant 8 bits of which represent the value of the TOS octet in IP packets sent by the socket. RFC 1349 defines the TOS values as follows:

  • IPTOS_LOWCOST (0x02)
  • IPTOS_RELIABILITY (0x04)
  • IPTOS_THROUGHPUT (0x08)
  • IPTOS_LOWDELAY (0x10)
The last low order bit is always ignored as this corresponds to the MBZ (must be zero) bit.

Setting bits in the precedence field may result in a SocketException indicating that the operation is not permitted.

As RFC 1122 section 4.2.4.2 indicates, a compliant TCP implementation should, but is not required to, let application change the TOS field during the lifetime of a connection. So whether the type-of-service field can be changed after the TCP connection has been established depends on the implementation in the underlying platform. Applications should not assume that they can change the TOS field after the connection.

For Internet Protocol v6 tc is the value that would be placed into the sin6_flowinfo field of the IP header.

Unit shutdownInput()

Places the input stream for this socket at "end of stream". Any data sent to the input stream side of the socket is acknowledged and then silently discarded.

If you read from a socket input stream after invoking this method on the socket, the stream's available method will return 0, and its read methods will return -1 (end of stream).

Unit shutdownOutput()

Disables the output stream for this socket. For a TCP socket, any previously written data will be sent followed by TCP's normal connection termination sequence. If you write to a socket output stream after invoking shutdownOutput() on the socket, the stream will throw an IOException.

MutableSet<SocketOption<*>!>! supportedOptions()

Returns a set of the socket options supported by this socket. This method will continue to return the set of options even after the socket has been closed.

Protected constructors

SSLSocket

Added in API level 1
protected SSLSocket()

Used only by subclasses. Constructs an uninitialized, unconnected TCP socket.

SSLSocket

Added in API level 1
protected SSLSocket(
    host: String!,
    port: Int)

Used only by subclasses. Constructs a TCP connection to a named host at a specified port. This acts as the SSL client.

If there is a security manager, its checkConnect method is called with the host address and port as its arguments. This could result in a SecurityException.

Parameters
host String!: name of the host with which to connect, or null for the loopback address.
port Int: number of the server's port
Exceptions
java.io.IOException if an I/O error occurs when creating the socket
java.lang.SecurityException if a security manager exists and its checkConnect method doesn't allow the operation.
java.net.UnknownHostException if the host is not known
java.lang.IllegalArgumentException if the port parameter is outside the specified range of valid port values, which is between 0 and 65535, inclusive.

See Also

    SSLSocket

    Added in API level 1
    protected SSLSocket(
        host: String!,
        port: Int,
        clientAddress: InetAddress!,
        clientPort: Int)

    Used only by subclasses. Constructs an SSL connection to a named host at a specified port, binding the client side of the connection a given address and port. This acts as the SSL client.

    If there is a security manager, its checkConnect method is called with the host address and port as its arguments. This could result in a SecurityException.

    Parameters
    host String!: name of the host with which to connect, or null for the loopback address.
    port Int: number of the server's port
    clientAddress InetAddress!: the client's address the socket is bound to, or null for the anyLocal address.
    clientPort Int: the client's port the socket is bound to, or zero for a system selected free port.
    Exceptions
    java.io.IOException if an I/O error occurs when creating the socket
    java.lang.SecurityException if a security manager exists and its checkConnect method doesn't allow the operation.
    java.net.UnknownHostException if the host is not known
    java.lang.IllegalArgumentException if the port parameter or clientPort parameter is outside the specified range of valid port values, which is between 0 and 65535, inclusive.

    See Also

      SSLSocket

      Added in API level 1
      protected SSLSocket(
          address: InetAddress!,
          port: Int)

      Used only by subclasses. Constructs a TCP connection to a server at a specified address and port. This acts as the SSL client.

      If there is a security manager, its checkConnect method is called with the host address and port as its arguments. This could result in a SecurityException.

      Parameters
      address InetAddress!: the server's host
      port Int: its port
      Exceptions
      java.io.IOException if an I/O error occurs when creating the socket
      java.lang.SecurityException if a security manager exists and its checkConnect method doesn't allow the operation.
      java.lang.IllegalArgumentException if the port parameter is outside the specified range of valid port values, which is between 0 and 65535, inclusive.
      java.lang.NullPointerException if address is null.

      See Also

        SSLSocket

        Added in API level 1
        protected SSLSocket(
            address: InetAddress!,
            port: Int,
            clientAddress: InetAddress!,
            clientPort: Int)

        Used only by subclasses. Constructs an SSL connection to a server at a specified address and TCP port, binding the client side of the connection a given address and port. This acts as the SSL client.

        If there is a security manager, its checkConnect method is called with the host address and port as its arguments. This could result in a SecurityException.

        Parameters
        address InetAddress!: the server's host
        port Int: its port
        clientAddress InetAddress!: the client's address the socket is bound to, or null for the anyLocal address.
        clientPort Int: the client's port the socket is bound to, or zero for a system selected free port.
        Exceptions
        java.io.IOException if an I/O error occurs when creating the socket
        java.lang.SecurityException if a security manager exists and its checkConnect method doesn't allow the operation.
        java.lang.IllegalArgumentException if the port parameter or clientPort parameter is outside the specified range of valid port values, which is between 0 and 65535, inclusive.
        java.lang.NullPointerException if address is null.

        See Also

          Public methods

          addHandshakeCompletedListener

          Added in API level 1
          abstract fun addHandshakeCompletedListener(listener: HandshakeCompletedListener!): Unit

          Registers an event listener to receive notifications that an SSL handshake has completed on this connection.

          Parameters
          listener HandshakeCompletedListener!: the HandShake Completed event listener
          Exceptions
          java.lang.IllegalArgumentException if the argument is null.

          getApplicationProtocol

          Added in API level 29
          open fun getApplicationProtocol(): String!

          Returns the most recent application protocol value negotiated for this connection.

          If supported by the underlying SSL/TLS implementation, application name negotiation mechanisms such as RFC 7301 , the Application-Layer Protocol Negotiation (ALPN), can negotiate application-level values between peers.

          Return
          String! null if it has not yet been determined if application protocols might be used for this connection, an empty String if application protocols values will not be used, or a non-empty application protocol String if a value was successfully negotiated.
          Exceptions
          java.lang.UnsupportedOperationException if the underlying provider does not implement the operation.

          getEnableSessionCreation

          Added in API level 1
          abstract fun getEnableSessionCreation(): Boolean

          Returns true if new SSL sessions may be established by this socket.

          Return
          Boolean true indicates that sessions may be created; this is the default. false indicates that an existing session must be resumed

          getEnabledCipherSuites

          Added in API level 1
          abstract fun getEnabledCipherSuites(): Array<String!>!

          Returns the names of the SSL cipher suites which are currently enabled for use on this connection. When an SSLSocket is first created, all enabled cipher suites support a minimum quality of service. Thus, in some environments this value might be empty.

          Even if a suite has been enabled, it might never be used. (For example, the peer does not support it, the requisite certificates (and private keys) for the suite are not available, or an anonymous suite is enabled but authentication is required.

          Return
          Array<String!>! an array of cipher suite names

          getEnabledProtocols

          Added in API level 1
          abstract fun getEnabledProtocols(): Array<String!>!

          Returns the names of the protocol versions which are currently enabled for use on this connection.

          Return
          Array<String!>! an array of protocols

          See Also

            getHandshakeApplicationProtocol

            Added in API level 29
            open fun getHandshakeApplicationProtocol(): String!

            Returns the application protocol value negotiated on a SSL/TLS handshake currently in progress.

            Like getHandshakeSession(), a connection may be in the middle of a handshake. The application protocol may or may not yet be available.

            Return
            String! null if it has not yet been determined if application protocols might be used for this handshake, an empty String if application protocols values will not be used, or a non-empty application protocol String if a value was successfully negotiated.
            Exceptions
            java.lang.UnsupportedOperationException if the underlying provider does not implement the operation.

            getHandshakeApplicationProtocolSelector

            Added in API level 29
            open fun getHandshakeApplicationProtocolSelector(): BiFunction<SSLSocket!, MutableList<String!>!, String!>!

            Retrieves the callback function that selects an application protocol value during a SSL/TLS handshake. See setHandshakeApplicationProtocolSelector for the function's type parameters.

            Return
            BiFunction<SSLSocket!, MutableList<String!>!, String!>! the callback function, or null if none has been set.
            Exceptions
            java.lang.UnsupportedOperationException if the underlying provider does not implement the operation.

            getHandshakeSession

            Added in API level 24
            open fun getHandshakeSession(): SSLSession!

            Returns the SSLSession being constructed during a SSL/TLS handshake.

            TLS protocols may negotiate parameters that are needed when using an instance of this class, but before the SSLSession has been completely initialized and made available via getSession. For example, the list of valid signature algorithms may restrict the type of certificates that can used during TrustManager decisions, or the maximum TLS fragment packet sizes can be resized to better support the network environment.

            This method provides early access to the SSLSession being constructed. Depending on how far the handshake has progressed, some data may not yet be available for use. For example, if a remote server will be sending a Certificate chain, but that chain has yet not been processed, the getPeerCertificates method of SSLSession will throw a SSLPeerUnverifiedException. Once that chain has been processed, getPeerCertificates will return the proper value.

            Unlike getSession(), this method does not initiate the initial handshake and does not block until handshaking is complete.

            Return
            SSLSession! null if this instance is not currently handshaking, or if the current handshake has not progressed far enough to create a basic SSLSession. Otherwise, this method returns the SSLSession currently being negotiated.
            Exceptions
            java.lang.UnsupportedOperationException if the underlying provider does not implement the operation.

            getNeedClientAuth

            Added in API level 1
            abstract fun getNeedClientAuth(): Boolean

            Returns true if the socket will require client authentication. This option is only useful to sockets in the server mode.

            Return
            Boolean true if client authentication is required, or false if no client authentication is desired.

            getSSLParameters

            Added in API level 9
            open fun getSSLParameters(): SSLParameters!

            Returns the SSLParameters in effect for this SSLSocket. The ciphersuites and protocols of the returned SSLParameters are always non-null.

            Return
            SSLParameters! the SSLParameters in effect for this SSLSocket.

            getSession

            Added in API level 1
            abstract fun getSession(): SSLSession!

            Returns the SSL Session in use by this connection. These can be long lived, and frequently correspond to an entire login session for some user. The session specifies a particular cipher suite which is being actively used by all connections in that session, as well as the identities of the session's client and server.

            This method will initiate the initial handshake if necessary and then block until the handshake has been established.

            If an error occurs during the initial handshake, this method returns an invalid session object which reports an invalid cipher suite of "SSL_NULL_WITH_NULL_NULL".

            Return
            SSLSession! the SSLSession

            getSupportedCipherSuites

            Added in API level 1
            abstract fun getSupportedCipherSuites(): Array<String!>!

            Returns the names of the cipher suites which could be enabled for use on this connection. Normally, only a subset of these will actually be enabled by default, since this list may include cipher suites which do not meet quality of service requirements for those defaults. Such cipher suites might be useful in specialized applications.

            Applications should not blindly enable all supported cipher suites. The supported cipher suites can include signaling cipher suite values that can cause connection problems if enabled inappropriately.

            The proper way to use this method is to either check if a specific cipher suite is supported via Arrays.asList(getSupportedCipherSuites()).contains(...) or to filter a desired list of cipher suites to only the supported ones via desiredSuiteSet.retainAll(Arrays.asList(getSupportedCipherSuites())).

            Return
            Array<String!>! an array of cipher suite names

            getSupportedProtocols

            Added in API level 1
            abstract fun getSupportedProtocols(): Array<String!>!

            Returns the names of the protocols which could be enabled for use on an SSL connection.

            Return
            Array<String!>! an array of protocols supported

            getUseClientMode

            Added in API level 1
            abstract fun getUseClientMode(): Boolean

            Returns true if the socket is set to use client mode when handshaking.

            Return
            Boolean true if the socket should do handshaking in "client" mode

            getWantClientAuth

            Added in API level 1
            abstract fun getWantClientAuth(): Boolean

            Returns true if the socket will request client authentication. This option is only useful for sockets in the server mode.

            Return
            Boolean true if client authentication is requested, or false if no client authentication is desired.

            removeHandshakeCompletedListener

            Added in API level 1
            abstract fun removeHandshakeCompletedListener(listener: HandshakeCompletedListener!): Unit

            Removes a previously registered handshake completion listener.

            Parameters
            listener HandshakeCompletedListener!: the HandShake Completed event listener
            Exceptions
            java.lang.IllegalArgumentException if the listener is not registered, or the argument is null.

            setEnableSessionCreation

            Added in API level 1
            abstract fun setEnableSessionCreation(flag: Boolean): Unit

            Controls whether new SSL sessions may be established by this socket. If session creations are not allowed, and there are no existing sessions to resume, there will be no successful handshaking.

            Parameters
            flag Boolean: true indicates that sessions may be created; this is the default. false indicates that an existing session must be resumed

            setEnabledCipherSuites

            Added in API level 1
            abstract fun setEnabledCipherSuites(suites: Array<String!>!): Unit

            Sets the cipher suites enabled for use on this connection.

            Each cipher suite in the suites parameter must have been listed by getSupportedCipherSuites(), or the method will fail. Following a successful call to this method, only suites listed in the suites parameter are enabled for use.

            See getEnabledCipherSuites() for more information on why a specific ciphersuite may never be used on a connection.

            Parameters
            suites Array<String!>!: Names of all the cipher suites to enable
            Exceptions
            java.lang.IllegalArgumentException when one or more of the ciphers named by the parameter is not supported, or when the parameter is null.

            setEnabledProtocols

            Added in API level 1
            abstract fun setEnabledProtocols(protocols: Array<String!>!): Unit

            Sets the protocol versions enabled for use on this connection.

            The protocols must have been listed by getSupportedProtocols() as being supported. Following a successful call to this method, only protocols listed in the protocols parameter are enabled for use.

            Because of the way the protocol version is negotiated, connections will only be able to use a member of the lowest set of contiguous enabled protocol versions. For example, enabling TLSv1.2 and TLSv1 will result in connections only being able to use TLSv1.

            Parameters
            protocols Array<String!>!: Names of all the protocols to enable.
            Exceptions
            java.lang.IllegalArgumentException when one or more of the protocols named by the parameter is not supported or when the protocols parameter is null.

            setHandshakeApplicationProtocolSelector

            Added in API level 29
            open fun setHandshakeApplicationProtocolSelector(selector: BiFunction<SSLSocket!, MutableList<String!>!, String!>!): Unit

            Registers a callback function that selects an application protocol value for a SSL/TLS handshake. The function overrides any values supplied using SSLParameters.setApplicationProtocols and it supports the following type parameters:

            SSLSocket
            The function's first argument allows the current SSLSocket to be inspected, including the handshake session and configuration settings.
            List<String>
            The function's second argument lists the application protocol names advertised by the TLS peer.
            String
            The function's result is an application protocol name, or null to indicate that none of the advertised names are acceptable. If the return value is an empty String then application protocol indications will not be used. If the return value is null (no value chosen) or is a value that was not advertised by the peer, the underlying protocol will determine what action to take. (For example, ALPN will send a "no_application_protocol" alert and terminate the connection.)
            For example, the following call registers a callback function that examines the TLS handshake parameters and selects an application protocol name:
            <code>serverSocket.setHandshakeApplicationProtocolSelector(
                      (serverSocket, clientProtocols) -&gt; {
                          SSLSession session = serverSocket.getHandshakeSession();
                          return chooseApplicationProtocol(
                              serverSocket,
                              clientProtocols,
                              session.getProtocol(),
                              session.getCipherSuite());
                      });
              </code>

            Parameters
            selector BiFunction<SSLSocket!, MutableList<String!>!, String!>!: the callback function, or null to de-register.
            Exceptions
            java.lang.UnsupportedOperationException if the underlying provider does not implement the operation.

            setNeedClientAuth

            Added in API level 1
            abstract fun setNeedClientAuth(need: Boolean): Unit

            Configures the socket to require client authentication. This option is only useful for sockets in the server mode.

            A socket's client authentication setting is one of the following:

            • client authentication required
            • client authentication requested
            • no client authentication desired

            Unlike setWantClientAuth(boolean), if this option is set and the client chooses not to provide authentication information about itself, the negotiations will stop and the connection will be dropped.

            Calling this method overrides any previous setting made by this method or setWantClientAuth(boolean).

            Parameters
            need Boolean: set to true if client authentication is required, or false if no client authentication is desired.

            setSSLParameters

            Added in API level 9
            open fun setSSLParameters(params: SSLParameters!): Unit

            Applies SSLParameters to this socket.

            This means:

            • If params.getCipherSuites() is non-null, setEnabledCipherSuites() is called with that value.
            • If params.getProtocols() is non-null, setEnabledProtocols() is called with that value.
            • If params.getNeedClientAuth() or params.getWantClientAuth() return true, setNeedClientAuth(true) and setWantClientAuth(true) are called, respectively; otherwise setWantClientAuth(false) is called.
            • If params.getServerNames() is non-null, the socket will configure its server names with that value.
            • If params.getSNIMatchers() is non-null, the socket will configure its SNI matchers with that value.
            Parameters
            params SSLParameters!: the parameters
            Exceptions
            java.lang.IllegalArgumentException if the setEnabledCipherSuites() or the setEnabledProtocols() call fails

            setUseClientMode

            Added in API level 1
            abstract fun setUseClientMode(mode: Boolean): Unit

            Configures the socket to use client (or server) mode when handshaking.

            This method must be called before any handshaking occurs. Once handshaking has begun, the mode can not be reset for the life of this socket.

            Servers normally authenticate themselves, and clients are not required to do so.

            Parameters
            mode Boolean: true if the socket should start its handshaking in "client" mode
            Exceptions
            java.lang.IllegalArgumentException if a mode change is attempted after the initial handshake has begun.

            setWantClientAuth

            Added in API level 1
            abstract fun setWantClientAuth(want: Boolean): Unit

            Configures the socket to request client authentication. This option is only useful for sockets in the server mode.

            A socket's client authentication setting is one of the following:

            • client authentication required
            • client authentication requested
            • no client authentication desired

            Unlike setNeedClientAuth(boolean), if this option is set and the client chooses not to provide authentication information about itself, the negotiations will continue.

            Calling this method overrides any previous setting made by this method or setNeedClientAuth(boolean).

            Parameters
            want Boolean: set to true if client authentication is requested, or false if no client authentication is desired.

            startHandshake

            Added in API level 1
            abstract fun startHandshake(): Unit

            Starts an SSL handshake on this connection. Common reasons include a need to use new encryption keys, to change cipher suites, or to initiate a new session. To force complete reauthentication, the current session could be invalidated before starting this handshake.

            If data has already been sent on the connection, it continues to flow during this handshake. When the handshake completes, this will be signaled with an event. This method is synchronous for the initial handshake on a connection and returns when the negotiated handshake is complete. Some protocols may not support multiple handshakes on an existing socket and may throw an IOException.

            Exceptions
            java.io.IOException on a network level error

            toString

            Added in API level 1
            open fun toString(): String
            Return
            String a string representation of this socket.