public abstract class SSLServerSocket extends ServerSocket
ServerSockets and
 provides secure server sockets using protocols such as the Secure
 Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.
 
 Instances of this class are generally created using a
 SSLServerSocketFactory.  The primary function
 of SSLServerSockets
 is to create SSLSockets by accepting
 connections.
 
 SSLServerSockets contain several pieces of state data
 which are inherited by the SSLSocket at
 socket creation.  These include the enabled cipher
 suites and protocols, whether client
 authentication is necessary, and whether created sockets should
 begin handshaking in client or server mode.  The state
 inherited by the created SSLSocket can be
 overriden by calling the appropriate methods.
ServerSocket, 
SSLSocket| Modifier | Constructor and Description | 
|---|---|
| protected  | SSLServerSocket()Used only by subclasses. | 
| protected  | SSLServerSocket(int port)Used only by subclasses. | 
| protected  | SSLServerSocket(int port,
               int backlog)Used only by subclasses. | 
| protected  | SSLServerSocket(int port,
               int backlog,
               InetAddress address)Used only by subclasses. | 
| Modifier and Type | Method and Description | 
|---|---|
| abstract String[] | getEnabledCipherSuites()Returns the list of cipher suites which are currently enabled
 for use by newly accepted connections. | 
| abstract String[] | getEnabledProtocols()Returns the names of the protocols which are currently
 enabled for use by the newly accepted connections. | 
| abstract boolean | getEnableSessionCreation()Returns true if new SSL sessions may be established by the
 sockets which are created from this server socket. | 
| abstract boolean | getNeedClientAuth()Returns true if client authentication will be required on
 newly  accepted server-modeSSLSockets. | 
| SSLParameters | getSSLParameters()Returns the SSLParameters in effect for newly accepted connections. | 
| abstract String[] | getSupportedCipherSuites()Returns the names of the cipher suites which could be enabled for use
 on an SSL connection. | 
| abstract String[] | getSupportedProtocols()Returns the names of the protocols which could be enabled for use. | 
| abstract boolean | getUseClientMode()Returns true if accepted connections will be in SSL client mode. | 
| abstract boolean | getWantClientAuth()Returns true if client authentication will be requested on
 newly accepted server-mode connections. | 
| abstract void | setEnabledCipherSuites(String[] suites)Sets the cipher suites enabled for use by accepted connections. | 
| abstract void | setEnabledProtocols(String[] protocols)Controls which particular protocols are enabled for use by
 accepted connections. | 
| abstract void | setEnableSessionCreation(boolean flag)Controls whether new SSL sessions may be established by the
 sockets which are created from this server socket. | 
| abstract void | setNeedClientAuth(boolean need)Controls whether  accepted server-modeSSLSocketswill be initially configured to
 require client authentication. | 
| void | setSSLParameters(SSLParameters params)Applies SSLParameters to newly accepted connections. | 
| abstract void | setUseClientMode(boolean mode)Controls whether accepted connections are in the (default) SSL
 server mode, or the SSL client mode. | 
| abstract void | setWantClientAuth(boolean want)Controls whether  accepted server-modeSSLSocketswill be initially configured to
 request client authentication. | 
accept, bind, bind, close, getChannel, getInetAddress, getLocalPort, getLocalSocketAddress, getReceiveBufferSize, getReuseAddress, getSoTimeout, implAccept, isBound, isClosed, setPerformancePreferences, setReceiveBufferSize, setReuseAddress, setSocketFactory, setSoTimeout, toStringprotected SSLServerSocket()
                   throws IOException
Create an unbound TCP server socket using the default authentication context.
IOException - if an I/O error occurs when creating the socketprotected SSLServerSocket(int port)
                   throws IOException
Create a TCP server socket on a port, using the default authentication context. The connection backlog defaults to fifty connections queued up before the system starts to reject new connection requests.
 A port number of 0 creates a socket on any free port.
 
 If there is a security manager, its checkListen
 method is called with the port argument as its
 argument to ensure the operation is allowed. This could result
 in a SecurityException.
port - the port on which to listenIOException - if an I/O error occurs when creating the socketSecurityException - if a security manager exists and its
         checkListen method doesn't allow the operation.IllegalArgumentException - if the port parameter is outside the
         specified range of valid port values, which is between 0 and
         65535, inclusive.SecurityManager.checkListen(int)protected SSLServerSocket(int port,
                          int backlog)
                   throws IOException
Create a TCP server socket on a port, using the default authentication context and a specified backlog of connections.
 A port number of 0 creates a socket on any free port.
 
 The backlog argument is the requested maximum number of
 pending connections on the socket. Its exact semantics are implementation
 specific. In particular, an implementation may impose a maximum length
 or may choose to ignore the parameter altogther. The value provided
 should be greater than 0. If it is less than or equal to
 0, then an implementation specific default will be used.
 
 If there is a security manager, its checkListen
 method is called with the port argument as its
 argument to ensure the operation is allowed. This could result
 in a SecurityException.
port - the port on which to listenbacklog - requested maximum length of the queue of incoming
                  connections.IOException - if an I/O error occurs when creating the socketSecurityException - if a security manager exists and its
         checkListen method doesn't allow the operation.IllegalArgumentException - if the port parameter is outside the
         specified range of valid port values, which is between 0 and
         65535, inclusive.SecurityManager.checkListen(int)protected SSLServerSocket(int port,
                          int backlog,
                          InetAddress address)
                   throws IOException
Create a TCP server socket on a port, using the default authentication context and a specified backlog of connections as well as a particular specified network interface. This constructor is used on multihomed hosts, such as those used for firewalls or as routers, to control through which interface a network service is provided.
 If there is a security manager, its checkListen
 method is called with the port argument as its
 argument to ensure the operation is allowed. This could result
 in a SecurityException.
 
 A port number of 0 creates a socket on any free port.
 
 The backlog argument is the requested maximum number of
 pending connections on the socket. Its exact semantics are implementation
 specific. In particular, an implementation may impose a maximum length
 or may choose to ignore the parameter altogther. The value provided
 should be greater than 0. If it is less than or equal to
 0, then an implementation specific default will be used.
 
If address is null, it will default accepting connections on any/all local addresses.
port - the port on which to listenbacklog - requested maximum length of the queue of incoming
                  connections.address - the address of the network interface through
          which connections will be acceptedIOException - if an I/O error occurs when creating the socketSecurityException - if a security manager exists and its
         checkListen method doesn't allow the operation.IllegalArgumentException - if the port parameter is outside the
         specified range of valid port values, which is between 0 and
         65535, inclusive.SecurityManager.checkListen(int)public abstract String[] getEnabledCipherSuites()
If this list has not been explicitly modified, a system-provided default guarantees a minimum quality of service in all enabled cipher suites.
There are several reasons why an enabled cipher suite might not actually be used. For example: the server socket might not have appropriate private keys available to it or the cipher suite might be anonymous, precluding the use of client authentication, while the server socket has been told to require that sort of authentication.
getSupportedCipherSuites(), 
setEnabledCipherSuites(String [])public abstract void setEnabledCipherSuites(String[] suites)
 The cipher suites must have been listed by getSupportedCipherSuites()
 as being supported.  Following a successful call to this method,
 only suites listed in the suites parameter are enabled
 for use.
 
Suites that require authentication information which is not available in this ServerSocket's authentication context will not be used in any case, even if they are enabled.
 SSLSockets returned from accept()
 inherit this setting.
suites - Names of all the cipher suites to enableIllegalArgumentException - when one or more of ciphers
          named by the parameter is not supported, or when
          the parameter is null.getSupportedCipherSuites(), 
getEnabledCipherSuites()public abstract String[] getSupportedCipherSuites()
Normally, only a subset of these will actually be enabled by default, since this list may include cipher suites which do not meet quality of service requirements for those defaults. Such cipher suites are useful in specialized applications.
getEnabledCipherSuites(), 
setEnabledCipherSuites(String [])public abstract String[] getSupportedProtocols()
getEnabledProtocols(), 
setEnabledProtocols(String [])public abstract String[] getEnabledProtocols()
getSupportedProtocols(), 
setEnabledProtocols(String [])public abstract void setEnabledProtocols(String[] protocols)
 The protocols must have been listed by
 getSupportedProtocols() as being supported.
 Following a successful call to this method, only protocols listed
 in the protocols parameter are enabled for use.
 
 SSLSockets returned from accept()
 inherit this setting.
protocols - Names of all the protocols to enable.IllegalArgumentException - when one or more of
            the protocols named by the parameter is not supported or
            when the protocols parameter is null.getEnabledProtocols(), 
getSupportedProtocols()public abstract void setNeedClientAuth(boolean need)
accepted server-mode
 SSLSockets will be initially configured to
 require client authentication.
 A socket's client authentication setting is one of the following:
 Unlike setWantClientAuth(boolean), if the accepted
 socket's option is set and the client chooses not to provide
 authentication information about itself, the negotiations
 will stop and the connection will be dropped.
 
 Calling this method overrides any previous setting made by
 this method or setWantClientAuth(boolean).
 
 The initial inherited setting may be overridden by calling
 SSLSocket.setNeedClientAuth(boolean) or
 SSLSocket.setWantClientAuth(boolean).
need - set to true if client authentication is required,
          or false if no client authentication is desired.getNeedClientAuth(), 
setWantClientAuth(boolean), 
getWantClientAuth(), 
setUseClientMode(boolean)public abstract boolean getNeedClientAuth()
accepted server-mode SSLSockets.
 
 The initial inherited setting may be overridden by calling
 SSLSocket.setNeedClientAuth(boolean) or
 SSLSocket.setWantClientAuth(boolean).
setNeedClientAuth(boolean), 
setWantClientAuth(boolean), 
getWantClientAuth(), 
setUseClientMode(boolean)public abstract void setWantClientAuth(boolean want)
accepted server-mode
 SSLSockets will be initially configured to
 request client authentication.
 A socket's client authentication setting is one of the following:
 Unlike setNeedClientAuth(boolean), if the accepted
 socket's option is set and the client chooses not to provide
 authentication information about itself, the negotiations
 will continue.
 
 Calling this method overrides any previous setting made by
 this method or setNeedClientAuth(boolean).
 
 The initial inherited setting may be overridden by calling
 SSLSocket.setNeedClientAuth(boolean) or
 SSLSocket.setWantClientAuth(boolean).
want - set to true if client authentication is requested,
          or false if no client authentication is desired.getWantClientAuth(), 
setNeedClientAuth(boolean), 
getNeedClientAuth(), 
setUseClientMode(boolean)public abstract boolean getWantClientAuth()
 The initial inherited setting may be overridden by calling
 SSLSocket.setNeedClientAuth(boolean) or
 SSLSocket.setWantClientAuth(boolean).
setWantClientAuth(boolean), 
setNeedClientAuth(boolean), 
getNeedClientAuth(), 
setUseClientMode(boolean)public abstract void setUseClientMode(boolean mode)
Servers normally authenticate themselves, and clients are not required to do so.
In rare cases, TCP servers need to act in the SSL client mode on newly accepted connections. For example, FTP clients acquire server sockets and listen there for reverse connections from the server. An FTP client would use an SSLServerSocket in "client" mode to accept the reverse connection while the FTP server uses an SSLSocket with "client" mode disabled to initiate the connection. During the resulting handshake, existing SSL sessions may be reused.
 SSLSockets returned from accept()
 inherit this setting.
mode - true if newly accepted connections should use SSL
          client mode.getUseClientMode()public abstract boolean getUseClientMode()
setUseClientMode(boolean)public abstract void setEnableSessionCreation(boolean flag)
 SSLSockets returned from accept()
 inherit this setting.
flag - true indicates that sessions may be created; this
          is the default. false indicates that an existing session
          must be resumed.getEnableSessionCreation()public abstract boolean getEnableSessionCreation()
setEnableSessionCreation(boolean)public SSLParameters getSSLParameters()
setSSLParameters(SSLParameters)public void setSSLParameters(SSLParameters params)
This means:
params.getCipherSuites() is non-null,
   setEnabledCipherSuites() is called with that value.params.getProtocols() is non-null,
   setEnabledProtocols() is called with that value.params.getNeedClientAuth() or
   params.getWantClientAuth() return true,
   setNeedClientAuth(true) and
   setWantClientAuth(true) are called, respectively;
   otherwise setWantClientAuth(false) is called.params.getServerNames() is non-null, the socket will
   configure its server names with that value.params.getSNIMatchers() is non-null, the socket will
   configure its SNI matchers with that value.params - the parametersIllegalArgumentException - if the setEnabledCipherSuites() or
    the setEnabledProtocols() call failsgetSSLParameters() Submit a bug or feature 
For further API reference and developer documentation, see Java SE Documentation. That documentation contains more detailed, developer-targeted descriptions, with conceptual overviews, definitions of terms, workarounds, and working code examples.
 Copyright © 1993, 2025, Oracle and/or its affiliates.  All rights reserved. Use is subject to license terms. Also see the documentation redistribution policy.