java.lang.Object
- io.netty5.channel.ChannelHandlerAdapter
- - io.netty5.handler.codec.ByteToMessageDecoder
  - - io.netty5.handler.ssl.SslHandler

All Implemented Interfaces:

ChannelHandler
```
public class SslHandler
extends ByteToMessageDecoder
```
Adds SSL · TLS and StartTLS support to a Channel. Please refer to the "SecureChat" example in the distribution or the web site for the detailed usage.
Beginning the handshake

Beside using the handshake Future to get notified about the completion of the handshake it's also possible to detect it by implement the ChannelHandler.channelInboundEvent(ChannelHandlerContext, Object) method and check for a SslHandshakeCompletionEvent.
Handshake

The handshake will be automatically issued for you once the Channel is active and SSLEngine.getUseClientMode() returns true. So no need to bother with it by your self.
Closing the session

To close the SSL session, the closeOutbound() method should be called to send the close_notify message to the remote peer. One exception is when you close the Channel - SslHandler intercepts the close request and send the close_notify message before the channel closure automatically. Once the SSL session is closed, it is not reusable, and consequently you should create a new SslHandler with a new SSLEngine as explained in the following section.
Restarting the session

To restart the SSL session, you must remove the existing closed SslHandler from the ChannelPipeline, insert a new SslHandler with a new SSLEngine into the pipeline, and start the handshake process as described in the first section.
Implementing StartTLS

StartTLS is the communication pattern that secures the wire in the middle of the plaintext connection. Please note that it is different from SSL · TLS, that secures the wire from the beginning of the connection. Typically, StartTLS is composed of three steps:
1. Client sends a StartTLS request to server.
2. Server sends a StartTLS response to client.
3. Client begins SSL handshake.
If you implement a server, you need to:
1. create a new SslHandler instance with startTls flag set to true,
2. insert the SslHandler to the ChannelPipeline, and
3. write a StartTLS response.
Please note that you must insert SslHandler before sending the StartTLS response. Otherwise the client can send begin SSL handshake before SslHandler is inserted to the ChannelPipeline, causing data corruption.
The client-side implementation is much simpler.
1. Write a StartTLS request,
2. wait for the StartTLS response,
3. create a new SslHandler instance with startTls flag set to false,
4. insert the SslHandler to the ChannelPipeline, and
5. Initiate SSL handshake.
Known issues

Because of a known issue with the current implementation of the SslEngine that comes with Java it may be possible that you see blocked IO-Threads while a full GC is done.
So if you are affected you can workaround this problem by adjust the cache settings like shown below:
```
     SslContext context = ...;
     context.getServerSessionContext().setSessionCacheSize(someSaneSize);
     context.getServerSessionContext().setSessionTime(someSameTimeout);
 
```
What values to use here depends on the nature of your application and should be set based on monitoring and debugging of it. For more details see #832 in our issue tracker.

Nested Class Summary
- Nested classes/interfaces inherited from class io.netty5.handler.codec.ByteToMessageDecoder
  ByteToMessageDecoder.Cumulator

Field Summary
- Fields inherited from class io.netty5.handler.codec.ByteToMessageDecoder
  COMPOSITE_CUMULATOR, MERGE_CUMULATOR

Constructor Summary

Constructors
Constructor	Description
`SslHandler(SSLEngine engine)`	Creates a new instance which runs all delegated tasks directly on the `EventExecutor`.
`SslHandler(SSLEngine engine, boolean startTls)`	Creates a new instance which runs all delegated tasks directly on the `EventExecutor`.
`SslHandler(SSLEngine engine, boolean startTls, Executor delegatedTaskExecutor)`	Creates a new instance.
`SslHandler(SSLEngine engine, Executor delegatedTaskExecutor)`	Creates a new instance.

Method Summary

All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods
Modifier and Type	Method	Description
`String`	`applicationProtocol()`	Returns the name of the current application-level protocol.
`void`	`channelActive(ChannelHandlerContext ctx)`	Issues an initial TLS handshake once connected when used in client-mode
`void`	`channelExceptionCaught(ChannelHandlerContext ctx, Throwable cause)`	Gets called if a `Throwable` was thrown when handling inbound events.
`void`	`channelInactive(ChannelHandlerContext ctx)`	The `Channel` of the `ChannelHandlerContext` was registered is now inactive and reached its end of lifetime.
`void`	`channelReadComplete(ChannelHandlerContext ctx)`	Invoked when the last message read by the current read operation has been consumed by `ChannelHandler.channelRead(ChannelHandlerContext, Object)`.
`Future<Void>`	`close(ChannelHandlerContext ctx)`	Called once a close operation is made.
`Future<Void>`	`closeOutbound()`	Sends an SSL `close_notify` message to the specified channel and destroys the underlying `SSLEngine`.
`protected void`	`decode(ChannelHandlerContext ctx, Buffer in)`	Decode the from one `Buffer` to another.
`Future<Void>`	`disconnect(ChannelHandlerContext ctx)`	Called once a disconnect operation is made.
`SSLEngine`	`engine()`	Returns the `SSLEngine` which is used by this handler.
`void`	`flush(ChannelHandlerContext ctx)`	Called once a flush operation is made.
`long`	`getCloseNotifyFlushTimeoutMillis()`	Gets the timeout for flushing the close_notify that was triggered by closing the `Channel`.
`long`	`getCloseNotifyReadTimeoutMillis()`	Gets the timeout (in ms) for receiving the response for the close_notify that was triggered by closing the `Channel`.
`long`	`getCloseNotifyTimeoutMillis()`	Deprecated. use `getCloseNotifyFlushTimeoutMillis()`
`long`	`getHandshakeTimeoutMillis()`
`void`	`handlerAdded0(ChannelHandlerContext ctx)`
`void`	`handlerRemoved0(ChannelHandlerContext ctx)`	Gets called after the `ByteToMessageDecoder` was removed from the actual context and it doesn't handle events anymore.
`Future<Channel>`	`handshakeFuture()`	Returns a `Future` that will get notified once the current TLS handshake completes.
`static boolean`	`isEncrypted(Buffer buffer)`	Returns `true` if the given `Buffer` is encrypted.
`long`	`pendingOutboundBytes(ChannelHandlerContext ctx)`	The number of the outbound bytes that are buffered / queued in this `ChannelHandler`.
`void`	`read(ChannelHandlerContext ctx)`	Intercepts `ChannelHandlerContext.read()`.
`Future<Channel>`	`renegotiate()`	Performs TLS renegotiation.
`Future<Channel>`	`renegotiate(Promise<Channel> promise)`	Performs TLS renegotiation.
`void`	`setCloseNotifyFlushTimeout(long closeNotifyFlushTimeout, TimeUnit unit)`	Sets the timeout for flushing the close_notify that was triggered by closing the `Channel`.
`void`	`setCloseNotifyFlushTimeoutMillis(long closeNotifyFlushTimeoutMillis)`	See `setCloseNotifyFlushTimeout(long, TimeUnit)`.
`void`	`setCloseNotifyReadTimeout(long closeNotifyReadTimeout, TimeUnit unit)`	Sets the timeout for receiving the response for the close_notify that was triggered by closing the `Channel`.
`void`	`setCloseNotifyReadTimeoutMillis(long closeNotifyReadTimeoutMillis)`	See `setCloseNotifyReadTimeout(long, TimeUnit)`.
`void`	`setCloseNotifyTimeout(long closeNotifyTimeout, TimeUnit unit)`	Deprecated. use `setCloseNotifyFlushTimeout(long, TimeUnit)`
`void`	`setCloseNotifyTimeoutMillis(long closeNotifyFlushTimeoutMillis)`	Deprecated. use `setCloseNotifyFlushTimeoutMillis(long)`
`void`	`setHandshakeTimeout(long handshakeTimeout, TimeUnit unit)`
`void`	`setHandshakeTimeoutMillis(long handshakeTimeoutMillis)`
`void`	`setWrapDataSize(int wrapDataSize)`	Sets the number of bytes to pass to each `SSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer)` call.
`Future<Channel>`	`sslCloseFuture()`	Return the `Future` that will get notified if the inbound of the `SSLEngine` is closed.
`Future<Void>`	`write(ChannelHandlerContext ctx, Object msg)`	Called once a write operation is made.

Methods inherited from class io.netty5.handler.codec.ByteToMessageDecoder
actualReadableBytes, channelRead, channelShutdown, decodeLast, discardSomeReadBytes, handlerAdded, handlerRemoved, internalBuffer, isSharable, isSingleDecode, setSingleDecode

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.netty5.channel.ChannelHandler
bind, channelInboundEvent, channelRegistered, channelUnregistered, channelWritabilityChanged, connect, deregister, register, sendOutboundEvent, shutdown

- Constructor Detail
  - SslHandler
```
public SslHandler(SSLEngine engine)
```
    Creates a new instance which runs all delegated tasks directly on the EventExecutor.
    
    Parameters:
    
    engine - the SSLEngine this handler will use
  - SslHandler
```
public SslHandler(SSLEngine engine,
                  boolean startTls)
```
    Creates a new instance which runs all delegated tasks directly on the EventExecutor.
    
    Parameters:
    
    engine - the SSLEngine this handler will use
    
    startTls - true if the first write request shouldn't be encrypted by the SSLEngine
  - SslHandler
```
public SslHandler(SSLEngine engine,
                  Executor delegatedTaskExecutor)
```
    Creates a new instance.
    
    Parameters:
    
    engine - the SSLEngine this handler will use
    
    delegatedTaskExecutor - the Executor that will be used to execute tasks that are returned by SSLEngine.getDelegatedTask().
  - SslHandler
```
public SslHandler(SSLEngine engine,
                  boolean startTls,
                  Executor delegatedTaskExecutor)
```
    Creates a new instance.
    
    Parameters:
    
    engine - the SSLEngine this handler will use
    
    startTls - true if the first write request shouldn't be encrypted by the SSLEngine
    
    delegatedTaskExecutor - the Executor that will be used to execute tasks that are returned by SSLEngine.getDelegatedTask().
- Method Detail
  - getHandshakeTimeoutMillis
```
public long getHandshakeTimeoutMillis()
```
  - setHandshakeTimeout
```
public void setHandshakeTimeout(long handshakeTimeout,
                                TimeUnit unit)
```
  - setHandshakeTimeoutMillis
```
public void setHandshakeTimeoutMillis(long handshakeTimeoutMillis)
```
  - setWrapDataSize
```
@UnstableApi
public final void setWrapDataSize(int wrapDataSize)
```
    Sets the number of bytes to pass to each SSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer) call.
    This value will partition data which is passed to write write(ChannelHandlerContext, Object). The partitioning will work as follows:
    
    If wrapDataSize <= 0 then we will write each data chunk as is.
    
    If wrapDataSize > data size then we will attempt to aggregate multiple data chunks together.
    
    If wrapDataSize > data size Else if wrapDataSize <= data size then we will divide the data into chunks of wrapDataSize when writing.
    
    If the SSLEngine doesn't support a gather wrap operation (e.g. SslProvider.OPENSSL) then aggregating data before wrapping can help reduce the ratio between TLS overhead vs data payload which will lead to better goodput. Writing fixed chunks of data can also help target the underlying transport's (e.g. TCP) frame size. Under lossy/congested network conditions this may help the peer get full TLS packets earlier and be able to do work sooner, as opposed to waiting for the all the pieces of the TLS packet to arrive.
    Parameters:
    
    wrapDataSize - the number of bytes which will be passed to each SSLEngine.wrap(ByteBuffer[], int, int, ByteBuffer) call.
  - getCloseNotifyTimeoutMillis
```
@Deprecated
public long getCloseNotifyTimeoutMillis()
```
    Deprecated.
    use getCloseNotifyFlushTimeoutMillis()
  - setCloseNotifyTimeout
```
@Deprecated
public void setCloseNotifyTimeout(long closeNotifyTimeout,
                                  TimeUnit unit)
```
    Deprecated.
    use setCloseNotifyFlushTimeout(long, TimeUnit)
  - setCloseNotifyTimeoutMillis
```
@Deprecated
public void setCloseNotifyTimeoutMillis(long closeNotifyFlushTimeoutMillis)
```
    Deprecated.
    use setCloseNotifyFlushTimeoutMillis(long)
  - getCloseNotifyFlushTimeoutMillis
```
public final long getCloseNotifyFlushTimeoutMillis()
```
    Gets the timeout for flushing the close_notify that was triggered by closing the Channel. If the close_notify was not flushed in the given timeout the Channel will be closed forcibly.
  - setCloseNotifyFlushTimeout
```
public final void setCloseNotifyFlushTimeout(long closeNotifyFlushTimeout,
                                             TimeUnit unit)
```
    Sets the timeout for flushing the close_notify that was triggered by closing the Channel. If the close_notify was not flushed in the given timeout the Channel will be closed forcibly.
  - setCloseNotifyFlushTimeoutMillis
```
public final void setCloseNotifyFlushTimeoutMillis(long closeNotifyFlushTimeoutMillis)
```
    See setCloseNotifyFlushTimeout(long, TimeUnit).
  - getCloseNotifyReadTimeoutMillis
```
public final long getCloseNotifyReadTimeoutMillis()
```
    Gets the timeout (in ms) for receiving the response for the close_notify that was triggered by closing the Channel. This timeout starts after the close_notify message was successfully written to the remote peer. Use 0 to directly close the Channel and not wait for the response.
  - setCloseNotifyReadTimeout
```
public final void setCloseNotifyReadTimeout(long closeNotifyReadTimeout,
                                            TimeUnit unit)
```
    Sets the timeout for receiving the response for the close_notify that was triggered by closing the Channel. This timeout starts after the close_notify message was successfully written to the remote peer. Use 0 to directly close the Channel and not wait for the response.
  - setCloseNotifyReadTimeoutMillis
```
public final void setCloseNotifyReadTimeoutMillis(long closeNotifyReadTimeoutMillis)
```
    See setCloseNotifyReadTimeout(long, TimeUnit).
  - engine
```
public SSLEngine engine()
```
    Returns the SSLEngine which is used by this handler.
  - applicationProtocol
```
public String applicationProtocol()
```
    Returns the name of the current application-level protocol.
    
    Returns:
    
    the protocol name or null if application-level protocol has not been negotiated
  - handshakeFuture
```
public Future<Channel> handshakeFuture()
```
    Returns a Future that will get notified once the current TLS handshake completes.
    
    Returns:
    
    the Future for the initial TLS handshake if renegotiate() was not invoked. The Future for the most recent TLS renegotiation otherwise.
  - closeOutbound
```
public Future<Void> closeOutbound()
```
    Sends an SSL close_notify message to the specified channel and destroys the underlying SSLEngine. This will not close the underlying Channel. If you want to also close the Channel use Channel.close() or ChannelOutboundInvoker.close()
  - sslCloseFuture
```
public Future<Channel> sslCloseFuture()
```
    Return the Future that will get notified if the inbound of the SSLEngine is closed. This method will return the same Future all the time.
    
    See Also:
    
    SSLEngine
  - handlerRemoved0
```
public void handlerRemoved0(ChannelHandlerContext ctx)
                     throws Exception
```
    Description copied from class: ByteToMessageDecoder
    
    Gets called after the ByteToMessageDecoder was removed from the actual context and it doesn't handle events anymore.
    
    Overrides:
    
    handlerRemoved0 in class ByteToMessageDecoder
    
    Throws:
    
    Exception
  - disconnect
```
public Future<Void> disconnect(ChannelHandlerContext ctx)
```
    Description copied from interface: ChannelHandler
    
    Called once a disconnect operation is made.
    
    Parameters:
    
    ctx - the ChannelHandlerContext for which the disconnect operation is made
    
    Returns:
    
    the Future which will be notified once the operation completes.
  - close
```
public Future<Void> close(ChannelHandlerContext ctx)
```
    Description copied from interface: ChannelHandler
    
    Called once a close operation is made.
    
    Parameters:
    
    ctx - the ChannelHandlerContext for which the close operation is made
    
    Returns:
    
    the Future which will be notified once the operation completes.
  - read
```
public void read(ChannelHandlerContext ctx)
```
    Description copied from interface: ChannelHandler
    
    Intercepts ChannelHandlerContext.read().
  - write
```
public Future<Void> write(ChannelHandlerContext ctx,
                          Object msg)
```
    Description copied from interface: ChannelHandler
    
    Called once a write operation is made. The write operation will write the messages through the ChannelPipeline. Those are then ready to be flushed to the actual Channel once Channel.flush() is called.
    
    Parameters:
    
    ctx - the ChannelHandlerContext for which the write operation is made
    
    msg - the message to write
    
    Returns:
    
    the Future which will be notified once the operation completes.
  - flush
```
public void flush(ChannelHandlerContext ctx)
```
    Description copied from interface: ChannelHandler
    
    Called once a flush operation is made. The flush operation will try to flush out all previous written messages that are pending.
    
    Parameters:
    
    ctx - the ChannelHandlerContext for which the flush operation is made
  - channelInactive
```
public void channelInactive(ChannelHandlerContext ctx)
                     throws Exception
```
    Description copied from interface: ChannelHandler
    
    The Channel of the ChannelHandlerContext was registered is now inactive and reached its end of lifetime.
    
    Specified by:
    
    channelInactive in interface ChannelHandler
    
    Overrides:
    
    channelInactive in class ByteToMessageDecoder
    
    Throws:
    
    Exception
  - channelExceptionCaught
```
public void channelExceptionCaught(ChannelHandlerContext ctx,
                                   Throwable cause)
                            throws Exception
```
    Description copied from interface: ChannelHandler
    
    Gets called if a Throwable was thrown when handling inbound events.
    
    Throws:
    
    Exception
  - isEncrypted
```
public static boolean isEncrypted(Buffer buffer)
```
    Returns true if the given Buffer is encrypted. Be aware that this method will not increase the readerIndex of the given Buffer.
    
    Parameters:
    
    buffer - The Buffer to read from. Be aware that it must have at least 5 bytes to read, otherwise it will throw an IllegalArgumentException.
    
    Returns:
    
    encrypted true if the Buffer is encrypted, false otherwise.
    
    Throws:
    
    IllegalArgumentException - Is thrown if the given Buffer has not at least 5 bytes to read.
  - decode
```
protected void decode(ChannelHandlerContext ctx,
                      Buffer in)
               throws SSLException
```
    Description copied from class: ByteToMessageDecoder
    
    Decode the from one Buffer to another. This method will be called till either the input Buffer has nothing to read when return from this method or till nothing was read from the input Buffer.
    
    Specified by:
    
    decode in class ByteToMessageDecoder
    
    Parameters:
    
    ctx - the ChannelHandlerContext which this ByteToMessageDecoder belongs to
    
    in - the Buffer from which to read data
    
    Throws:
    
    SSLException
  - channelReadComplete
```
public void channelReadComplete(ChannelHandlerContext ctx)
                         throws Exception
```
    Description copied from interface: ChannelHandler
    
    Invoked when the last message read by the current read operation has been consumed by ChannelHandler.channelRead(ChannelHandlerContext, Object). If ChannelOption.AUTO_READ is off, no further attempt to read an inbound data from the current Channel will be made until ChannelHandlerContext.read() is called.
    
    Specified by:
    
    channelReadComplete in interface ChannelHandler
    
    Overrides:
    
    channelReadComplete in class ByteToMessageDecoder
    
    Throws:
    
    Exception
  - handlerAdded0
```
public void handlerAdded0(ChannelHandlerContext ctx)
                   throws Exception
```
    Overrides:
    
    handlerAdded0 in class ByteToMessageDecoder
    
    Throws:
    
    Exception
  - renegotiate
```
public Future<Channel> renegotiate()
```
    Performs TLS renegotiation.
  - renegotiate
```
public Future<Channel> renegotiate(Promise<Channel> promise)
```
    Performs TLS renegotiation.
  - channelActive
```
public void channelActive(ChannelHandlerContext ctx)
                   throws Exception
```
    Issues an initial TLS handshake once connected when used in client-mode
    
    Throws:
    
    Exception
  - pendingOutboundBytes
```
public long pendingOutboundBytes(ChannelHandlerContext ctx)
```
    Description copied from interface: ChannelHandler
    
    The number of the outbound bytes that are buffered / queued in this ChannelHandler. This number will affect the writability of the Channel together the buffered / queued bytes in the Channel itself. By default this methods returns 0. If the ChannelHandler implementation buffers / queues outbound data this methods should be implemented to return the correct value.
    
    Parameters:
    
    ctx - the ChannelHandlerContext for which the operation is made.
    
    Returns:
    
    the number of buffered / queued bytes.

Class SslHandler

Beginning the handshake

Handshake

Closing the session

Restarting the session

Implementing StartTLS

Known issues

Nested Class Summary

Nested classes/interfaces inherited from class io.netty5.handler.codec.ByteToMessageDecoder

Field Summary

Fields inherited from class io.netty5.handler.codec.ByteToMessageDecoder

Constructor Summary

Method Summary

Methods inherited from class io.netty5.handler.codec.ByteToMessageDecoder

Methods inherited from class java.lang.Object

Methods inherited from interface io.netty5.channel.ChannelHandler

Constructor Detail

SslHandler

SslHandler

SslHandler

SslHandler

Method Detail

getHandshakeTimeoutMillis

setHandshakeTimeout

setHandshakeTimeoutMillis

setWrapDataSize

getCloseNotifyTimeoutMillis

setCloseNotifyTimeout

setCloseNotifyTimeoutMillis

getCloseNotifyFlushTimeoutMillis

setCloseNotifyFlushTimeout

setCloseNotifyFlushTimeoutMillis

getCloseNotifyReadTimeoutMillis

setCloseNotifyReadTimeout

setCloseNotifyReadTimeoutMillis

engine

applicationProtocol

handshakeFuture

closeOutbound

sslCloseFuture

handlerRemoved0

disconnect

close

read

write

flush

channelInactive

channelExceptionCaught

isEncrypted

decode

channelReadComplete

handlerAdded0

renegotiate

renegotiate

channelActive

pendingOutboundBytes