| Class | Description |
|---|---|
| NetPhantomCipherSuites | This class builds a table of available cipher (suites) that are used with SSL. |
| NetPhantomJSSEServerSocket | ServerSocketInterface2 is used by servers to listen for requests from clients for [SSL] socket connections. |

This package provides the JSSE-based SSL/TLS implementation used by NetPhantom's socket layer to secure client connections. It handles server certificate management (including multiple identities and Let's Encrypt ACME certificates), SNI-based certificate selection, client certificate authentication with per-access-control allow/revoke lists, CRL processing, cipher suite strength classification, and SSL session renegotiation.

| Class | Role |
|---|---|
| NetPhantomJSSEServerSocket | Core SSL server socket implementation. Implements ServerSocketInterface3 and X509TrustManager. Manages PKCS#12 keystore loading (single or merged multi-identity), SSL context creation, protocol/cipher configuration from INI file settings, session cache tuning, client certificate trust verification, CRL checking, and per-access-control certificate allow/revoke lists. |
| SNIX509ExtendedKeyManager | SNI-aware key manager that selects the appropriate server certificate based on the hostname requested by the client during the TLS handshake. Wraps the default X509ExtendedKeyManager and consults DomainNameMatcher for the SNI hostname, then matches it against X509Info certificate records. |
| DomainNameMatcher | SNIMatcher implementation that accepts all SNI HostName requests and stores the hostname per-thread for later retrieval by the key manager during certificate selection. |
| X509Info | Extracts and stores host names and wildcard names from X.509 certificates (Subject Alternative Names and CN), and provides SNI hostname matching with support for wildcards and Internationalized Domain Names (IDN). |
| NetPhantomCipherSuites | Cipher suite and protocol classification utility. Categorizes suites as strong or weak based on known weak-suite lists, recommended-suite lists, and pattern matching (anonymous, NULL, RC4, DES, export-grade, etc.). Provides effective key bit-length calculation and a main() method for JVM cipher diagnostics. |

When multiple server identities are configured (multiple PKCS#12 files and/or Let's Encrypt domains), SNI-based certificate selection is activated:

1. DomainNameMatcher captures the SNI hostname per-thread during the TLS ClientHello.
2. SNIX509ExtendedKeyManager queries the matcher for the hostname and iterates the X509Info records to find a certificate whose Subject Alternative Names or CN match (including wildcard and IDN).

Client certificates are verified through multiple mechanisms during checkClientTrusted():

- crls/ directory. Multiple CRLs from the same issuer are merged, keeping the earliest revocation date.
- revokedcerts/<accessControl>/ are checked.
- clientcerts/<accessControl>/.

NetPhantomCipherSuites classifies cipher suites as weak if they use SSL, anonymous key exchange, NULL encryption, RC4, static DH, 3DES, DES, export-grade, ARIA, Camellia, SHA-1 only MACs, MD5, or appear in the explicit weak-suites list from SSLLabs/ciphersuite.info. Suites using ECDHE, ECDSA, ChaCha20, or AES-GCM are classified as strong. The renegotiation signaling cipher suite is always treated as strong.

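The name-pattern part of this classification can be approximated as follows. This is an added example, not NetPhantom's code: the class name SuiteStrengthSketch, the UNCLASSIFIED outcome, and the rule that a weak marker outranks a strong one are assumptions, and the explicit weak-suites and recommended-suites lists are not reproduced.

```java
import java.util.EnumMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class SuiteStrengthSketch {
    enum Strength { STRONG, WEAK, UNCLASSIFIED }

    // Name patterns for the weak categories listed in the text. "SSL" is read as
    // the legacy SSL_ name prefix and "_SHA" at the end as a SHA-1 MAC (assumptions).
    private static final Pattern WEAK = Pattern.compile(
        "^SSL_|_anon_|_NULL_|_RC4_|_DH_|_3DES_|_DES_|_DES40_|_EXPORT_"
        + "|_ARIA_|_CAMELLIA_|_SHA$|_MD5$");
    private static final Pattern STRONG =
        Pattern.compile("_ECDHE_|_ECDSA_|_CHACHA20_|_GCM_");

    static Strength classify(String suite) {
        // The renegotiation signaling suite is always treated as strong.
        if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(suite)) return Strength.STRONG;
        // Assumption: a weak marker outranks a strong one (e.g. ECDHE with a SHA-1 MAC).
        if (WEAK.matcher(suite).find()) return Strength.WEAK;
        if (STRONG.matcher(suite).find()) return Strength.STRONG;
        // Left to the explicit weak/recommended lists, which are not reproduced here.
        return Strength.UNCLASSIFIED;
    }

    public static void main(String[] args) throws Exception {
        String[] sample = {   // constructed sample of standard JSSE suite names
            "TLS_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        };
        for (String s : sample) System.out.printf("%-13s%s%n", classify(s), s);

        // Tally what this JVM's default context supports.
        Map<Strength, Integer> counts = new EnumMap<>(Strength.class);
        for (String s : SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites())
            counts.merge(classify(s), 1, Integer::sum);
        System.out.println("Supported by this JVM: " + counts);
    }
}
```

Any suite reported as UNCLASSIFIED is a candidate for manual review before it goes into the cipherSuites setting.
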
SSL settings are read from a named section in the server INI file.
Key parameters include: identityFile (comma-separated PKCS#12 paths),
identityUser (matching admin user IDs for passwords),
caCertificates (CA cert files for client auth trust),
cipherSuites (comma-separated suite names),
suppressTLSv1 / suppressTLSv1.1 / suppressTLSv1.3
(protocol toggles, TLSv1 and TLSv1.1 suppressed by default),
sessionCacheCapacity, sessionCacheTimeout,
honorCipherSuitesOrder, and sslDebug.
(C) Copyright Mindus SARL, 2026. All rights reserved.

See also: ServerSocketInterface3, SocketClientConnectionListener, LetsEncryptDomain

Phantom® and NetPhantom® are registered trademarks of Mindus SARL.