protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers) { SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName); SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers); SSLContextWrapper sslContextWrapper = certificate.getSslContextWrapper(); if (sslContextWrapper == null) { throw new IllegalStateException(sm.getString("endpoint.jsse.noSslContext", sniHostName)); } SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine(); switch (sslHostConfig.getCertificateVerification()) { case NONE: engine.setNeedClientAuth(false); engine.setWantClientAuth(false); break; case OPTIONAL: case OPTIONAL_NO_CA: engine.setWantClientAuth(true); break; case REQUIRED: engine.setNeedClientAuth(true); break; } engine.setUseClientMode(false); engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers()); engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols()); SSLParameters sslParameters = engine.getSSLParameters(); sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder()); // In case the getter returns a defensive copy engine.setSSLParameters(sslParameters); return engine; }