There should be a way to reorder the JSSE ciphers

Sean Mullan sean.mullan at oracle.com
Tue Aug 6 17:25:41 UTC 2013


On 08/06/2013 10:21 AM, Sean Mullan wrote:
> It might be useful to add a more general method to set boolean options
> like this. For example:
>
> public final void setOptions(Set<Option> options)
> public final Option getOptions()

oops, above should be:

public final Set<Option> getOptions()

--Sean

>
> SSLParameters.Option is an enum:
>
> public enum SSLParameters.Option {
>      ENFORCE_CIPHER_SUITE_ORDER,
>      // alternate ways to specify client auth
>      NEED_CLIENT_AUTH,
>      WANT_CLIENT_AUTH
> }
>
> The nice part about this is that you can easily add new options in the
> future and providers can cycle through the set of options and throw an
> exception for any that they don't yet support.
>
> --Sean
>
> On 08/05/2013 06:53 PM, Xuelei Fan wrote:
>> Hi,
>>
>> We are thinking about supporting cipher suite preference in JSSE by
>> defining new methods in javax.net.ssl.SSLParameters.
>>
>> ----------------------------------------------------
>> +    /**
>> +     * Sets whether the cipher suites preference should be honored.
>> +     *
>> +     * @param on whether local cipher suites order in
>> +     *         {@code #getCipherSuites}
>> +     *        should be honored during SSL/TLS handshaking.
>> +     */
>> +    public final void setUseCipherSuitesOrder(boolean on);
>>
>>
>> +    /**
>> +     * Returns whether the cipher suites preference should be honored.
>> +     *
>> +     * @return whether local cipher suites order in
>> +               {@code #getCipherSuites}
>> +     *         should be honored during SSL/TLS handshaking.
>> +     */
>> +    public final boolean getUseCipherSuitesOrder();
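Review bot: in the second javadoc block the continuation line `+               {@code #getCipherSuites}` is missing the leading ` * `, so it will not render as part of the `@return` description the way the first block's `@param` text does; match the first block's formatting. Neither comment states the default, while the covering message says the provider honors the client's preference unless `setUseCipherSuitesOrder(true)` is called, so stating that the default is `false` in both comments (and using `{@link #getCipherSuites}` so the reference resolves in generated docs) would make the contract clear to other providers.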
>> ----------------------------------------------------
>>
>>
>> By default, the Oracle JSSE provider still honors the client's preference.
>> The behavior can be changed by calling
>> SSLParameters.setUseCipherSuitesOrder(true) on the server side.
>>
>> We have had cipher suite preference ordering on the client side for
>> many years, but we never said how to actually do it in the specification and
>> the JSSE Reference Guide.  With this update, the client side can enforce that
>> its cipher suite preference is honored with the new method,
>> SSLParameters.setUseCipherSuitesOrder(true).  Other providers should
>> also comply with this specification.
>>
>> Any feedback is welcome.
>>
>> Thanks,
>> Xuelei
>>
>
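The server-side usage Xuelei describes, written against the SSLParameters.setUseCipherSuitesOrder(boolean) method as it later shipped in the JDK; this is an added example, not code from the thread or from the JDK, and the class name, the preferred suite list and the use of the default SSLContext (which assumes a keystore configured via system properties) are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ServerSuiteOrderExample {
    // Hypothetical server preference list, most preferred first. A server that
    // enforces its own order is not at the mercy of a client that lists weak
    // suites first.
    private static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    // Restrict the enabled suites to those of PREFERRED that the provider
    // supports, keep PREFERRED's order, and tell the provider to honor it.
    static SSLParameters preferServerOrder(SSLParameters base, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> ordered = new ArrayList<>();
        for (String suite : PREFERRED) {
            if (supportedList.contains(suite)) {
                ordered.add(suite);
            }
        }
        if (ordered.isEmpty()) {
            throw new IllegalStateException("none of the preferred suites is supported");
        }
        base.setCipherSuites(ordered.toArray(new String[0]));
        base.setUseCipherSuitesOrder(true); // local (server) order wins over the client's
        return base;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            SSLParameters params = preferServerOrder(server.getSSLParameters(),
                                                     server.getSupportedCipherSuites());
            server.setSSLParameters(params);
            SSLParameters applied = server.getSSLParameters();
            System.out.println("enforce local order: " + applied.getUseCipherSuitesOrder());
            System.out.println("enabled suites:      " + Arrays.toString(applied.getCipherSuites()));
        }
    }
}
```

Without the setUseCipherSuitesOrder(true) call the enabled list is still restricted to PREFERRED, but the provider picks the first mutually supported suite in the client's order, which is the default behavior the message describes.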
