There should be a way to reorder the JSSE ciphers

Bernd Eckenfels bernd-2013 at eckenfels.net
Wed Aug 7 06:54:15 UTC 2013


Hello,

On 07.08.2013 at 08:09, Matthew Hall <mhall at mhcomputing.net> wrote:

> This sounds good in theory but when you work in an Internet scale content 
> provider it breaks things when the client can pick bad ciphers and the server 
> just allows it to happen like in default Java up until now.

Well yes, if you think there is a bad cipher in the default enabled suite then it is good to disable it (the default enabled list is better these days). You can do that without setting a new boolean flag which is ignored by the default implementation.

I am not arguing about more flexibility in the configuration of cipher selection. If you have a smarter JSSE implementation then this is also good.

I think both don't need an additional boolean switch.

If the JDK JSSE implementation will offer different server side strategies to pick the cipher it would be most helpful to have a (string) option to specify the strategy. This option name can be standardized and others then can pick it up as well. You could even specify "RFC" and "ServerOrder" as the two mandatory supported options.

Greetings
Bernd
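
Added example, not part of the original message or of the JDK sources: one way to disable unwanted suites from the default enabled list on a JSSE server socket using only the existing `setEnabledCipherSuites` API. The deny-list substrings and the class name `FilterCipherSuites` are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class FilterCipherSuites {
    // Constructed deny-list (assumption): substrings of suite names to disable.
    // "_DES_" matches single DES only; 3DES suites are named "_3DES_EDE_".
    private static final String[] DENY = {
        "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_MD5"
    };

    static boolean allowed(String suite) {
        for (String bad : DENY) {
            if (suite.contains(bad)) {
                return false;
            }
        }
        return true;
    }

    // Keeps the original relative order of the suites that survive the filter.
    static String[] filter(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (allowed(s)) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        // Unbound socket: enough to inspect and change the enabled list.
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket()) {
            String[] before = server.getEnabledCipherSuites();
            String[] after = filter(before);
            if (after.length == 0) {
                // Fail closed instead of starting a listener no client can use.
                throw new IllegalStateException("deny-list removed every enabled suite");
            }
            server.setEnabledCipherSuites(after);
            System.out.println("enabled before: " + before.length + ", after: " + after.length);
        }
    }
}
```

This only removes suites from what the server will accept; which of the remaining suites is negotiated still follows the selection behaviour discussed in the thread.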


