There should be a way to reorder the JSSE ciphers

Matthew Hall mhall at mhcomputing.net
Wed Aug 7 06:57:30 UTC 2013


On Wed, Aug 07, 2013 at 08:54:15AM +0200, Bernd Eckenfels wrote:
> Well yes, if you think there is a bad cipher in the default enabled suite 
> then it is good to disable it (The default enabled list is better these 
> days). You can do that without setting a new boolean flag which is ignored 
> by the default implementation.

I don't think disabling ciphers on the server side works that great in Java 
since the client can still screw up the ordering. I have seen some bugs from 
this myself, regardless of what it might claim in the RFC.

> If the JDK JSSE implementation will offer different server side strategies to 
> pick the cipher it would be most helpful to have a (string) option to 
> specify the strategy. This option name can be standardized and others then 
> can pick it up as well. You could even specify "RFC" and "ServerOrder" as 
> the two mandatory supported options.

Yes, I agree with your and others' suggestions on this. It should use Enum or 
String or even Integer constants of some sort instead of anything hard-coded 
like individual Booleans.

> Greetings
> Bernd

Matthew.
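
An added illustration, not code from either poster or from the JDK: a small model of the two selection strategies named in the thread, showing why trimming the server's enabled list does not by itself control which suite is negotiated. The enum, the select() helper and the sample suite lists are hypothetical, and it assumes "RFC" means honoring the client's offer order.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;

public class CipherOrderDemo {
    /** Hypothetical names, taken from the thread's "RFC" / "ServerOrder" suggestion. */
    enum SelectionStrategy { RFC, SERVER_ORDER }

    /**
     * Returns the first suite both sides support. Under RFC the client's offer
     * order decides; under SERVER_ORDER the server's enabled-list order decides.
     */
    static Optional<String> select(SelectionStrategy strategy,
                                   List<String> clientOffer,
                                   List<String> serverEnabled) {
        boolean clientDecides = strategy == SelectionStrategy.RFC;
        List<String> preferred = clientDecides ? clientOffer : serverEnabled;
        Set<String> other = new HashSet<>(clientDecides ? serverEnabled : clientOffer);
        return preferred.stream().filter(other::contains).findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample: the client lists an RC4 suite first, ECDHE last.
        List<String> client = Arrays.asList(
                "SSL_RSA_WITH_RC4_128_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
        // Constructed sample: the server would rather use ECDHE.
        List<String> server = Arrays.asList(
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "SSL_RSA_WITH_RC4_128_SHA");

        for (SelectionStrategy s : SelectionStrategy.values()) {
            System.out.println(s + ": "
                    + select(s, client, server).orElse("no common suite"));
        }

        // Disabling RC4 on the server removes it from the outcome, but with
        // client ordering the server's first choice (ECDHE) is still not picked.
        List<String> rc4Disabled = server.subList(0, 2);
        System.out.println("RFC, RC4 disabled on server: "
                + select(SelectionStrategy.RFC, client, rc4Disabled)
                        .orElse("no common suite"));
    }
}
```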



More information about the security-dev mailing list