There should be a way to reorder the JSSE ciphers
Xuelei Fan
xuelei.fan at oracle.com
Wed Aug 7 07:18:02 UTC 2013
On 8/7/2013 2:57 PM, Matthew Hall wrote:
> On Wed, Aug 07, 2013 at 08:54:15AM +0200, Bernd Eckenfels wrote:
>> Well yes, if you think there is a bad cipher in the default enabled suite
>> then it is good to disable it (The default enabled list is better these
>> days). You can do that without setting a new boolean flag which is ignored
>> by the default implementation.
>
> I don't think disabling ciphers on the server side works that great in Java
> since the client can still screw up the ordering. I have seen some bugs from
> this myself, regardless what it might claim in the RFC.
>
>> If the JDK JSSE implementation will offer different server side strategies to
>> pick the cipher it would be most helpful to have a (string) option to
>> specify the strategy. This option name can be standardized and others then
>> can pick it up as well. You could even specify "RFC" and "ServerOrder" as
>> the two mandatory supported options.
>
> Yes, I agree with your and others' suggestions on this. It should use Enum or
> String or even Integer constants of some sort instead of anything hard-coded
> like individual Booleans.
>
hard-coded? I did not catch the idea. It was proposed to define a new
method:
SSLParameters.setUseCipherSuitesOrder(boolean on);
I was considering using an enum as Sean suggested. Both String and
integer are not acceptable to me because they are pretty easy to get used
incorrectly.
Anyway, I think we all agree we need a public method/interface to
configure the behavior that the server can select cipher suites on its own
preference.
Xuelei
>> Greetings
>> Bernd
>
> Matthew.
>
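The server-side preference setting the thread is discussing, written up as an added example (not code from the thread or from the JDK): `setUseCipherSuitesOrder` is the method proposed above and shipped in JDK 8 under that name; the class name and the cipher-suite preference list are constructed for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class ServerCipherOrder {
    // Constructed preference list, strongest first; these are standard JSSE suite names.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    // Restricting the enabled list alone: which suite wins is still decided by
    // the order the client sends in its ClientHello (the problem Matthew describes).
    static SSLEngine clientOrderEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledCipherSuites(PREFERRED);
        return engine;
    }

    // With the proposed flag set, the server's own order is honoured during selection.
    static SSLEngine serverOrderEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(PREFERRED);
        params.setUseCipherSuitesOrder(true); // method proposed in this thread; JDK 8+
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine weak = clientOrderEngine(ctx);
        SSLEngine hardened = serverOrderEngine(ctx);
        System.out.println("client-order engine honours server order: "
                + weak.getSSLParameters().getUseCipherSuitesOrder());
        System.out.println("server-order engine honours server order: "
                + hardened.getSSLParameters().getUseCipherSuitesOrder());
        for (String suite : hardened.getEnabledCipherSuites()) {
            System.out.println("  " + suite);
        }
    }
}
```

A real server still needs key material in the SSLContext before a handshake can complete; the default context here is enough to show the parameter difference.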