There should be a way to reorder the JSSE ciphers

Xuelei Fan xuelei.fan at oracle.com
Wed Aug 7 00:18:02 PDT 2013


On 8/7/2013 2:57 PM, Matthew Hall wrote:
> On Wed, Aug 07, 2013 at 08:54:15AM +0200, Bernd Eckenfels wrote:
>> Well yes, if you think there is a bad cipher in the default enabled suite 
>> then it is good to disable it (The default enabled list is better these 
>> days). You can do that without setting a new boolean flag which is ignored 
>> by the default implementation.
> 
> I don't think disabling ciphers on the server side works that great in Java 
> since the client can still screw up the ordering. I have seen some bugs from 
> this myself, regardless what it might claim in the RFC.
> 
>> If the JDK JSSE implementation will offer different server side stategies to 
>> pick the cipher it would be most helpfull to have a (string) option to 
>> specify the strategy. This option name can be standadized and others then 
>> can pick it up as well. You could even specify "RFC" and "ServerOrder" as 
>> the two mandatory supported options.
> 
> Yes, I agree with your and others' suggestions on this. It should use Enum or 
> String or even Integer constants of some sort instead of anything hard-coded 
> like invididual Booleans.
> 
hard-coded?  I did not catch the idea.  It was proposed to define a new
method:

    SSLParameters.setUseCipherSuitesOrder(boolean on);

I was considering to use enum as Sean suggested.  Both String and
integer is not accept to me because they are pretty easy to get used
incorrectly.

Anyway, I think we all agree we need public method/interface to
configure the behavior that server can select cipher suites on its own
preference.

Xuelei
>> Greetings
>> Bernd
> 
> Matthew.
> 



More information about the security-dev mailing list