There should be a way to reorder the JSSE ciphers

Xuelei Fan xuelei.fan at oracle.com
Mon Aug 12 02:04:12 UTC 2013 

On 8/7/2013 1:21 AM, Sean Mullan wrote:
> It might be useful to add a more general method to set boolean options
> like this. For example:
> 
> public final void setOptions(Set<Option> options)
> public final Set<Option> getOptions()
> 
> SSLParameters.Option is an enum:
> 
> public enum SSLParameters.Option {
>     ENFORCE_CIPHER_SUITE_ORDER,
>     // alternate ways to specify client auth
>     NEED_CLIENT_AUTH,
>     WANT_CLIENT_AUTH
> }
> 
The difficult part of SSLParameters is that every attribute has default
value, which can be got from SSLSocket/SSLEngine.getSSLParameters().
That's to say, every option would have three kinds of value: true,
false, and the default one.  As make it hard to use enum parameter.

Consider the example, if the set has one option, WANT_CLIENT_AUTH, it is
the same as:

    SSLParameters.setWantClientAuth(true);

What's the expected value of the ENFORCE_CIPHER_SUITE_ORDER and
NEED_CLIENT_AUTH?   It can be specified to use "false".  Then, there is
no way to use the default value any more.  If it is specified to use
default value, no way to use "false" value any more.  It's ambiguous.

In the long run, I was wondering to replace SSLParameters with a set of
pair (option, value).  For example,
    {
        {ENFORCE_CIPHER_SUITE_ORDER, "true"},
        {WANT_CLIENT_AUTH,           "false"},
        {CIPHER_SUITES,              {CS1, CS2, ...}}
    }

However, the refactoring needs significant efforts. I won't want
consider it in this improvement.

Thanks,
Xuelei

> The nice part about this is that you can easily add new options in the
> future and providers can cycle through the set of options and throw an
> exception for any that they don't yet support.
> 
> --Sean
> 
> On 08/05/2013 06:53 PM, Xuelei Fan wrote:
>> Hi,
>>
>> We are thinking about to support cipher suites preference in JSSE by
>> defining new methods in javax.net.ssl.SSLParameters.
>>
>> ----------------------------------------------------
>> +    /**
>> +     * Sets whether the cipher suites preference should be honored.
>> +     *
>> +     * @param on whether local cipher suites order in
>> +     *         {@code #getCipherSuites}
>> +     *        should be honored during SSL/TLS handshaking.
>> +     */
>> +    public final void setUseCipherSuitesOrder(boolean on);
>>
>>
>> +    /**
>> +     * Returns whether the cipher suites preference should be honored.
>> +     *
>> +     * @return whether local cipher suites order in
>> +               {@code #getCipherSuites}
>> +     *         should be honored during SSL/TLS handshaking.
>> +     */
>> +    public final boolean getUseCipherSuitesOrder();
>> ----------------------------------------------------
>>
>>
>> By default, Oracle JSSE provider still honors the client's preference.
>> The behavior can be changed by calling
>> SSLParameters.setUseCipherSuitesOrder(true) in server side.
>>
>> We have had the cipher suites preference ordering in client side for
>> many years, but we never said how to actually do it in specification and
>> JSSE Reference Guide.  With this update, the client side can enforce to
>> honor cipher suite preference with the new method,
>> SSLParameters.setUseCipherSuitesOrder(true).  Other providers should
>> also comply with this specification.
>>
>> Any feedback are welcome.
>>
>> Thanks,
>> Xuelei
>>
>

More information about the security-dev mailing list