[JDK 8] Code review request 7188657, There should be a way to reorder the JSSE ciphers
Xuelei Fan
xuelei.fan at oracle.com
Wed Aug 28 10:43:06 UTC 2013
On 8/28/2013 5:57 PM, Florian Weimer wrote:
> On 08/28/2013 11:02 AM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review this update to support cipher suite reordering:
>>
>> webrev: http://cr.openjdk.java.net/~xuelei/7188657/webrev.00/
>>
>> Two new methods are added to SSLParameters:
>> public final void setUseCipherSuitesOrder(boolean honorOrder);
>> public final boolean getUseCipherSuitesOrder();
>>
>> If SSLParameters.getUseCipherSuitesOrder() returns true, the local cipher
>> suite order returned by SSLParameters.getCipherSuites() should be
>> honored during SSL/TLS handshaking.
>
> The documentation should say this parameter only applies to the server
> side because that's the party that picks the cipher suite.
>
That was the initial motivation for updating the behavior of server cipher
suite selection. However, we noted that we have never specified the ordering
of cipher suites in the ClientHello message. Although the Oracle provider
has honored the order of SSLParameters.getCipherSuites() for years, we have
never said how it actually does so. It's a good time to specify the ordering
on the client side as well in this update.
This API will not impact the client behavior of the Oracle provider. However,
it can be an instinctive guide for third-party provider
implementations, and a clear spec for applications to enforce the cipher
suite ordering.
> I wonder if an enum (with members LOCAL and PEER, and perhaps
> UNSPECIFIED) would be more appropriate than a boolean flag.
I understand your concerns. It's pretty confusing when one thinks about
SSLParameters on both the client and server sides. The confusion happens
not only with this pair of methods, but also with some old methods, for
example s/getProtocols().
But I think if we think about the method from one side, client or server, at
a time, the meaning may be easy to understand. On the client side,
setUseCipherSuitesOrder() means to honor the local/client cipher suite
order; on the server side, setUseCipherSuitesOrder() means to honor the
local/server cipher suite order.
Per your suggestion, as PEER cannot apply to the client side, it might be a
little confusing for client-side application developers.
Thanks for the support!
Regards,
Xuelei
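The following is an added example, not code from the webrev or from the thread participants, showing how a server-side application would use the two proposed SSLParameters methods to enforce its own cipher suite preference. It assumes a JDK in which setUseCipherSuitesOrder(boolean) and getUseCipherSuitesOrder() exist as described above (JDK 8 and later). The preferred suite list and the class and method names (ServerCipherOrder, intersectInOrder, configureServerEngine) are this example's own choices. The default SSLContext here carries no server key material, so the engine can be configured and inspected offline but will not complete a handshake; a real server initializes its SSLContext with a KeyManager.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ServerCipherOrder {

    // Server preference for this example (an assumption of the example, not a
    // recommendation from the review thread): forward-secret AEAD suites first.
    static final String[] PREFERRED = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    // Keep only the suites this runtime actually supports, preserving the order
    // of PREFERRED. SSLEngine.setSSLParameters rejects unknown suite names with
    // an IllegalArgumentException, so filtering first keeps the config portable.
    static String[] intersectInOrder(String[] preferred, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String suite : preferred) {
            if (available.contains(suite)) {
                out.add(suite);
            }
        }
        return out.toArray(new String[0]);
    }

    // Build a server-mode engine whose own cipher suite order is honored during
    // the handshake: the server selects the first suite in its list that the
    // client also offered, instead of following the ClientHello ordering.
    static SSLEngine configureServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);            // the server is the party that picks the suite

        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(intersectInOrder(PREFERRED, engine.getSupportedCipherSuites()));
        params.setUseCipherSuitesOrder(true);      // honor the local (server) order
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();  // no server key material: configuration demo only
        SSLEngine engine = configureServerEngine(ctx);

        SSLParameters effective = engine.getSSLParameters();
        System.out.println("useCipherSuitesOrder = " + effective.getUseCipherSuitesOrder());
        System.out.println("server preference    = " + Arrays.toString(effective.getCipherSuites()));
    }
}
```

Reading the parameters back from the engine, rather than trusting the SSLParameters object that was passed in, is the check worth keeping: it confirms both that the flag survived setSSLParameters and that the filtered suite list is the one the provider will negotiate from. The same pattern applies to an SSLSocket or SSLServerSocket obtained from the context.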