[JDK 8] Code review request 7188657, There should be a way to reorder the JSSE ciphers

Florian Weimer fweimer at redhat.com
Fri Aug 30 07:52:09 UTC 2013


On 08/28/2013 12:43 PM, Xuelei Fan wrote:

> It is the initial motivation to update the behavior of server cipher
> suite selection.  However, we noted that we never specify the ordering
> of cipher suites in the ClientHello message.  Although the Oracle provider
> has honored the order of SSLParameters.getCipherSuites() for years, we
> never say how we actually do it.  It's a good time to specify the ordering
> on the client side also in this update.
>
> This API will not impact the client behavior of the Oracle provider.
> However, it can be an instinctive guide for third parties' provider
> implementations, and a clear spec for applications to enforce the cipher
> suite ordering.

Ah, so for clients, there are two or three unknowns affecting the cipher 
suite selection: the JSSE provider might reorder the suites prior to 
transmission, the server might not support the requested algorithms with 
the highest priority, or it might prioritize its choice of algorithm not 
based on the order of received cipher suites, but some other criterion.

On the server side, the JSSE provider might ignore the new parameter.

Is it possible to include this information in the Javadoc, without 
making it part of the specification?  This looks like useful information 
to me.

-- 
Florian Weimer / Red Hat Product Security Team