[JDK 8] Code review request 7188657, There should be a way to reorder the JSSE ciphers
Florian Weimer
fweimer at redhat.com
Fri Aug 30 07:52:09 UTC 2013
On 08/28/2013 12:43 PM, Xuelei Fan wrote:
> It is the initial motivation to update the behavior of server cipher
> suite selection. However, we noted that we never specify the ordering
> of cipher suites in the ClientHello message. Although the Oracle provider
> has honored the order of SSLParameters.getCipherSuites() for years, we
> never say how to actually do it. It's a good time to specify the ordering
> on the client side also in this update.
>
> This API will not impact the client behavior of the Oracle provider.
> However, it can be an instinctive guide for third-party provider
> implementations, and a clear spec for applications to enforce the cipher
> suite ordering.

Ah, so for clients, there are two or three unknowns affecting the cipher
suite selection: the JSSE provider might reorder the suites prior to
transmission, the server might not support the requested algorithms with
the highest priority, or it might prioritize its choice of algorithm not
based on the order of received cipher suites, but some other criterion.
On the server side, the JSSE provider might ignore the new parameter.

Is it possible to include this information in the Javadoc, without
making it part of the specification? This looks like useful information
to me.
--
Florian Weimer / Red Hat Product Security Team