[JDK 8] Code review request 7188657, There should be a way to reorder the JSSE ciphers

Xuelei Fan xuelei.fan at oracle.com
Fri Aug 30 01:04:05 PDT 2013


On 8/30/2013 3:52 PM, Florian Weimer wrote:
> On 08/28/2013 12:43 PM, Xuelei Fan wrote:
> 
>> It is the initial motivation to update the behavior of server cipher
>> suite selection.  However, we noted that we never specify the ordering
>> of cipher suites in ClientHello message.  Although Oracle provider honor
>> the order of SSLParameters.getCipherSuites() for year, but we never say
>> how actually do it.  It's good time to specify the ordering in client
>> side also in this update.
>>
>> This API will not impact client behavior of Oracle provider.  However,
>> it can be an instinctive guide for third party's provider
>> implementation, and a clear spec for application to enforce the cipher
>> suites ordering.
> 
> Ah, so for clients, there are two or three unknowns affecting the cipher
> suite selection: the JSSE provider might reorder the suites prior to
> transmission, the server might not support the requested algorithms with
> the highest priority, or it might prioritize its choice of algorithm not
> based on the order of received cipher suites, but some other criterion.
> 
True.  Anyway, the server cannot select a cipher suite out of the
requested list.

> On the server side, the JSSE provider might ignore the new parameter.
> 
> Is it possible to include this information in the Javadoc, without
> making it part of the specification?  This looks like useful information
> to me.
> 
Yes, should have a section in JSSE Reference Guide to describe the
impact of this parameter.

Thanks,
Xuelei


More information about the security-dev mailing list