[JDK 8] Code review request 7188657, There should be a way to reorder the JSSE ciphers
Xuelei Fan
xuelei.fan at oracle.com
Fri Aug 30 08:04:05 UTC 2013
On 8/30/2013 3:52 PM, Florian Weimer wrote:
> On 08/28/2013 12:43 PM, Xuelei Fan wrote:
>
>> It is the initial motivation to update the behavior of server cipher
>> suite selection. However, we noted that we never specify the ordering
>> of cipher suites in the ClientHello message. Although the Oracle provider
>> has honored the order of SSLParameters.getCipherSuites() for years, we
>> never say how it actually does it. It's a good time to specify the
>> ordering on the client side also in this update.
>>
>> This API will not impact the client behavior of the Oracle provider.
>> However, it can be an instinctive guide for third-party provider
>> implementations, and a clear spec for applications to enforce the cipher
>> suite ordering.
>
> Ah, so for clients, there are two or three unknowns affecting the cipher
> suite selection: the JSSE provider might reorder the suites prior to
> transmission, the server might not support the requested algorithms with
> the highest priority, or it might prioritize its choice of algorithm not
> based on the order of received cipher suites, but some other criterion.
>
True. Anyway, the server cannot select a cipher suite out of the
requested list.

> On the server side, the JSSE provider might ignore the new parameter.
>
> Is it possible to include this information in the Javadoc, without
> making it part of the specification? This looks like useful information
> to me.
>
Yes, we should have a section in the JSSE Reference Guide to describe the
impact of this parameter.

Thanks,
Xuelei