2014-08-01 12:34 GMT+02:00 Mark Thomas <ma...@apache.org>:
> On 31/07/2014 22:50, Mark Thomas wrote:
> > I'm beginning to think that this feature is more effort than it is worth.
>
> <snip/>
>
> > The expected behaviour of this code is that for any given specification:
> > - passing it through OpenSSL and mapping the resulting ciphers to those
> >   supported by the current JRE; and
> > - passing it through this parser
> >
> > gives the same set of JSSE ciphers in the same order.
> >
> > Every time this doesn't happen we have a potential security issue since
> > a weaker than intended cipher may be enabled. The incorrect handling of
> > "ALL" that I have just fixed is an obvious example of such an issue.
>
> Actually it is worse than that. Any difference is a potential security
> issue as aliases may be used for inclusion and exclusion. Any
> differences in the results for an alias could result in a cipher being
> enabled that shouldn't be.
>

Well, it can be disabled easily by reverting back to the old default in the endpoint. Sorry for all the defects, the code that was submitted was supposed to be fine ;)

If you think the feature is too complex and doesn't provide enough benefit, it can also be removed altogether.

Rémy
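The differential check Mark describes above (same set of ciphers, same order, for every specification, with any divergence treated as a defect because aliases are used both to include and to exclude suites) can be modelled in a few lines. The following is an added example, not code from this thread, from Tomcat or from OpenSSL: it implements a small OpenSSL-style cipher-string evaluator over a constructed cipher table, exposes one constructed defect switch (`all_includes_null`, which makes `ALL` wrongly cover eNULL suites; this is an illustration, not the actual bug discussed), and compares the reference and candidate results the way the thread proposes. The simplified alias rules (`ALL`, `eNULL`/`NULL`, `aNULL`, `HIGH`/`MEDIUM`/`LOW`, literal names) and the table contents are assumptions made for the example.

```python
"""Differential check of an OpenSSL-style cipher-string evaluator.

Added example (not code from the thread or from Tomcat). It models the
test described in the thread: evaluate a specification with a reference
implementation and with a candidate parser, and treat any difference in
the resulting set or order as a defect. The cipher table, the
`all_includes_null` defect switch and the simplified alias rules are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str      # OpenSSL-style suite name
    strength: str  # HIGH, MEDIUM, LOW or NONE (eNULL suites have no strength)
    enc: str       # bulk cipher; "NULL" marks an eNULL suite
    auth: str      # authentication; "NULL" marks an aNULL suite


# Constructed table, listed in the order the reference implementation emits.
CIPHERS = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "HIGH", "AESGCM", "RSA"),
    Cipher("ECDHE-RSA-AES128-SHA", "HIGH", "AES", "RSA"),
    Cipher("AES128-SHA", "HIGH", "AES", "RSA"),
    Cipher("ADH-AES128-SHA", "HIGH", "AES", "NULL"),
    Cipher("DES-CBC3-SHA", "MEDIUM", "3DES", "RSA"),
    Cipher("RC4-MD5", "MEDIUM", "RC4", "RSA"),
    Cipher("NULL-SHA", "NONE", "NULL", "RSA"),
]


def alias_members(name, table, all_includes_null=False):
    """Expand one alias or literal suite name to the matching table entries.

    OpenSSL's ALL excludes eNULL suites; `all_includes_null=True` is a
    constructed defect that makes ALL cover them too.
    """
    if name == "ALL":
        return [c for c in table if all_includes_null or c.enc != "NULL"]
    if name in ("eNULL", "NULL"):
        return [c for c in table if c.enc == "NULL"]
    if name == "aNULL":
        return [c for c in table if c.auth == "NULL"]
    if name in ("HIGH", "MEDIUM", "LOW"):
        return [c for c in table if c.strength == name]
    literal = [c for c in table if c.name == name]
    if not literal:
        raise ValueError(f"unknown cipher or alias: {name}")
    return literal


def evaluate(spec, table=CIPHERS, *, all_includes_null=False):
    """Evaluate a ':'-separated cipher string with OpenSSL-like prefix rules.

    No prefix appends suites not yet present; '-' removes (re-addable);
    '!' removes permanently; '+' moves matching suites to the end.
    """
    enabled = []
    killed = set()
    for element in spec.split(":"):
        if not element:
            continue
        prefix, name = (element[0], element[1:]) if element[0] in "!-+" else ("", element)
        members = alias_members(name, table, all_includes_null)
        if prefix == "!":
            killed.update(members)
            enabled = [c for c in enabled if c not in killed]
        elif prefix == "-":
            enabled = [c for c in enabled if c not in members]
        elif prefix == "+":
            enabled = [c for c in enabled if c not in members] + [c for c in enabled if c in members]
        else:
            for c in members:
                if c not in enabled and c not in killed:
                    enabled.append(c)
    return [c.name for c in enabled]


def compare(reference, candidate):
    """Report how a candidate result diverges from the reference result."""
    ref_set, cand_set = set(reference), set(candidate)
    return {
        "extra": [c for c in candidate if c not in ref_set],   # enabled, but should not be
        "missing": [c for c in reference if c not in cand_set],
        "reordered": ref_set == cand_set and reference != candidate,
    }


def check_spec(spec, **candidate_flags):
    """Run reference and candidate on one spec and return the divergence report."""
    return compare(evaluate(spec), evaluate(spec, **candidate_flags))


if __name__ == "__main__":
    for spec in ("ALL:!aNULL", "ALL:!aNULL:!eNULL", "HIGH:MEDIUM:-RC4-MD5:+AES128-SHA"):
        print(spec, "->", check_spec(spec, all_includes_null=True))
```

With the constructed defect enabled, `ALL:!aNULL` reports `NULL-SHA` as an extra suite: the specification never mentioned it, yet the candidate would enable it, which is exactly the "weaker than intended cipher" case from the thread. The same check passes for `ALL:!aNULL:!eNULL`, showing why a divergence in one alias can stay hidden behind another exclusion and why every alias needs to be compared, not only the specifications that happen to be in use.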