On Wed, Aug 07, 2013 at 08:54:15AM +0200, Bernd Eckenfels wrote:
> Well yes, if you think there is a bad cipher in the default enabled suite
> then it is good to disable it (The default enabled list is better these
> days). You can do that without setting a new boolean flag which is ignored
> by the default implementation.

I don't think disabling ciphers on the server side works that great in Java since the client can still screw up the ordering. I have seen some bugs from this myself, regardless of what it might claim in the RFC.

> If the JDK JSSE implementation will offer different server side strategies to
> pick the cipher it would be most helpful to have a (string) option to
> specify the strategy. This option name can be standardized and others then
> can pick it up as well. You could even specify "RFC" and "ServerOrder" as
> the two mandatory supported options.

Yes, I agree with your and others' suggestions on this. It should use Enum or String or even Integer constants of some sort instead of anything hard-coded like individual Booleans.

> Greetings
> Bernd

Matthew.
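As an added illustration (not code from this thread, and not the JDK's own code), here is how the "ServerOrder" strategy Bernd names is expressed with the SSLParameters API that JDK 8 later shipped: the server pins an explicit allowlist of suites in its own preference order and calls setUseCipherSuitesOrder(true), so the client's ordering of its ClientHello list no longer decides which suite is negotiated. The allowlist, the class name and the helper serverOrderParameters are assumptions made for this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ServerOrderExample {

    // Hypothetical server allowlist, most preferred first (an assumption for this example).
    static final String[] PREFERRED = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /**
     * Build SSLParameters implementing a "ServerOrder" strategy:
     * only allowlisted suites are enabled, in the server's order, and the
     * server's order takes precedence over the order the client sends.
     */
    static SSLParameters serverOrderParameters(SSLEngine engine, String[] preferred) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        List<String> enabled = new ArrayList<>();
        for (String suite : preferred) {
            if (supported.contains(suite)) {
                enabled.add(suite);   // preserves the allowlist order
            } else {
                System.err.println("skipping suite not supported by this JSSE provider: " + suite);
            }
        }
        if (enabled.isEmpty()) {
            // Fail closed rather than silently falling back to the provider defaults.
            throw new IllegalStateException("no preferred cipher suite is supported");
        }
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(enabled.toArray(new String[0]));
        params.setUseCipherSuitesOrder(true);   // JDK 8+: honour the local (server) order, not the peer's
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);          // server side of the handshake
        engine.setSSLParameters(serverOrderParameters(engine, PREFERRED));
        System.out.println("enabled, in server preference order:");
        for (String s : engine.getEnabledCipherSuites()) {
            System.out.println("  " + s);
        }
        System.out.println("server order enforced: "
                + engine.getSSLParameters().getUseCipherSuitesOrder());
    }
}
```

On JDK 7 and earlier, the releases this thread is discussing, SSLParameters has no setUseCipherSuitesOrder, so the allowlist alone removes a bad suite from consideration but the selection among the remaining suites still follows the client's order, which is the behaviour Matthew describes above. Restricting the list to suites that are all acceptable is therefore the defence that works on every JDK; the ordering preference is an additional control where the API offers it.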