On 8/28/2013 5:57 PM, Florian Weimer wrote:
> On 08/28/2013 11:02 AM, Xuelei Fan wrote:
>> Hi,
>>
>> Please review this update to support cipher suite reordering:
>>
>> webrev: http://cr.openjdk.java.net/~xuelei/7188657/webrev.00/
>>
>> Two new methods are added to SSLParameters:
>> public final void setUseCipherSuitesOrder(boolean honorOrder);
>> public final boolean getUseCipherSuitesOrder();
>>
>> If SSLParameters.getUseCipherSuitesOrder() returns true, the local cipher
>> suites order returned in SSLParameters.getCipherSuites() should be
>> honored during SSL/TLS handshaking.
>
> The documentation should say this parameter only applies to the server
> side because that's the party that picks the cipher suite.
>
That was the initial motivation for updating the behavior of server cipher suite selection. However, we noted that we never specified the ordering of cipher suites in the ClientHello message. Although the Oracle provider has honored the order of SSLParameters.getCipherSuites() for years, we never said how it actually does it. It is a good time to specify the ordering on the client side as well in this update.

This API will not impact the client behavior of the Oracle provider. However, it can be an instinctive guide for third-party provider implementations, and a clear spec for applications to enforce the cipher suites ordering.

> I wonder if an enum (with members LOCAL and PEER, and perhaps
> UNSPECIFIED) would be more appropriate than a boolean flag.

I understand your concerns. It's pretty confusing when one thinks of SSLParameters on both the client and server sides. The confusion happens not only with this pair of methods, but also with some old methods, for example s/getProtocols(). But I think if we consider the method from one side, client or server, at a time, the meaning may be easy to understand. On the client side, setUseCipherSuitesOrder() means to honor the local/client cipher suites order; on the server side, setUseCipherSuitesOrder() means to honor the local/server cipher suites order. Per your suggestion, as PEER cannot apply to the client side, it might be a little confusing for client-side application developers.

Thanks for the support!

Regards,
Xuelei
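The following is an added example, not code from the webrev or from the JDK, showing how a server would use the proposed SSLParameters.setUseCipherSuitesOrder(boolean) API (Java 8 or later is assumed, where the method ships as described above) and modelling the two selection rules discussed in the thread. The preference list, the class name, and the sample ClientHello offer are constructed for illustration; the select() method is a stand-alone model of the rule, not the provider's own selection code.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

/** Added example: make a server honor its own cipher suite order. Not JDK code. */
public final class ServerCipherOrderExample {

    // Assumed, illustrative preference list (strongest first). Adjust to your policy.
    static final String[] PREFERRED = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    /**
     * Server-side SSLParameters: only our preferred suites, in our order,
     * and a request that the provider honor that order rather than the client's.
     */
    static SSLParameters serverParameters(SSLContext ctx) {
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        String[] enabled = Arrays.stream(PREFERRED)
            .filter(supported::contains)      // drop names this provider does not support
            .toArray(String[]::new);
        if (enabled.length == 0) {
            throw new IllegalStateException("none of the preferred suites are supported");
        }
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setCipherSuites(enabled);
        p.setUseCipherSuitesOrder(true);    // server selects from ITS list first
        return p;
    }

    /** Apply the parameters to a listening socket. */
    static SSLServerSocket listen(SSLContext ctx, int port) throws IOException {
        SSLServerSocket ss =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setSSLParameters(serverParameters(ctx));
        return ss;
    }

    /** Same parameters on a server-mode SSLEngine (NIO servers). */
    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine e = ctx.createSSLEngine();
        e.setUseClientMode(false);
        e.setSSLParameters(serverParameters(ctx));
        return e;
    }

    /**
     * Model of the server-side selection rule described in the thread:
     * honorLocalOrder=true  -> first suite in the server's list that the client offered;
     * honorLocalOrder=false -> first suite in the client's list that the server enables.
     * An empty result means no suite in common (the handshake would fail).
     */
    static Optional<String> select(List<String> clientOffered,
                                   List<String> serverEnabled,
                                   boolean honorLocalOrder) {
        List<String> first  = honorLocalOrder ? serverEnabled : clientOffered;
        List<String> second = honorLocalOrder ? clientOffered : serverEnabled;
        return first.stream().filter(second::contains).findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample offer: the client ranks a CBC suite first.
        List<String> client = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        List<String> server = Arrays.asList(PREFERRED);
        System.out.println("client order honored: " + select(client, server, false).orElse("none"));
        System.out.println("server order honored: " + select(client, server, true).orElse("none"));
    }
}
```

Running main() shows the practical difference: the client's first choice (a CBC suite) never wins because the server does not enable it at all, while with the flag on the server's AES-256 GCM preference is chosen instead of the AES-128 GCM suite the client ranked higher. As the thread notes, the flag only changes which party's preference decides on the server; on the client it merely fixes the order in which the suites are advertised in the ClientHello, which the Oracle provider already does.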