On 08/28/2013 12:43 PM, Xuelei Fan wrote:

It is the initial motivation to update the behavior of server cipher
suite selection.  However, we noted that we never specify the ordering
of cipher suites in the ClientHello message.  Although the Oracle provider
has honored the order of SSLParameters.getCipherSuites() for years, we never
say how it actually does it.  It's a good time to specify the ordering on the
client side also in this update.

This API will not impact the client behavior of the Oracle provider.  However,
it can be an instinctive guide for third-party provider
implementations, and a clear spec for applications to enforce the cipher
suite ordering.

Ah, so for clients, there are two or three unknowns affecting the cipher suite selection: the JSSE provider might reorder the suites prior to transmission, the server might not support the requested algorithms with the highest priority, or it might prioritize its choice of algorithm not based on the order of received cipher suites, but some other criterion.

On the server side, the JSSE provider might ignore the new parameter.

Is it possible to include this information in the Javadoc, without making it part of the specification? This looks like useful information to me.

--
Florian Weimer / Red Hat Product Security Team
