On 8/30/2013 3:52 PM, Florian Weimer wrote:
> On 08/28/2013 12:43 PM, Xuelei Fan wrote:
>
>> It is the initial motivation to update the behavior of server cipher
>> suite selection. However, we noted that we never specify the ordering
>> of cipher suites in the ClientHello message. Although the Oracle provider
>> has honored the order of SSLParameters.getCipherSuites() for years, we never say
>> how actually do it. It's a good time to specify the ordering on the client
>> side also in this update.
>>
>> This API will not impact the client behavior of the Oracle provider. However,
>> it can be an instinctive guide for third party's provider
>> implementation, and a clear spec for applications to enforce the cipher
>> suites ordering.
>
> Ah, so for clients, there are two or three unknowns affecting the cipher
> suite selection: the JSSE provider might reorder the suites prior to
> transmission, the server might not support the requested algorithms with
> the highest priority, or it might prioritize its choice of algorithm not
> based on the order of received cipher suites, but some other criterion.
>
True. Anyway, the server cannot select a cipher suite out of the requested list.

> On the server side, the JSSE provider might ignore the new parameter.
>
> Is it possible to include this information in the Javadoc, without
> making it part of the specification? This looks like useful information
> to me.
>
Yes, we should have a section in the JSSE Reference Guide to describe the impact of this parameter.

Thanks,
Xuelei
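
The selection behaviour discussed in this thread, as an added example that is not part of the original messages and is not JSSE code: it models a server choosing a suite either by the client's order or by its own, always from within the list the client offered. The class and method names are hypothetical and the suite lists are constructed sample data.

```java
import java.util.List;
import java.util.Optional;

// Added illustration; class and method names are hypothetical, not JSSE API.
public class CipherSuiteSelection {

    // Models a server's choice. Whatever the policy, the result is always
    // drawn from the list the client offered in its ClientHello.
    static Optional<String> select(List<String> clientOffered,
                                   List<String> serverEnabled,
                                   boolean useServerOrder) {
        // The list that is walked decides whose priorities win;
        // the other list only acts as a filter.
        List<String> walk  = useServerOrder ? serverEnabled : clientOffered;
        List<String> other = useServerOrder ? clientOffered : serverEnabled;
        return walk.stream().filter(other::contains).findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample lists, highest priority first.
        List<String> client = List.of(
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA");
        List<String> server = List.of(
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

        // Client order honored: the client's first choice is not supported
        // by the server, so the client's second choice is selected.
        System.out.println(select(client, server, false));

        // Server order used: the server's own ranking wins and the
        // client's lowest-priority suite is selected.
        System.out.println(select(client, server, true));

        // No suite in common: nothing can be selected, which in a real
        // handshake means failure rather than a suite the client never sent.
        System.out.println(select(client, List.of("TLS_AES_128_GCM_SHA256"), true));
    }
}
```

The second case is the one a client cannot control: its ordering is a request, and the suite actually negotiated has to be checked after the handshake.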