-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark,
On 5/25/16 10:38 AM, Mark Thomas wrote: > On 25/05/2016 15:17, Utkarsh Dave wrote: >> Hello Mark, >> >> I have a question for SSL Support - BIO and NIO. It is mention >> that useServerCipherSuitesOrder can be used with Java 8 only So >> is there a way (in java 7 and BIO and NIO support ) or another >> parameter we can use with "ciphers" to force client follow the >> order of ciphers. > > No. > >> The JSSE implementation guide documents that the client tells the >> server which cipher suites it has available, and the server >> chooses the best mutually acceptable cipher suite. > > Then the JSSE implementation guide is wrong. The client presents > the ciphers it supports in client preference order and the server > picks the first one it can support. No, it doesn't. The server is free to choose whatever cipher is mutually-supported. Unless "honor server cipher ordering" is enabled, most servers will choose the first cipher presented by the client. The tradition of using the client's favorite cipher suite is just that: a tradition. It's not in the spec at all: " The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first). Each cipher suite defines a key exchange algorithm, a bulk encryption algorithm (including secret key length), a MAC algorithm, and a PRF. The server will select a cipher suite or, if no acceptable choices are presented, return a handshake failure alert and close the connection. If the list contains cipher suites the server does not recognize, support, or wish to use, the server MUST ignore those cipher suites, and process the remaining ones as usual. " (https://tools.ietf.org/html/rfc5246#page-40) The problem here is the definition of "best". If the JSSE implementation guide thinks that "best" is "most preferred by the client" then it will choose the first mutually-supported cipher suite. Your definition of "best" probably means "highest security", and so it will fail your test while passing the client's test of "best". This is why "honor server cipher suite order" was invented: it allows the SERVER to decide what "best" means instead of leaving the decision to "tradition" by whatever definition. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAldFwuAACgkQ9CaO5/Lv0PCUJwCfQhGYpK6SZJyK1vPejbVbeGe9 vJ4An3nj//KAgd2yPqx1dbktuHXjRXcn =7y3S -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
