How to specify server-preferred order of SSL cipher suites for Java?
I'm using Java 1.6 and netty 3.8 for an HTTP/HTTPS server. I've done an SSL test with ssllabs.com (https://www.ssllabs.com/ssltest/analyze.html), and I got a result for cipher suites like below.

Cipher Suites (sorted by strength; the server has no preference)

But, a result for google.com is something different. https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com&s=74.125.227.148

Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)

How can I set server-side preference order for cipher suites? Does JSSE have any property or API about that?

Thanks in advance.

Genisia answered 30/12, 2013 at 9:41 Comment(0)

You could try calling setEnabledCipherSuites() with an array in the desired order, but there's nothing in the JSSE documentation that suggests it will use that order as the preferred order, and there's nothing in the TLS RFC 2246 that says the server is obliged to obey any particular ordering when choosing among the cipher suites suggested by the client.

EDIT You might be better off putting an Apache HTTPD reverse proxy in front of your server and terminating the SSL there. Apache HTTPD uses OpenSSL, which lets you do exactly what you are looking for. It's also better for situations where some webapps need client certificates and others don't, assuming you are writing webapps of course.

Supercilious answered 30/12, 2013 at 23:58 Comment(1)
I've already tried to call setEnabledCipherSuites() with my preference order, but it didn't work. There might be no way to specify it. :( Thank you! – Genisia

Since Java 1.8, there is a setUseCipherSuitesOrder method on the SSLParameters class.

The way that is set depends on the server you are using. If you have access to the SSLEngine you can get the parameters, change the value, and then set the parameters back on the engine.

Ufa answered 5/3, 2019 at 15:33 Comment(0)
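Putting the answer above into working code, as an added example that is not part of the original thread: a server-mode SSLEngine (and, for comparison, an SSLServerSocket) whose SSLParameters are read, reordered, and written back with setUseCipherSuitesOrder(true). The suite list, the keystore path and password taken from the command line, and the netty 3.8 wiring mentioned in the comments (passing the engine to SslHandler) are assumptions for illustration, not settings from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example: a server-side SSLEngine / SSLServerSocket that enforces its own
 * cipher-suite order via SSLParameters.setUseCipherSuitesOrder (Java 8+ API).
 */
public final class ServerPreferredCiphers {

    // Hypothetical policy: the suites we want offered, strongest first.
    // Anything the local JSSE provider does not support is dropped; order is kept.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    };

    /** Intersects PREFERRED with what the provider supports, preserving PREFERRED's order. */
    static String[] orderedSupported(String[] supported, String[] preferred) {
        List<String> have = Arrays.asList(supported);
        List<String> out = new ArrayList<String>();
        for (String suite : preferred) {
            if (have.contains(suite)) {
                out.add(suite);
            }
        }
        if (out.isEmpty()) {
            throw new IllegalStateException("none of the preferred cipher suites are supported");
        }
        return out.toArray(new String[0]);
    }

    /** Applies the policy to one parameter set: caller reads it, we modify it, caller writes it back. */
    static SSLParameters withServerOrder(SSLParameters params, String[] supported) {
        params.setCipherSuites(orderedSupported(supported, PREFERRED));
        params.setProtocols(new String[] {"TLSv1.2"});
        params.setUseCipherSuitesOrder(true); // the server's list order wins, not the client's
        return params;
    }

    /** One engine per connection; with netty 3.8 this is what you hand to new SslHandler(engine). */
    static SSLEngine newServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // getSSLParameters() returns a copy; nothing takes effect until setSSLParameters().
        engine.setSSLParameters(withServerOrder(engine.getSSLParameters(),
                                                engine.getSupportedCipherSuites()));
        return engine;
    }

    /** Same policy for a plain JSSE SSLServerSocket (a non-netty server). */
    static void configure(SSLServerSocket socket) {
        socket.setSSLParameters(withServerOrder(socket.getSSLParameters(),
                                                socket.getSupportedCipherSuites()));
    }

    /** Loads a PKCS12 keystore (path and password from the command line) into an SSLContext. */
    static SSLContext loadContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Usage: java ServerPreferredCiphers server.p12 <keystore-password> */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = loadContext(args[0], args[1].toCharArray());
        SSLEngine engine = newServerEngine(ctx);
        SSLParameters applied = engine.getSSLParameters();
        System.out.println("useCipherSuitesOrder = " + applied.getUseCipherSuitesOrder());
        System.out.println("enabled, in server order: " + Arrays.toString(applied.getCipherSuites()));
    }
}
```

The two things that trip people up are both in newServerEngine: getSSLParameters() hands back a copy, so the change is lost unless setSSLParameters() is called afterwards, and an engine is per connection, so the configuration has to happen wherever the engine is created (in netty, the factory that feeds SslHandler), not once at startup. The practical check is the same test the question started from: rerun the SSL Labs scan and the cipher-suite heading should change from "the server has no preference" to "server-preferred order".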

Server preferred order is default: https://bugs.openjdk.org/browse/JDK-8168261

Innutrition answered 29/5, 2023 at 10:8 Comment(0)
