JDK-8219657 : Use server cipher suites preference by default
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2019-02-25
  • Updated: 2019-03-20
  • Resolved: 2019-03-20
Description
Summary
-------
Propose to use server cipher suite preference by default for TLS handshaking in the SunJSSE provider. 

Problem
-------
In TLS protocols, a cipher suite defines a series of security parameters.  In general, both client and server support multiple cipher suites.

During the handshaking, the client side requests to negotiate one of them. In the client request, the cipher suites are listed in descending order of client preference.

The server side then selects one cipher suite from the list.  The selection may honor either the client's requested preference or the server's own preference, as configured with the SSLParameters.setUseCipherSuitesOrder() method.

In the SunJSSE provider, the server honors the client cipher suite preference by default. Using the server cipher suite preference is easier to maintain, and it gives the server more control over the security parameters of TLS connections.

Solution
--------
Update the SunJSSE provider implementation to use server side cipher suite preference by default. Applications can change the behavior with the existing SSLParameters.setUseCipherSuitesOrder() method.

Note that this update impacts the SunJSSE provider only. There is no impact on the behavior and specification of SSLParameters.
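
The following is an added example, not part of this CSR or of the JDK sources. It models the two selection policies on constructed cipher suite lists, then pins the policy explicitly on a server-side SSLEngine so that the result does not depend on the provider default. The class name CipherSuiteOrderDemo and the helper select() are hypothetical, and select() is a simplification of what the provider does.

```java
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class CipherSuiteOrderDemo {

    // Simplified model of the server's choice (hypothetical helper): walk one
    // side's list in preference order and take the first suite the other side
    // also offers. A real handshake also filters by protocol version, key
    // type and algorithm constraints.
    static String select(List<String> clientOrder, List<String> serverOrder,
                         boolean useServerOrder) {
        List<String> preferred = useServerOrder ? serverOrder : clientOrder;
        List<String> other = useServerOrder ? clientOrder : serverOrder;
        for (String suite : preferred) {
            if (other.contains(suite)) return suite;
        }
        return null; // no common suite: the handshake would fail
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample lists, most preferred first.
        List<String> client = List.of(
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        List<String> server = List.of(
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");

        System.out.println("client order honored: " + select(client, server, false));
        System.out.println("server order honored: " + select(client, server, true));

        // Set the policy explicitly on a server-side engine instead of
        // relying on whichever default the running JDK release applies.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        SSLParameters params = engine.getSSLParameters();
        System.out.println("value reported before pinning: "
            + params.getUseCipherSuitesOrder());
        params.setCipherSuites(server.toArray(new String[0])); // server's order
        params.setUseCipherSuitesOrder(true);                  // honor that order
        engine.setSSLParameters(params);
        System.out.println("value after pinning: "
            + engine.getSSLParameters().getUseCipherSuitesOrder());
    }
}
```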

Specification
-------------
See "Solution" section.
Comments
Thanks for the clarification; moving to Approved.
20-03-2019

This updates the SunJSSE provider behavior only, no impact on the API specification. In the spec of SSLParameters constructor, the useCipherSuitesOrder is set to false: "The values ... useCipherSuitesOrder, ... are set to false". As I don't know the compatibility risk, there is no plan to change the SSLParameters specification for now.
20-03-2019

Pending the bug to indicate a question is still outstanding.
19-03-2019

Please answer the earlier question about whether or not this change can be reasonably documented in the API.
16-03-2019

Just want to confirm that there is not an API element where this change could reasonably be documented? I see the parent bug is marked for a release note already.
13-03-2019