On 09/25/2015 06:42 AM, Simone Bordet wrote:
> Hi,
> On Fri, Sep 25, 2015 at 11:47 AM, Xuelei Fan <xuelei....@oracle.com> wrote:
>> Here is the question to answer: which preference should be respected
>> first, cipher suite or application protocol? If application
>> protocols are preferred first, of course, application preference
>> should be respected first; otherwise, cipher suite preference should
>> be respected first.
> The answer to this question has been decided when the algorithm has
> been chosen to be:
>
>   for each cipher
>     for each application protocol
>     end
>   end
>
> All the rest being equal, ciphers dominate application protocol selection.
>
> Are you suggesting to change this to:
>
>   for each application protocol
>     for each cipher
>     end
>   end
>
> ?
>
> It's in the hands of the role that configures application protocols
> and ciphers to decide whether it's more important to prefer a protocol
> or a cipher.
I agree with this, but...
> To put it a different way:
>
> If the role prefers application protocols, it has to sort the ciphers
> to influence that.
> If the role prefers ciphers, it has to sort the ciphers.
> No matter what, it has to sort the ciphers.
...why does sorting even matter? Why should selection not be
implemented 100% in user code, based on both the cipher suites list and
application protocol, rendering this whole discussion pointless? It's
clearly a complex enough process (which is highly protocol-specific)
that it seems to me quite unlikely that the JDK can possibly implement
this in a way that will work for all use cases.
>> Therefore, personally, I think applications may want a handy tool to sort
>> the cipher suites by strength for general purposes, but not for
>> application protocol.
> Because HTTP/2 would probably be popular given the success of its
> predecessor, it would be handy to have an HTTP/2 comparator to
> influence the selection of the HTTP/2 protocol.
> Nothing forbids offering a comparator by cipher strength too.
Ugh, why not just let the user decide *if* they want to sort (and
filter) ciphers, and if so, they can do it themselves using
Arrays.sort() on the ciphers array, which should already be more than
adequate.
In fact, why not just use the SSLExplorer approach and be done with this
already?
--
- DML
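As an added illustration of the two loop orderings discussed in the thread and of the sort-the-ciphers-yourself alternative David proposes, here is selection done entirely in user code over the same inputs. This is example code written for this page, not code from the JDK, from Simone Bordet or from David Lloyd. The H2_RULE predicate is a deliberately simplified stand-in for the RFC 7540 Section 9.2.2 / Appendix A requirements (ECDHE key exchange plus an AEAD cipher), the cipher suite names and ALPN list are constructed sample input, and no JSSE API is assumed beyond the plain String arrays that SSLParameters already exposes.

```java
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.function.BiPredicate;

// Cipher-suite / ALPN selection done entirely in user code: no JSSE internals involved,
// only the application's own cipher order and the client's ALPN list.
public final class AlpnSelection {

    /** A negotiated pair: the cipher suite and the application protocol chosen with it. */
    public static final class Choice {
        public final String cipherSuite;
        public final String protocol;

        Choice(String cipherSuite, String protocol) {
            this.cipherSuite = cipherSuite;
            this.protocol = protocol;
        }

        @Override
        public String toString() {
            return cipherSuite + " / " + protocol;
        }
    }

    // Compatibility rule, simplified on purpose (assumption of this example): "h2" only with
    // an ECDHE key exchange and a GCM (AEAD) cipher, a rough reading of RFC 7540 9.2.2;
    // "http/1.1" accepts any suite. Real code would check the full Appendix A black list.
    public static final BiPredicate<String, String> H2_RULE = (cipher, protocol) -> {
        if (!"h2".equals(protocol)) {
            return true;
        }
        return cipher.contains("_ECDHE_") && cipher.contains("_GCM_");
    };

    // "for each cipher / for each application protocol": the cipher order dominates.
    public static Choice cipherFirst(List<String> ciphers, List<String> protocols,
                                     BiPredicate<String, String> compatible) {
        for (String cipher : ciphers) {
            for (String protocol : protocols) {
                if (compatible.test(cipher, protocol)) {
                    return new Choice(cipher, protocol);
                }
            }
        }
        return null; // no usable pair: the handshake has to fail
    }

    // "for each application protocol / for each cipher": the protocol order dominates.
    public static Choice protocolFirst(List<String> ciphers, List<String> protocols,
                                       BiPredicate<String, String> compatible) {
        for (String protocol : protocols) {
            for (String cipher : ciphers) {
                if (compatible.test(cipher, protocol)) {
                    return new Choice(cipher, protocol);
                }
            }
        }
        return null;
    }

    // The "sort the ciphers" route: keep the application's order but move the suites that can
    // carry the preferred protocol to the front. Arrays.sort on objects is stable, so the
    // relative order inside each group is preserved.
    public static String[] sortForProtocol(String[] ciphers, String preferred,
                                           BiPredicate<String, String> compatible) {
        String[] copy = ciphers.clone();
        Arrays.sort(copy, Comparator.comparingInt((String c) -> compatible.test(c, preferred) ? 0 : 1));
        return copy;
    }

    public static void main(String[] args) {
        // Constructed sample input: a server cipher preference list (the kind of array
        // SSLParameters.getCipherSuites() returns) and the ALPN names offered by a client.
        List<String> serverCiphers = Arrays.asList(
                "TLS_RSA_WITH_AES_128_CBC_SHA",           // static RSA, CBC: not h2-capable
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",  // ephemeral, but not AEAD
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); // the suite RFC 7540 requires
        List<String> clientProtocols = Arrays.asList("h2", "http/1.1");

        System.out.println("cipher-first:   " + cipherFirst(serverCiphers, clientProtocols, H2_RULE));
        System.out.println("protocol-first: " + protocolFirst(serverCiphers, clientProtocols, H2_RULE));

        String[] sorted = sortForProtocol(serverCiphers.toArray(new String[0]), "h2", H2_RULE);
        System.out.println("sorted for h2:  " + Arrays.toString(sorted));
        System.out.println("sorted then cipher-first: "
                + cipherFirst(Arrays.asList(sorted), clientProtocols, H2_RULE));
    }
}
```

With this input the cipher-first loop returns TLS_RSA_WITH_AES_128_CBC_SHA with http/1.1: the first suite in the server's list cannot carry h2, so the inner loop falls through to http/1.1 before a better suite is ever considered. The protocol-first loop returns TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with h2. Sorting the array so the h2-capable suites come first (the step Simone says the configuring role has to do either way) makes the cipher-first loop land on the GCM suite with h2 as well. Note that sorting only reorders; a policy that must never negotiate a black-listed suite with h2 still needs the compatibility check (or a filter) inside the selection loop, which is the part that is easiest to get right in application code that knows the protocol.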