Patrick wrote:
> If I don't call setCipherPolicy, is the DOMESTIC policy used by default? The
> javadoc states that this "must be called before creating any SSL Socket". Is
> that really true?

Yes, domestic is the default because we call NSS_SetDomesticPolicy() during CryptoManager.initialize(). setCipherPolicy does not need to be called by a JSS app unless that app wants to limit itself to export-allowed cipher suites.

> Also, if I use setCipherPreference to turn off a particular SSL cipher, does
> this method *need to* be preceded by a call to setCipherPolicy in order for
> the disabling to take? I believe in NSS, that is the case (i.e., the
> SSL_CipherPrefSetDefault function should be called after a call to
> NSS_SetDomesticPolicy)

Actually, there is a bug in the documentation here. SSLSocket.setCipherPreference claims to enable/disable the given cipher "on this socket", but it actually is a static method that enables/disables the cipher for the whole process. I don't know about it having to be called in a particular order.
