On 9/25/2015 10:20 PM, Simone Bordet wrote:
> Hi,
> 
> On Fri, Sep 25, 2015 at 3:20 PM, Xuelei Fan <xuelei....@oracle.com> wrote:
>> For the complication, I posted the comments in previous mail here:
>>
>> -----------------------------
>>> In case you have [HTTP/2, AP_NEW, HTTP/1.1], then you can simply
>>> compose the comparators to sort first with the H2.CIPHER_COMPARATOR,
>>> then with AP_NEW.CIPHER_COMPARATOR.
>>>
>>> // Arrays.sort sorts in place and returns void
>>> Arrays.sort(cipherSuites,
>>>        ApplicationProtocol.H2.CIPHER_COMPARATOR.
>>>        thenComparing(AP_NEW.CIPHER_COMPARATOR));
>>>
>> Let's look at an example.  application_protocol_1 prefers cipher_suite_1,
>> and application_protocol_1 prefers cipher_suite_2.
>>
>> The comparator for application_protocol_1 would set the preference as
>> {cipher_suite_1, cipher_suite_2}, and the comparator for
>> application_protocol_2 would set the preference as {cipher_suite_2,
>> cipher_suite_1}.
>>
>> The result of sorting with 1 and then 2, and the result of sorting with
>> 2 and then 1, are different.
>>
>> The call sequence to the comparators, and the call to each comparator,
>> would give different results.  That may not be the expected behavior.
> 
> The example is malformed, since it does not specify which ciphers are
> good for which application protocol, nor the order of the
> application protocols.
> 
> Let me rewrite it:
> 
> application protocols: [ap1, ap2]
> ciphers: [c1, c2]
> 
> ap1 requires c1, does not work with c2
> ap2 requires c2, does not work with c1
> 
OK, as it makes the case simpler.

> Now the question is: you have to configure your system, what do you want to do?
> 
> If you want to favor ap1, then you sort [c1, c2]
> If you want to favor ap2, then you sort [c2, c1]
> If you want to favor c1, then you sort [c1, c2]
> If you want to favor c2, then you sort [c2, c1]
> 
> If you want to favor ap1 *and* c2, you have to decide what is more
> important between the two, because you cannot have both.
> 
> I don't see any problem, really.
> 
If "you" is the customer, I don't see any problem.  If "you" is OpenJDK,
the problem is that OpenJDK knows nothing about the conditions (if you
want to favor ...), and therefore cannot make the decision (sort)
internally.

I think we should be on the same page: customers can sort any way
they want.  SSLParameters.setCipherSuites() and
SSLParameters.setApplicationProtocols() can be used for any decision they
make.

> That the results are different, sure, but they are predictable.
> When the configuration uses one comparator, it will always be that
> result, and same for the other comparator.
> 
> But you configure the comparators based on what you want to do.
> 
Need a confirmation.  I think you agree that the sort happens before the
calls to SSLParameters.setCipherSuites() and
SSLParameters.setApplicationProtocols(), right?  As in the case I commented
on in the previous mail:

----------------
    // the customers' decision      // (1)
    String[] cipherSuites = {....}; // customer preference
    List<ApplicationProtocol> appProtocols =
                    {...};          // customer preference
+
+   // reorde the cipher suites     // (1.1)
+   cipherSuites = ...   // the actual customer preference
+
+   // reorder application protocols preference
+   appProtocols = ...   // the actual customer preference

    // configure the parameters     // (2)
    //
    // customer preferences should be respected.
    sslParameters.setCipherSuites(cipherSuites);
    sslParameters.setApplicationProtocols(appProtocols);
----------------

Xuelei
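
The ordering question discussed in this thread, as an added Java example that is not part of the original messages and not OpenJDK code. The `favoring` helper, the per-protocol preferences, the protocol names `ap1`/`ap2` and the sample suite list are constructed for illustration; `SSLParameters.setApplicationProtocols(String[])` and `Set.of` assume Java 9 or later.

```java
import java.util.Arrays;
import java.util.Comparator;
import java.util.Set;
import javax.net.ssl.SSLParameters;

public class ComparatorOrderDemo {
    // Hypothetical per-protocol comparator: suites the protocol favors sort first.
    // Boolean.FALSE orders before Boolean.TRUE, so "favored" must map to false.
    static Comparator<String> favoring(Set<String> favored) {
        return Comparator.comparing((String suite) -> !favored.contains(suite));
    }

    // Arrays.sort works in place and returns void, so sort a copy and return it.
    static String[] sorted(String[] suites, Comparator<String> order) {
        String[] copy = suites.clone();
        Arrays.sort(copy, order); // stable for object arrays: ties keep input order
        return copy;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for c1, c2 and an unrelated suite.
        String c1 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
        String c2 = "TLS_RSA_WITH_AES_128_CBC_SHA";
        String c3 = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
        String[] customer = {c3, c2, c1}; // the application's starting list

        Comparator<String> ap1 = favoring(Set.of(c1)); // ap1 works with c1
        Comparator<String> ap2 = favoring(Set.of(c2)); // ap2 works with c2

        // thenComparing consults the second comparator only on ties of the first,
        // so whichever comparator comes first decides the head of the list.
        String[] ap1First = sorted(customer, ap1.thenComparing(ap2));
        String[] ap2First = sorted(customer, ap2.thenComparing(ap1));
        System.out.println("ap1 then ap2: " + Arrays.toString(ap1First)); // c1, c2, c3
        System.out.println("ap2 then ap1: " + Arrays.toString(ap2First)); // c2, c1, c3

        // The composition order is the application's decision; it is made here,
        // before the parameters are configured, and then handed over unchanged.
        SSLParameters params = new SSLParameters();
        params.setCipherSuites(ap1First);
        params.setApplicationProtocols(new String[] {"ap1", "ap2"});
        System.out.println("configured:   " + Arrays.toString(params.getCipherSuites()));
    }
}
```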
