Hello,

On 07.08.2013 at 08:09, Matthew Hall <[email protected]> wrote:

> This sounds good in theory but when you work in an Internet scale content
> provider it breaks things when the client can pick bad ciphers and the server
> just allows it to happen like in default Java up until now.

Well yes, if you think there is a bad cipher in the default enabled suite then it is good to disable it (the default enabled list is better these days). You can do that without setting a new boolean flag which is ignored by the default implementation.

I am not arguing about more flexibility in the configuration of cipher selection. If you have a smarter JSSE implementation then this is also good. I think both don't need an additional boolean switch.

If the JDK JSSE implementation will offer different server side strategies to pick the cipher it would be most helpful to have a (string) option to specify the strategy. This option name can be standardized and others then can pick it up as well. You could even specify "RFC" and "ServerOrder" as the two mandatory supported options.

Greetings
Bernd
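As an added illustration of the two strategies the mail proposes (not code from the mail, the thread, or the JDK): the small Java class below models "RFC" as "honor the client's ClientHello order" and "ServerOrder" as "honor the server's configured order", which is this example's reading of the two names, not a definition the mail gives. It also shows the knob that later JDK releases actually shipped for this, `SSLParameters.setUseCipherSuitesOrder(boolean)` (Java 8+), applied to a server socket together with an explicit, strongest-first suite list. The suite lists, the `SERVER_PREFERENCE` name and the `applyServerOrder` helper are constructed for the example; the suite strings are standard JSSE names.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import java.util.Arrays;
import java.util.List;

/**
 * Added example: models the "RFC" and "ServerOrder" selection strategies
 * discussed in the mail and shows how to pin server order with JSSE (Java 8+).
 */
public final class CipherSelection {

    /** Strategy names as proposed in the mail; the semantics are this example's reading of them. */
    public static final String STRATEGY_RFC = "RFC";                  // first suite in the client's order that the server enables
    public static final String STRATEGY_SERVER_ORDER = "ServerOrder"; // first suite in the server's order that the client offered

    /**
     * Constructed server-side list, strongest first. The trailing RSA/CBC suite stands in for
     * a legacy suite that was left enabled for compatibility.
     */
    public static final List<String> SERVER_PREFERENCE = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA");

    /**
     * Picks the suite to negotiate. Returns null when there is no common suite
     * (a real server would then send handshake_failure).
     */
    public static String chooseSuite(String strategy, List<String> clientOffered, List<String> serverEnabled) {
        final List<String> outer;
        final List<String> inner;
        if (STRATEGY_SERVER_ORDER.equals(strategy)) {
            outer = serverEnabled;   // server order wins
            inner = clientOffered;
        } else if (STRATEGY_RFC.equals(strategy)) {
            outer = clientOffered;   // client order wins
            inner = serverEnabled;
        } else {
            throw new IllegalArgumentException("unknown cipher selection strategy: " + strategy);
        }
        for (String suite : outer) {
            if (inner.contains(suite)) {
                return suite;
            }
        }
        return null;
    }

    /**
     * Hypothetical hardening helper: restricts the enabled suites to SERVER_PREFERENCE and
     * makes the server's order authoritative. setUseCipherSuitesOrder exists since Java 8.
     */
    public static void applyServerOrder(SSLServerSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setCipherSuites(SERVER_PREFERENCE.toArray(new String[0]));
        params.setProtocols(new String[] {"TLSv1.2"});
        params.setUseCipherSuitesOrder(true);
        socket.setSSLParameters(params);
    }

    public static void main(String[] args) {
        // Constructed ClientHello order: a client that lists the legacy suite first.
        List<String> clientOffered = Arrays.asList(
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

        // "RFC": the client's first choice is honored -> TLS_RSA_WITH_AES_128_CBC_SHA
        System.out.println("RFC         -> " + chooseSuite(STRATEGY_RFC, clientOffered, SERVER_PREFERENCE));
        // "ServerOrder": the server's first common suite wins -> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        System.out.println("ServerOrder -> " + chooseSuite(STRATEGY_SERVER_ORDER, clientOffered, SERVER_PREFERENCE));
    }
}
```

The two runs in `main` make the point of the thread concrete: with the legacy suite still enabled, a client-order policy lets the client land on it, while server order negotiates the strongest common suite. Removing the legacy suite from `SERVER_PREFERENCE` makes both strategies agree, which is the "just disable it" option the mail argues for.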
