5
votes

I'm using Java 1.6 and netty 3.8 for an HTTP/HTTPS server. I've done an SSL test with ssllabs.com (https://www.ssllabs.com/ssltest/analyze.html), and I got a result for cipher suites like the one below.

Cipher Suites (sorted by strength; the server has no preference)

But the result for google.com is somewhat different. https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com&s=74.125.227.148

Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)

How can I set server-side preference order for cipher suites? Does JSSE have any property or API about that?

Thanks in advance.

2 Answers

3
votes

Since Java 1.8, there is a setUseCipherSuitesOrder method on the SSLParameters class.

The way that is set depends on the server you are using. If you have access to the SSLEngine you can get the parameters, change the value, and then set the parameters back on the engine.
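
The get/change/set sequence described in this answer, as an added example that is not part of the original answer. It assumes Java 8 or later and the JVM's default `SSLContext`; the class name and the `PREFERRED` list are hypothetical and only illustrate an ordering.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ServerCipherOrder {
    // Hypothetical preference list (strongest first); choose suites per your own policy.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    };

    static SSLEngine newServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // act as the server side of the handshake

        // Keep only suites this JVM supports, preserving our order;
        // enabling an unsupported name throws IllegalArgumentException.
        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> ordered = new ArrayList<>();
        for (String suite : PREFERRED) {
            if (supported.contains(suite)) {
                ordered.add(suite);
            }
        }
        if (ordered.isEmpty()) {
            throw new IllegalStateException("No preferred cipher suite is supported by this JVM");
        }

        // Get the parameters, change them, and set them back on the engine.
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(ordered.toArray(new String[0]));
        params.setUseCipherSuitesOrder(true); // honor the local order, not the client's
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = newServerEngine(SSLContext.getDefault());
        System.out.println("Server order honored: "
                + engine.getSSLParameters().getUseCipherSuitesOrder());
        System.out.println("Enabled, in preference order: "
                + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```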

2
votes

You could try calling setEnabledCipherSuites() with an array in the desired order, but there's nothing in the JSSE documentation that suggests it will use that order as the desired order, and there's nothing in the TLS RFC 2246 that says the server is obliged to obey any particular ordering when choosing among the cipher suites suggested by the client.

EDIT: You might be better off putting an Apache HTTPD reverse proxy in front of your server and terminating the SSL there. Apache HTTPD uses OpenSSL, which lets you do exactly what you are looking for. It's also better for situations where some Webapps need client certificates and others don't, assuming you are writing Webapps of course.