Menu
I don't understand how does Java picks the most prefered cipher to use on Server Hello.
I have a Tomcat 5 configuration and I set in the SSL connector the ciphers=TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, etc
Server i.e. Java picks TLS_RSA_WITH_AES_128_CBC_SHA on Server Hello as the prefered among the client's supported. But this is not the most secure and it is not the prefered accoding to http://docs.huihoo.com/java/javase/7/technotes/guides/security/SunProviders.html#SunJSSEProvider which lists that TLS_RSA_WITH_AES_256_CBC_SHA has preference.
Then I thought it was the order in the server.xml attribute that made the difference and I put another cipher first (TLS_DHE_RSA_WITH_AES_256_CBC_SHA) which I see in the Client Hello that it is supported. But this was not selected either and TLS_RSA_WITH_AES_128_CBC_SHA was again selected.
So how does JSSE picks the cipher of preference? Is this documented somewhere? I can not figure out what's going on here.
251
The Java Secure Socket Extension (JSSE) enables secure Internet communications. It provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.
Java Secure Socket Extension (JSSE) uses both the SSL protocol and the TLS protocol to provide secure encrypted communications between your clients and servers. SSL/TLS provides a means of authenticating a server and a client to provide privacy and data integrity.
It doesn't have to. All that RFC 2246 says is "The server will select a cipher suite". Nowhere does it say it will pick the most secure, or indeed anything about how it will make that selection.
200
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
