Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8307964 | 17.0.8-oracle | Raymond Gallardo | P4 | Resolved | Delivered | |
JDK-8317437 | 11.0.21-oracle | Raymond Gallardo | P4 | Resolved | Delivered | |
JDK-8318050 | 8u401 | Raymond Gallardo | P4 | Resolved | Fixed | b04 |
In JDK 13, the cipher suite selection was changed to honor the server's cipher suite preference by default; see https://bugs.openjdk.org/browse/JDK-816826.
However, the JSSE guide was not updated and still says the client's preference is used. This section needs to be updated: https://docs.oracle.com/en/java/javase/20/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-EFC2FACC-680C-42CE-A3A9-E9A6673EA813
I suggest changing the last two sentences to:
"The selection honors the server's preference by default, which is the most secure setting. However, the server can choose to honor the client's preference rather than its own preference, by invoking the method SSLParameters.setUseCipherSuitesOrder(false)."
- backported by
  - JDK-8307964 Cipher Suite Preference section of JSSE guide should be updated to use server's cipher suite preference (Resolved)
  - JDK-8317437 Cipher Suite Preference section of JSSE guide should be updated to use server's cipher suite preference (Resolved)
  - JDK-8318050 Cipher Suite Preference section of JSSE guide should be updated to use server's cipher suite preference (Resolved)
- relates to
  - JDK-8168261 Use server cipher suites preference by default (Resolved)
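
The following loopback handshake shows the effect of `SSLParameters.setUseCipherSuitesOrder` discussed in the issue description above. It is an added example, not part of the issue or of the JSSE guide. The class name and the choice of the two TLS 1.3 suites are illustrative, and it assumes JDK 11 or later started with the standard `javax.net.ssl.keyStore`, `javax.net.ssl.keyStorePassword` and `javax.net.ssl.trustStore` system properties pointing at a server key whose certificate the trust store accepts.

```java
import java.util.concurrent.*;
import javax.net.ssl.*;

public class CipherSuiteOrderDemo {
    // Two standard TLS 1.3 suites, listed in opposite order by each side.
    static final String AES128 = "TLS_AES_128_GCM_SHA256";
    static final String AES256 = "TLS_AES_256_GCM_SHA384";
    static final String[] TLS13 = {"TLSv1.3"};

    /** Runs one loopback handshake and returns the suite the server negotiated. */
    static String negotiate(boolean useServerOrder) throws Exception {
        // Assumption: the default context takes its key and trust material from the
        // javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties.
        SSLContext ctx = SSLContext.getDefault();
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            SSLParameters sp = server.getSSLParameters();
            sp.setProtocols(TLS13);
            sp.setCipherSuites(new String[] {AES256, AES128}); // server prefers AES-256
            sp.setUseCipherSuitesOrder(useServerOrder);        // true is the default since JDK 13
            server.setSSLParameters(sp);

            // Server side of the handshake runs on a worker thread.
            Future<String> negotiated = pool.submit(() -> {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    return s.getSession().getCipherSuite();
                }
            });

            try (SSLSocket client = (SSLSocket) ctx.getSocketFactory()
                     .createSocket("localhost", server.getLocalPort())) {
                SSLParameters cp = client.getSSLParameters();
                cp.setProtocols(TLS13);
                cp.setCipherSuites(new String[] {AES128, AES256}); // client prefers AES-128
                client.setSSLParameters(cp);
                client.startHandshake();
                return negotiated.get(10, TimeUnit.SECONDS);
            }
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("server order honored: " + negotiate(true));
        System.out.println("client order honored: " + negotiate(false));
    }
}
```

Comparing the two printed suites shows which side's ordering decided the selection in each run.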