15

I'm trying to work out the order that cipher suites are returned using SSLSocketFactory.getSupportedCipherSuites() - it seems to differ between Java 1.6 & Java 1.7.

I thought this would be easy to determine but have run into a few problems. First, though, here is the code I'm using:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

SSLContext context = SSLContext.getDefault();
SSLSocketFactory sf = context.getSocketFactory();
String[] cipherSuites = sf.getSupportedCipherSuites();
```

Pretty straightforward (do correct me if I've done something stupid). So, I thought (using Eclipse) that I'd be able to step into the `getSupportedCipherSuites()` method, but it seems the source code isn't there to do that (is there a reason for that?). I found the class in jsse.jar and decompiled it using JD-Eclipse. This however gives me an abstract class and I've not been able to see the concrete implementation of the abstract class (I've discovered that the class can be set using a property "ssl.SocketFactory.provider" but this hasn't been specified in java.security). I've also not been able to determine how to turn logging on using the "javax.net.debug" property (this disappears into a native method).

Could someone point out where I'm going wrong?

Christopher Schultz
Amadeus1756
  • 1
    I guess you're new to SO, but a `getSupportedCipherSuites` tag would be far too specific. (There's a [discussion on Meta](http://meta.stackexchange.com/questions/131414/merging-ssl-tls-and-related-tags) at the moment about merging/renaming some of the SSL-related tags.) – Bruno May 07 '12 at 19:41
  • Thanks Bruno. I was just trying to use tags of keywords I'd used in searches which I guess was naive. Just had a little look at the discussion - one of those topics which seems straightforward initially but turns into something more! :-) – Amadeus1756 May 07 '12 at 20:33
  • You don't need to step into the method to see what it returns. The cipher suites have changed between Java 1.6 and 1.7, and it is easy enough to see that the methods always return the same thing per version. – user207421 May 08 '12 at 01:23
  • The other question is why do you care? The order of the cipher suites doesn't affect anything. Specifically, it doesn't express an order of preference. – user207421 Apr 27 '14 at 12:21

1 Answer

16

The lists of supported (and enabled) cipher suites are available in the SunJSSE provider documentation: for Java 6 and for Java 7. The list order does indeed differ.

I must admit I have never really paid attention to the order in the supported cipher suite list. The one that matters is the *enabled* cipher suites list.

If you're interested in the code itself, you should find it in `sun.security.ssl.SSLContextImpl` and `sun.security.ssl.CipherSuite`. Note that these classes are part of the Sun JSSE implementation and not part of the public Java API.

Regarding debugging, you'll find the required parameters in the Debugging section of the JSSE Reference Guide.

Bruno
  • Thanks Bruno. That led me to http://www.docjar.com/html/api/sun/security/ssl/SSLSocketFactoryImpl.java.html which gives me a starting point so thanks - very much appreciated. So from what you've said, the list order could well differ for (say) the IBM JDK? And the OpenJDK implementation could differ from the Sun/Oracle JDK? – Amadeus1756 May 07 '12 at 20:46
  • Yes, the order could differ with another JRE implementation (IBM for example, indeed). The OpenJDK JRE should be much closer to the Sun/Oracle JRE, since they're more or less the same code base (you may get subtle differences depending on minor release numbers). – Bruno May 07 '12 at 20:55
  • It looks like the order in the IBM JRE is fairly similar, but it seems [the IBM JRE 6 has support for TLS 1.1/1.2 and their cipher suites](http://www.ibm.com/developerworks/java/jdk/security/60/secguides/jsse2Docs/JSSE2RefGuide.html#AppA) (not available in Oracle JRE 6). – Bruno May 07 '12 at 21:18
  • 3
    "The one that matters is the *enabled* cipher suites list." - not if your purpose is (for example) to populate a set of GUI checkboxes so that the user can choose which cipher suites to enable. – slim Jan 26 '15 at 13:19
  • @slim, good point, I can't remember what I had in mind back then, but I suspect I was referring to the order of the lists. – Bruno Jan 26 '15 at 13:37
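
An added example (not part of the question or the answer above): a small report that prints the provider and concrete factory class behind `SSLContext.getDefault()`, lists the supported suites in the order returned with the default-enabled ones marked, and builds an explicit enabled list instead of relying on list order. The class name `CipherSuiteReport`, the `restrict` helper and the two-suite allow-list are illustrative assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CipherSuiteReport {

    // Keep only the wanted suites this JRE actually supports, in the caller's order.
    static String[] restrict(String[] supported, List<String> wanted) {
        Set<String> available = new LinkedHashSet<String>(Arrays.asList(supported));
        List<String> result = new ArrayList<String>();
        for (String suite : wanted) {
            if (available.contains(suite)) {
                result.add(suite);
            }
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getDefault();
        SSLSocketFactory sf = context.getSocketFactory();

        // Which provider and concrete class are behind the abstract API on this JRE.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("provider     = " + context.getProvider());
        System.out.println("factory impl = " + sf.getClass().getName());

        String[] supported = sf.getSupportedCipherSuites();
        Set<String> enabled = new LinkedHashSet<String>(Arrays.asList(sf.getDefaultCipherSuites()));
        for (int i = 0; i < supported.length; i++) {
            String flag = enabled.contains(supported[i]) ? "enabled " : "disabled";
            System.out.printf("%3d  %s  %s%n", i, flag, supported[i]);
        }

        // Constructed sample allow-list; pick names from the output above for your JRE.
        List<String> wanted = Arrays.asList(
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA");
        SSLParameters params = context.getDefaultSSLParameters();
        params.setCipherSuites(restrict(supported, wanted));
        System.out.println("would enable: " + Arrays.toString(params.getCipherSuites()));
    }
}
```

Running it under each JRE and diffing the output shows exactly where the lists differ; the resulting `SSLParameters` can be applied to a socket with `SSLSocket.setSSLParameters`.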