
In the Java docs it is stated that:

public final void setUseCipherSuitesOrder​(boolean honorOrder)

Sets whether the local cipher suites preference should be honored.

Parameters: honorOrder - whether local cipher suites order in #getCipherSuites should be honored during SSL/TLS/DTLS handshaking.

The order of cipher suites:

String[] cs = new String[]{
 "TLS_RSA_WITH_AES_256_GCM_SHA384",
 "TLS_RSA_WITH_AES_256_CBC_SHA256",
 "TLS_RSA_WITH_AES_256_CBC_SHA"
  };

If I set socket parameters like:

SSLServerSocket.getSSLParameters().setUseCipherSuitesOrder(true);
SSLServerSocket.setEnabledProtocols(....);
SSLServerSocket.setEnabledCipherSuites(cs);

by using # nmap -sT -p 465 host_address --script ssl-enum-ciphers.nse the result is:

PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Cipher order is still defined by the client: cipher preference: client. Is it possible to set the priority on the server side? Using JDK 12.

Ernestas Gruodis

Comments:

  • Well, the API says *should*, which is not a strict *must*. Implementing classes could argue they don't have to. This might be a reason that could explain your observation(s). – MWiesner Jul 26 '19 at 12:55
  • Thanks for the nmap snippet! This streamlined my debugging and working-things-out process quite a bit :). – Patrick Peer Jan 19 '23 at 17:50

1 Answer

The behaviour seems to have changed since JDK 12. At least with JDK 17 the order proposed by the server seems to be preferred by default. Anyway, the correct way to use the API would be:

    SSLParameters parameters = serverSocket.getSSLParameters();
    parameters.setUseCipherSuitesOrder(true);
    serverSocket.setSSLParameters(parameters);

The crucial part is to call setSSLParameters(). Where you get the SSLParameters object from is secondary.

Patrick Peer
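To make the difference between the two call patterns concrete, here is an added example (not code from the question or the answer) that creates an SSLServerSocket, applies the flag both ways and reads back what the socket actually reports. It assumes no keystore is configured, which is fine because no handshake is performed; the class name, method names and the port (0, ephemeral) are my own choices.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.io.IOException;
import java.util.Arrays;

/**
 * Demonstrates why mutating the object returned by getSSLParameters()
 * has no effect (it is a fresh copy on every call) and why the copy has
 * to be written back with setSSLParameters() to take effect.
 */
public class CipherOrderDemo {

    // Constructed list: the suites from the question, server preference first.
    static final String[] PREFERRED = {
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA"
    };

    /** Pattern from the question: the flag is set on a throw-away copy. */
    static boolean setOnCopyOnly(SSLServerSocket s) {
        s.getSSLParameters().setUseCipherSuitesOrder(true);
        // Reads a new copy, so this reports whether the flag survived (it does not).
        return s.getSSLParameters().getUseCipherSuitesOrder();
    }

    /** Pattern from the answer: modify the copy, then apply it to the socket. */
    static boolean setAndApply(SSLServerSocket s, String[] suites) {
        SSLParameters p = s.getSSLParameters();
        p.setUseCipherSuitesOrder(true);
        p.setCipherSuites(suites);   // array order is the server's preference order
        s.setSSLParameters(p);       // the crucial call: without it nothing changes
        return s.getSSLParameters().getUseCipherSuitesOrder();
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket s = (SSLServerSocket) f.createServerSocket(0)) {
            System.out.println("honour order after getSSLParameters().set...: " + setOnCopyOnly(s));
            System.out.println("honour order after setSSLParameters(...)    : " + setAndApply(s, PREFERRED));
            System.out.println("enabled suites, in preference order: "
                    + Arrays.toString(s.getEnabledCipherSuites()));
        }
    }
}
```

Once the second pattern is applied, a rerun of the ssl-enum-ciphers script from the question is the practical check that the server now reports "cipher preference: server".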