Make cipher suite order significant (expressing preference) for JSSE …

…to align with OpenSSL.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1677080 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/tomcat/util/net/AbstractEndpoint.java

@@ -1006,10 +1006,6 @@ public void setCiphers(String s) {
         ciphers = s;
     }
 
-    private String useServerCipherSuitesOrder = "false";
-    public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
-    public void setUseServerCipherSuitesOrder(String s) { this.useServerCipherSuitesOrder = s;}
-
     private String keyAlias = null;
     public String getKeyAlias() { return keyAlias;}
     public void setKeyAlias(String s ) { keyAlias = s;}

java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java

@@ -98,7 +98,12 @@ protected SSLEngine createSSLEngine(String sniHostName) {
         engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
         engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());
 
-        configureUseServerCipherSuitesOrder(engine);
+        // Force server cipher suite order to be honored
+        SSLParameters sslParameters = engine.getSSLParameters();
+        sslParameters.setUseCipherSuitesOrder(true);
+        // Following line may not be required. Depends if JRE takes a defensive
+        // copy. Keep the line to avoid any possible issues.
+        engine.setSSLParameters(sslParameters);
 
         return engine;
     }
@@ -112,24 +117,6 @@ public void unbind() throws Exception {
     }
 
 
-    /**
-     * Configures SSLEngine to honor cipher suites ordering based upon
-     * endpoint configuration.
-     */
-    private void configureUseServerCipherSuitesOrder(SSLEngine engine) {
-        String useServerCipherSuitesOrderStr = this
-                .getUseServerCipherSuitesOrder().trim();
-
-        SSLParameters sslParameters = engine.getSSLParameters();
-        boolean useServerCipherSuitesOrder =
-            ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
-                || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
-
-        sslParameters.setUseCipherSuitesOrder(useServerCipherSuitesOrder);
-        engine.setSSLParameters(sslParameters);
-    }
-
-
     private KeyManager[] wrap(KeyManager[] managers) {
         if (managers==null) return null;
         KeyManager[] result = new KeyManager[managers.length];

webapps/docs/config/http.xml

@@ -1158,8 +1158,8 @@
       branch.</p>
       <p>If not specified, a default (using the OpenSSL notation) of
       <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> will be used.</p>
-      <p>Note that Java does not treat the order in which ciphers are defined as
-      an order of preference. See <code>useServerCipherSuitesOrder</code>.</p>
+      <p>Note that JSSE based connectors will always be configured to treat the
+      order in which ciphers are defined as an order of preference.</p>
     </attribute>
 
     <attribute name="clientAuth" required="false">
@@ -1318,15 +1318,6 @@
       the default.</p>
      </attribute>
 
-    <attribute name="useServerCipherSuitesOrder" required="false">
-      <p>
-        Set to <code>true</code> to enforce the server's cipher order
-        (from the <code>ciphers</code> setting). Set to <code>false</code>
-        to choose the first acceptable cipher suite presented by the client.
-        Default is <code>false</code>.
-      </p>
-    </attribute>
-
   </attributes>
 
   </subsection>