Fix Version/s: 13
Compatibility Risk Description: The compatibility risk should be minimal as no matter which preference is used, the selected cipher suite is supported by both the client and server side.
Interface Kind: Java API
Propose to use server cipher suite preference by default for TLS handshaking in the SunJSSE provider.
In TLS protocols, a cipher suite defines a series of security parameters. In general, both client and server support multiple cipher suites.
During the handshake, the client side requests to negotiate one of them. In the client request, the cipher suites are listed in descending order of client preference.
Then the server side selects one cipher suite from the list. The selection may honor either the client's requested preference or the server's own preference, as configured with the SSLParameters.setUseCipherSuitesOrder() method.
In the SunJSSE provider, the server honors the client cipher suite preference by default. Using the server cipher suite preference is easier to maintain, and it gives the server more control over the security parameters of TLS connections.
Update the SunJSSE provider implementation to use server side cipher suite preference by default. Applications can change the behavior with the existing SSLParameters.setUseCipherSuitesOrder() method.
Note that this update impacts the SunJSSE provider only. There is no impact on the behavior and specification of SSLParameters.
See "Solution" section.