Mark,

On 7/9/14, 12:46 PM, Mark Thomas wrote:
> On a related topic, it would be extremely useful if the available
> ciphers were exposed through the native interface. Anyone with C skills
> fancy taking a look?
>
> My main motivation for this is that we can write a unit test that
> checks the mapping of OpenSSL ciphers to JSSE ciphers and highlights
> (by a failure) when the mapping changes (e.g. one of them adds
> support for a new cipher).

So you want to:

1. Take a cipher suite string and run it through Rémy's JSSE code
2. Take the same cipher suite string and run it through OpenSSL
3. Compare the two resulting cipher suite lists to ensure they are the
   same (barring absent ciphers in each implementation)

?

While step 2 could be done via JNI, it could also be done like this:

    System.exec("openssl ciphers <cipher suites>");

Since OpenSSL and JSSE support different sets of ciphers out of the box,
does that mean that we'll have to maintain a complicated set of allowed
inconsistencies based upon the combination of JVM and OpenSSL version?

For example, OpenSSL versions prior to 1.0.something do not have ECDHE
ciphers, and at some point they became available in JSSE. Unless you have
matching versions of both, you'll get a failure. I think it would be
fairly chaotic.

-chris
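
The comparison discussed in this message, as an added example that is not part of the original thread and is not Tomcat code. It assumes a partial OpenSSL-to-JSSE name table and a constructed sample of `openssl ciphers` output (`EXAMPLE-NEW-CIPHER` is a made-up name), and separates ciphers with no mapping (the failure Mark wants) from mapped ciphers the running JVM simply lacks (the version skew Chris describes).

```java
import java.util.*;
import javax.net.ssl.SSLContext;

public class CipherMappingCheck {
    // Partial OpenSSL -> JSSE name table; a real test needs the full mapping.
    static final Map<String, String> OPENSSL_TO_JSSE = new HashMap<>();
    static {
        OPENSSL_TO_JSSE.put("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        OPENSSL_TO_JSSE.put("ECDHE-RSA-AES256-SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
        OPENSSL_TO_JSSE.put("DHE-RSA-AES128-SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
        OPENSSL_TO_JSSE.put("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA");
    }

    /** Sorts each OpenSSL cipher into "matched", "absentInJsse" or "unmapped". */
    static Map<String, List<String>> compare(String opensslOutput, Set<String> jsseSupported) {
        Map<String, List<String>> result = new LinkedHashMap<>();
        result.put("matched", new ArrayList<>());
        result.put("absentInJsse", new ArrayList<>());
        result.put("unmapped", new ArrayList<>());
        for (String name : opensslOutput.trim().split(":")) {
            if (name.isEmpty()) continue;
            String jsse = OPENSSL_TO_JSSE.get(name);
            if (jsse == null) result.get("unmapped").add(name);           // mapping is out of date
            else if (jsseSupported.contains(jsse)) result.get("matched").add(jsse);
            else result.get("absentInJsse").add(jsse);                    // tolerated version skew
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of the colon-separated list `openssl ciphers` prints.
        String sample = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA:EXAMPLE-NEW-CIPHER\n";
        // Cipher suites the running JVM's default JSSE provider supports.
        Set<String> jsse = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        Map<String, List<String>> r = compare(sample, jsse);
        System.out.println("matched:        " + r.get("matched"));
        System.out.println("absent in JSSE: " + r.get("absentInJsse"));
        System.out.println("unmapped:       " + r.get("unmapped"));
        // Only an unmapped cipher fails the check; absences are reported, not fatal.
        if (!r.get("unmapped").isEmpty()) System.exit(1);
    }
}
```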