Re: turn off enabled cipher suites?

David Brownell (db@Eng)
Fri, 11 Sep 1998 07:33:12 -0700

Jeff Nisewanger wrote:
>
> > I want to give my users the choice whether to enable encryption or just
> > use a clear text socket. Is there any special way to
> > setEnabledCipherSuites to some value that accomplishes this?
> > Maybe something like NULL_NULL_WITH_NULL_NULL?
>
> You may want to use javax.net.SocketFactory for this purpose.
> If your code and APIs pass around a SocketFactory instance then the
> implementation of the SocketFactory can decide what kind of sockets
> to create and how to configure their options. Code that just wants
> to create and use generic sockets can then just be programmed
> in terms of the java.net.Socket base class and either do SSL or not.

That is, have your program use a socket factory to create the
sockets ... and pass around an appropriately configured one to
address your various configurations. The default factory is
TCP-only, but you can configure an SSLSocketFactory with the
appropriate cipher suites (etc) and pass it to modules that
should use SSL layered over TCP.

Note that SSL_NULL_WITH_NULL_NULL still uses SSL record framing, in
an insecure mode; since it's insecure, it's never available for use
with application data. Also note that SSL supports authenticated cleartext
flavors (SSL_RSA_WITH_NULL_MD5 for example). You can configure a
factory to enable only those SSL flavors, if you like.

So if "cleartext" is the issue, you have several options! But
you should certainly be using a SocketFactory for any of them.

- Dave
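
The factory approach described in this message, as an added example (not code from the original post or from JSSE): one `SocketFactory` per configuration, with the SSL variants restricting the enabled cipher suites before any handshake. The names `ChannelFactories`, `Mode`, `Filtered`, `select` and `forMode` are hypothetical, and the suite list in `main` is constructed.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; class and method names are hypothetical, not from the post.
public class ChannelFactories {
    enum Mode { PLAIN_TCP, SSL_AUTH_ONLY, SSL_ENCRYPTED }

    // Drop unauthenticated suites; nullCipher=true keeps only *_WITH_NULL_* (integrity, no encryption).
    static String[] select(String[] supported, boolean nullCipher) {
        return Arrays.stream(supported)
            .filter(s -> !s.contains("_anon_") && !s.contains("NULL_WITH_NULL"))
            .filter(s -> s.contains("_WITH_NULL_") == nullCipher)
            .toArray(String[]::new);
    }

    // Callers receive a SocketFactory and program against java.net.Socket only.
    static SocketFactory forMode(Mode m) {
        if (m == Mode.PLAIN_TCP) return SocketFactory.getDefault();
        return new Filtered((SSLSocketFactory) SSLSocketFactory.getDefault(), m == Mode.SSL_AUTH_ONLY);
    }

    static final class Filtered extends SocketFactory {
        private final SSLSocketFactory ssl;
        private final boolean nullCipher;
        Filtered(SSLSocketFactory ssl, boolean nullCipher) { this.ssl = ssl; this.nullCipher = nullCipher; }

        private Socket restrict(Socket s) throws IOException {
            SSLSocket sock = (SSLSocket) s;
            String[] suites = select(sock.getSupportedCipherSuites(), nullCipher);
            // Fail closed rather than fall back to the provider's default suite list.
            if (suites.length == 0) { sock.close(); throw new IOException("no matching cipher suite"); }
            sock.setEnabledCipherSuites(suites); // set before the handshake, which starts on first I/O
            return sock;
        }
        @Override public Socket createSocket() throws IOException { return restrict(ssl.createSocket()); }
        @Override public Socket createSocket(String h, int p) throws IOException { return restrict(ssl.createSocket(h, p)); }
        @Override public Socket createSocket(InetAddress a, int p) throws IOException { return restrict(ssl.createSocket(a, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return restrict(ssl.createSocket(h, p, l, lp)); }
        @Override public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException { return restrict(ssl.createSocket(a, p, l, lp)); }
    }

    public static void main(String[] args) {
        String[] constructed = { "SSL_NULL_WITH_NULL_NULL", "SSL_RSA_WITH_NULL_MD5", // constructed sample list
            "SSL_DH_anon_WITH_RC4_128_MD5", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" };
        System.out.println("auth-only: " + Arrays.toString(select(constructed, true)));
        System.out.println("encrypted: " + Arrays.toString(select(constructed, false)));
    }
}
```

Whether any `*_WITH_NULL_*` suite is actually offered depends on the JSSE provider and its security configuration; when none is, the `SSL_AUTH_ONLY` factory throws instead of silently enabling something else.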