Package com.unboundid.util.ssl
Class TLSCipherSuiteComparator
- java.lang.Object
-
- com.unboundid.util.ssl.TLSCipherSuiteComparator
-
- All Implemented Interfaces:
java.io.Serializable
,java.util.Comparator<java.lang.String>
@NotMutable @ThreadSafety(level=COMPLETELY_THREADSAFE) public final class TLSCipherSuiteComparator extends java.lang.Object implements java.util.Comparator<java.lang.String>, java.io.Serializable
This class provides a comparator that may be used to order TLS cipher suites from most-preferred to least-preferred. Note that its behavior is undefined for strings that are not valid TLS cipher suite names.
This comparator uses the following logic:- Cipher suite names that end with "_SCSV" will be ordered after those that do not. These are signalling cipher suite values that indicate special capabilities and aren't really cipher suites.
-
Cipher suites will be ordered according to their prefix, as follows:
- Suite names starting with TLS_AES_ will come first, as they are TLSv1.3 (or later) suites that use AES for bulk encryption.
- Suite names starting with TLS_CHACHA20_ will come next, as they are TLSv1.3 (or later) suites that use the ChaCha20 stream cipher, which is less widely supported than AES.
- Suite names starting with TLS_ECDHE_ will come next, as they use elliptic curve Diffie-Hellman key exchange with ephemeral keys, providing support for forward secrecy.
- Suite names starting with TLS_DHE_ will come next, as they use Diffie-Hellman key exchange with ephemeral keys, also providing support for forward secrecy, but less efficient than the elliptic curve variant.
- Suite names starting with TLS_RSA_ will come next, as they use RSA key exchange, which does not support forward secrecy, but is still considered secure.
- Suite names starting with TLS_ but that do not match any of the above values will come next, as they are less desirable than any of the more specific TLS-based suites.
- Suite names starting with SSL_ will come next, as they are legacy SSL-based protocols that should be considered weaker than TLS-based protocol.s
- Suite names that do not start with TLS_ or SSL_ will come last. No such suites are expected.
- Cipher suite names that contain _AES will be ordered before those that contain _CHACHA20, as AES is a more widely supported bulk cipher than ChaCha20. Suite names that do not contain either _AES or _CHACHA20 will be ordered after those that contain _CHACHA20, as they likely use a bulk cipher that is weaker or not as widely supported.
- Cipher suites that use AES with a GCM mode will be ordered before those that use AES with a non-GCM mode. GCM (Galois/Counter Mode) uses authenticated encryption, which provides better security guarantees than non-authenticated encryption.
- Cipher suites that use AES with a 256-bit key will be ordered before those that use AES with a 128-bit key.
-
Cipher suites will be ordered according to their digest algorithm, as
follows:
- Suites that use a 512-bit SHA-2 digest will come first. At present, no such suites are defined, but they may be added in the future.
- Suites that use a 384-bit SHA-2 digest will come next.
- Suites that use a 256-bit SHA-2 digest will come next.
- Suites that use a SHA-1 digest will come next.
- Suites that use any other digest algorithm will come last, as they likely use an algorithm that is weaker or not as widely supported.
- If none of the above criteria can be used to differentiate the cipher suites, then it will fall back to simple lexicographic ordering.
- See Also:
- Serialized Form
-
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description int
compare(java.lang.String s1, java.lang.String s2)
Compares the provided strings to determine the logical order of the TLS cipher suites that they represent.boolean
equals(java.lang.Object o)
Indicates whether the provided object is logically equivalent to this TLS cipher suite comparator.static TLSCipherSuiteComparator
getInstance()
Retrieves the singleton instance of this TLS cipher suite comparator.int
hashCode()
Retrieves the hash code for this TLS cipher suite comparator.
-
-
-
Method Detail
-
getInstance
public static TLSCipherSuiteComparator getInstance()
Retrieves the singleton instance of this TLS cipher suite comparator.- Returns:
- The singleton instance of this TLS cipher suite comparator.
-
compare
public int compare(java.lang.String s1, java.lang.String s2)
Compares the provided strings to determine the logical order of the TLS cipher suites that they represent.- Specified by:
compare
in interfacejava.util.Comparator<java.lang.String>
- Parameters:
s1
- The first string to compare. It must not benull
, and it should represent a valid cipher suite name.s2
- The second string to compare. It must not benull
, and it should represent a valid cipher suite name.- Returns:
- A negative integer value if the first cipher suite name should be ordered before the second, a positive integer value if the first cipher suite name should be ordered after the second, or zero if the names are considered logically equivalent.
-
equals
public boolean equals(java.lang.Object o)
Indicates whether the provided object is logically equivalent to this TLS cipher suite comparator.- Specified by:
equals
in interfacejava.util.Comparator<java.lang.String>
- Overrides:
equals
in classjava.lang.Object
- Parameters:
o
- The object for which to make the determination.- Returns:
true
if the provided object is logically equivalent to this TLS cipher suite comparator.
-
hashCode
public int hashCode()
Retrieves the hash code for this TLS cipher suite comparator.- Overrides:
hashCode
in classjava.lang.Object
- Returns:
- The hash code for this TLS cipher suite comparator.
-
-