Package com.unboundid.util.ssl

Class TLSCipherSuiteComparator

java.lang.Object

com.unboundid.util.ssl.TLSCipherSuiteComparator

All Implemented Interfaces:

Serializable, Comparator<String>

@NotMutable
@ThreadSafety(level=COMPLETELY_THREADSAFE)
public final class TLSCipherSuiteComparator
extends Object
implements Comparator<String>, Serializable

This class provides a comparator that may be used to order TLS cipher suites from most-preferred to least-preferred. Note that its behavior is undefined for strings that are not valid TLS cipher suite names.

This comparator uses the following logic:

• Cipher suite names that end with "_SCSV" will be ordered after those that do not. These are signalling cipher suite values that indicate special capabilities and aren't really cipher suites.
• Cipher suite names that contain "_NULL" will be ordered after those that do not.
• Cipher suite names that contain "_ANON" will be ordered after those that do not.
• Cipher suite names that contain "_EXPORT" will be ordered after those that do not.
• Cipher suites will be ordered according to their prefix, as follows:
  • Suite names starting with TLS_AES_ will come first, as they are TLSv1.3 (or later) suites that use AES for bulk encryption.
  • Suite names starting with TLS_CHACHA20_ will come next, as they are TLSv1.3 (or later) suites that use the ChaCha20 stream cipher, which is less widely supported than AES.
  • Suite names starting with TLS_ECDHE_ will come next, as they use elliptic curve Diffie-Hellman key exchange with ephemeral keys, providing support for forward secrecy.
  • Suite names starting with TLS_DHE_ will come next, as they use Diffie-Hellman key exchange with ephemeral keys, also providing support for forward secrecy, but less efficient than the elliptic curve variant.
  • Suite names starting with TLS_RSA_ will come next, as they use RSA key exchange, which does not support forward secrecy, but is still considered secure.
  • Suite names starting with TLS_ but that do not match any of the above values will come next, as they are less desirable than any of the more specific TLS-based suites.
  • Suite names starting with SSL_ will come next, as they are legacy SSL-based protocols that should be considered weaker than TLS-based protocol.s
  • Suite names that do not start with TLS_ or SSL_ will come last. No such suites are expected.
• Cipher suite names that contain _AES will be ordered before those that contain _CHACHA20, as AES is a more widely supported bulk cipher than ChaCha20. Suite names that do not contain either _AES or _CHACHA20 will be ordered after those that contain _CHACHA20, as they likely use a bulk cipher that is weaker or not as widely supported.
• Cipher suites that use AES with a GCM mode will be ordered before those that use AES with a non-GCM mode. GCM (Galois/Counter Mode) uses authenticated encryption, which provides better security guarantees than non-authenticated encryption.
• Cipher suites that use AES with a 256-bit key will be ordered before those that use AES with a 128-bit key.
• Cipher suites will be ordered according to their digest algorithm, as follows:
  • Suites that use a 512-bit SHA-2 digest will come first. At present, no such suites are defined, but they may be added in the future.
  • Suites that use a 384-bit SHA-2 digest will come next.
  • Suites that use a 256-bit SHA-2 digest will come next.
  • Suites that use a SHA-1 digest will come next.
  • Suites that use any other digest algorithm will come last, as they likely use an algorithm that is weaker or not as widely supported.
• If none of the above criteria can be used to differentiate the cipher suites, then it will fall back to simple lexicographic ordering.

See Also:

• Serialized Form

Method Summary

Modifier and Type	Method	Description
int	compare(String s1, String s2)	Compares the provided strings to determine the logical order of the TLS cipher suites that they represent.
boolean	equals(Object o)	Indicates whether the provided object is logically equivalent to this TLS cipher suite comparator.
static TLSCipherSuiteComparator	getInstance()	Retrieves the singleton instance of this TLS cipher suite comparator.
int	hashCode()	Retrieves the hash code for this TLS cipher suite comparator.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.util.Comparator

reversed, thenComparing, thenComparing, thenComparing, thenComparingDouble, thenComparingInt, thenComparingLong

Method Details

getInstance

@NotNull
public static TLSCipherSuiteComparator getInstance()

Retrieves the singleton instance of this TLS cipher suite comparator.

Returns:

The singleton instance of this TLS cipher suite comparator.

compare

public int compare(@NotNull
 String s1,
 @NotNull
 String s2)

Compares the provided strings to determine the logical order of the TLS cipher suites that they represent.

Specified by:

compare in interface Comparator<String>

Parameters:

s1 - The first string to compare. It must not be null, and it should represent a valid cipher suite name.

s2 - The second string to compare. It must not be null, and it should represent a valid cipher suite name.

Returns:

A negative integer value if the first cipher suite name should be ordered before the second, a positive integer value if the first cipher suite name should be ordered after the second, or zero if the names are considered logically equivalent.

equals

public boolean equals(@Nullable
 Object o)

Indicates whether the provided object is logically equivalent to this TLS cipher suite comparator.

Specified by:

equals in interface Comparator<String>

Overrides:

equals in class Object

Parameters:

o - The object for which to make the determination.

Returns:

true if the provided object is logically equivalent to this TLS cipher suite comparator.

hashCode

public int hashCode()

Retrieves the hash code for this TLS cipher suite comparator.

Overrides:

hashCode in class Object

Returns:

The hash code for this TLS cipher suite comparator.