[jetty-users] How to influence the "preferred cip

[Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx>]

Hallo all,

I have an embedded Jetty 9.3 server instance and am trying to control the ciphers it supports via a number of call to SslContextFactory.addExcludeCipherSuites. I have found a combination of excludes that leaves the set of ciphers I need. Among the remaining supported ciphers I have TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

When I use sslscan from the Linux command line it reports that the latter is the "preferrred server cipher". When I connect to the server with Chromium it also selects this cipher and reports "obsolete encryption". If I disable this cipher Chrome selects the first one and does not complain about obsolete encryption. But without the latter cipher there are too many (older) browsers that can not establish an SSL connection.

How can I influence what clients conceive as being a preference for specific ciphers over other ones?

Thanks,

Silvio