If I configure JSSE connector (NIO) with JSSE implementation, and explicit JSSE ciphers list, my resulting list of enabled ciphers is ordered differently from what I configured. The reason for that seems to be in method SSLUtilBase.getEnabled which creates list of enabled ciphers like this: enabled.addAll(implemented); enabled.retainAll(configured); Resulting List contains intersection between configured and implemented ciphers, but having the order of implemented ciphers, and that is not what the user wants. I guess, it should keep the order of configured ciphers, like this: enabled.addAll(configured); enabled.retainAll(implemented); Right? The second issue with cipher ordering is that OpenSSLCipherConfigurationParser.parse always returns: return defaultSort(ciphers); I am not sure what's the intention here, because defaultSort method may change user-defined cipher order. My cipher configuration: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA] defaultSort(ciphers) changes order to: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA] And getEnabled changes order to: [TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
Good catch. I've fixed both those issues for 9.0.x (9.0.0.M4 onwards). 8.0.x is only affected by the defaultSort() issue. that has been fixed for 8.0.33 onwards.