From 58faca9e093749ee2c6101ab7b79f21d817d0e52 Mon Sep 17 00:00:00 2001
From: Greg Wilkins <gregw@intalio.com>
Date: Wed, 31 Dec 2014 15:45:08 +0100
Subject: [PATCH] 430951 Improved ordering of SSL ciphers

---
 .../eclipse/jetty/util/ssl/SslContextFactory.java   | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 9ed0879499d..79ac67b6c47 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -41,6 +41,7 @@ import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.CopyOnWriteArraySet;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -121,7 +122,7 @@ public class SslContextFactory extends AbstractLifeCycle
     /** Excluded cipher suites. */
     private final Set<String> _excludeCipherSuites = new LinkedHashSet<>();
     /** Included cipher suites. */
-    private Set<String> _includeCipherSuites = null;
+    private List<String> _includeCipherSuites = null;
 
     /** Keystore path. */
     private String _keyStorePath;
@@ -428,7 +429,7 @@ public class SslContextFactory extends AbstractLifeCycle
     public void setIncludeCipherSuites(String... cipherSuites)
     {
         checkNotStarted();
-        _includeCipherSuites = new LinkedHashSet<>(Arrays.asList(cipherSuites));
+        _includeCipherSuites = new CopyOnWriteArrayList<>(Arrays.asList(cipherSuites));
     }
 
     /**
@@ -1073,7 +1074,7 @@ public class SslContextFactory extends AbstractLifeCycle
      */
     public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
     {
-        Set<String> selected_ciphers = new CopyOnWriteArraySet<>();
+        List<String> selected_ciphers = new CopyOnWriteArrayList<>(); // TODO is this the most efficient?
 
         // Set the starting ciphers - either from the included or enabled list
         if (_includeCipherSuites!=null)
@@ -1083,13 +1084,15 @@ public class SslContextFactory extends AbstractLifeCycle
 
         removeExcludedCipherSuites(selected_ciphers);
 
+        // TODO could we cache these results?
         return selected_ciphers.toArray(new String[selected_ciphers.size()]);
     }
 
-    private void processIncludeCipherSuites(String[] supportedCipherSuites, Set<String> selected_ciphers)
+    private void processIncludeCipherSuites(String[] supportedCipherSuites, List<String> selected_ciphers)
     {
         for (String cipherSuite : _includeCipherSuites)
         {
+            // TODO precompile these patterns to make accepting faster
             Pattern p = Pattern.compile(cipherSuite);
             for (String supportedCipherSuite : supportedCipherSuites)
             {
@@ -1100,7 +1103,7 @@ public class SslContextFactory extends AbstractLifeCycle
         }
     }
 
-    private void removeExcludedCipherSuites(Set<String> selected_ciphers)
+    private void removeExcludedCipherSuites(List<String> selected_ciphers)
     {
         for (String excludeCipherSuite : _excludeCipherSuites)
         {