SSLSocketFactory provides getDefaultCipherSuites (ciphers that are enabled by default on sockets) and getSupportedCipherSuites (ciphers that can be enabled, if desired).

However, SSLSocketFactory does not offer setEnabledCipherSuites to configure the cipher list once to provide the preference on subsequent sockets.

In fact, I think making setEnabledCipherSuites part of SSLSocket really complicates wok flows. For example, HttpsURLConnection does not provide a getSocket, and it really breaks this flow:

SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManager.getTrustManagers(), null);

HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();

I think the same can be said about SSLContext since it has methods like getDefaultSSLParameters and getSupportedSSLParameters.

I’m trying to come up with a sound security engineering reason for the (in)ability, but I can’t. Perhaps there’s a software engineering reason for the decision. (I suspect there’s a good reason, and I lack the insight to see it at the moment).

Why does Java lack the ability to configure the SSLSocketFactory? Its clearly a design decision, and I’m trying to understand why it was made at the expense of security in a relevant portion of the library.