I don't understand how does Java picks the most prefered cipher to use on Server Hello.
I have a Tomcat 5 configuration and I set in the SSL connector the ciphers=TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, etc
Server i.e. Java picks TLS_RSA_WITH_AES_128_CBC_SHA on Server Hello as the prefered among the client's supported. But this is not the most secure and it is not the prefered accoding to http://docs.huihoo.com/java/javase/7/technotes/guides/security/SunProviders.html#SunJSSEProvider which lists that TLS_RSA_WITH_AES_256_CBC_SHA has preference.
Then I thought it was the order in the server.xml attribute that made the difference and I put another cipher first (TLS_DHE_RSA_WITH_AES_256_CBC_SHA) which I see in the Client Hello that it is supported. But this was not selected either and TLS_RSA_WITH_AES_128_CBC_SHA was again selected.
So how does JSSE picks the cipher of preference? Is this documented somewhere? I can not figure out what's going on here.
It doesn't have to. All that RFC 2246 says is "The server will select a cipher suite". Nowhere does it say it will pick the most secure, or indeed anything about how it will make that selection.