undertow-io · HliasMpGH · Sep 8, 2025
diff --git a/core/src/main/java/io/undertow/UndertowOptions.java b/core/src/main/java/io/undertow/UndertowOptions.java
@@ -374,9 +374,15 @@ public class UndertowOptions {
 
     /**
      * If the SSLEngine should prefer the servers cipher version. Only applicable on JDK8+.
+     * Defaults to {@link #DEFAULT_SSL_USER_CIPHER_SUITES_ORDER}.
      */
     public static final Option<Boolean> SSL_USER_CIPHER_SUITES_ORDER = Option.simple(UndertowOptions.class, "SSL_USER_CIPHER_SUITES_ORDER", Boolean.class);
 
+    /**
+     * Default value of {@link #SSL_USER_CIPHER_SUITES_ORDER} option.
+     */
+    public static final boolean DEFAULT_SSL_USER_CIPHER_SUITES_ORDER = false;
+
     /**
      * This option forces {@link io.undertow.protocols.ssl.UndertowXnioSsl} to use a specific
      * name as the {@link javax.net.ssl.SNIHostName} for a client connection. If the option is

diff --git a/core/src/main/java/io/undertow/protocols/ssl/UndertowAcceptingSslChannel.java b/core/src/main/java/io/undertow/protocols/ssl/UndertowAcceptingSslChannel.java
@@ -95,7 +95,7 @@ class UndertowAcceptingSslChannel implements AcceptingChannel<SslConnection> {
         closeSetter = ChannelListeners.<AcceptingChannel<SslConnection>>getDelegatingSetter(tcpServer.getCloseSetter(), this);
         //noinspection ThisEscapedInObjectConstruction
         acceptSetter = ChannelListeners.<AcceptingChannel<SslConnection>>getDelegatingSetter(tcpServer.getAcceptSetter(), this);
-        useCipherSuitesOrder = optionMap.get(UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER, false);
+        useCipherSuitesOrder = optionMap.get(UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER, UndertowOptions.DEFAULT_SSL_USER_CIPHER_SUITES_ORDER);
     }
 
     private static final Set<Option<?>> SUPPORTED_OPTIONS = Option.setBuilder()

diff --git a/core/src/main/java/io/undertow/protocols/ssl/UndertowXnioSsl.java b/core/src/main/java/io/undertow/protocols/ssl/UndertowXnioSsl.java
@@ -317,7 +317,7 @@ private static SSLEngine createSSLEngine(SSLContext sslContext, OptionMap option
                 }
             }
         }
-        boolean useCipherSuitesOrder = optionMap.get(UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER, false);
+        boolean useCipherSuitesOrder = optionMap.get(UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER, UndertowOptions.DEFAULT_SSL_USER_CIPHER_SUITES_ORDER);
         if (useCipherSuitesOrder) {
             SSLParameters sslParameters = engine.getSSLParameters();
             sslParameters.setUseCipherSuitesOrder(true);