RFR: 8272875: Change the default key manager to PKIX [v3]

Artur Barashev abarashev at openjdk.org
Wed Apr 30 16:46:48 UTC 2025


On Tue, 29 Apr 2025 21:51:00 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> The current key manager is SunX509, which is configured in `java.security`. The SunX509 algorithm does not check the local certificate. The PKIX algorithm should be preferred now so that the default key manager could be more robust.
>> 
>> Compatibility considerations:
>> 
>> 1) Customers using local certificates signed using algorithms prohibited by the default configuration (notably MD5 and SHA1) no longer will be able to use such certificates without modifying algorithm constraints in `java.security` config file.
>> 
>> 2) Performance impact: there is about x2 performance decrease for full (non-resume) TLS handshake:
>> 
>> **SUNX509**
>> Benchmark                                    (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** ±   7.197  ops/s
>> Finished running test 'micro:java.security.SSLHandshake'
>> 
>> **PKIX**
>> Benchmark                                   (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19724.887 ± 393.636  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1848.927 ±  22.946  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15    **511.684** ±   5.405  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15    **490.698** ±   6.453  ops/s
>> Finished running test 'micro:java.security.SSLHandshake'
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Address review comments

I have a few points for making the change:

1. On my laptop the handshake time increased from 1ms to 2ms. So while it's a x2 increase it's not going to be noticeable.
2. I'm not 100% sure, but from what I read at least half of the TLS connections these days are of resume type, and the performance for those is unchanged. Here is a good article from Cloudflare on this topic: https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure. They set session ticket lifetime to 18h.
3. Unlike SunX509, the PKIX KeyManager checks local certificate signature algorithms against local algorithm constraints and also against peer-supported algorithms supplied by the peer. So technically we are in violation of the TLSv1.3 RFC when using SunX509 because we ignore peer-supported certificate signature schemes. Also we don't respect our own algorithm constraints in `java.security` for local certificates, which is the behavior users may expect.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/24756#issuecomment-2842610353
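
A pre-migration check for compatibility point 1 in the quoted description, added here as an example and not code from the PR or the JDK: it lists key entries whose certificate chain carries an MD5 or SHA-1 signature. Matching on the signature algorithm name is a simplification of the constraint check the PKIX key manager performs; the class name `LocalCertAudit` and the `KEYSTORE_PASS` environment variable are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import javax.net.ssl.KeyManagerFactory;

public class LocalCertAudit {
    // Simplification: name match on the digests the PR description calls out,
    // not a full evaluation of the java.security algorithm constraints.
    static boolean usesWeakDigest(String sigAlg) {
        String s = sigAlg.toUpperCase(Locale.ROOT);
        return s.contains("MD5") || s.contains("SHA1") || s.contains("SHA-1");
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KEYSTORE_PASS"); // assumed variable name
        if (args.length != 1 || pass == null) {
            System.err.println("usage: KEYSTORE_PASS=... java LocalCertAudit.java <keystore>");
            System.exit(2);
        }
        // What the runtime hands out when code asks for the default key manager.
        System.out.println("default KeyManagerFactory algorithm: "
                + KeyManagerFactory.getDefaultAlgorithm());
        for (String p : new String[] {"jdk.certpath.disabledAlgorithms",
                                      "jdk.tls.disabledAlgorithms"}) {
            System.out.println(p + " = " + Security.getProperty(p));
        }
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pass.toCharArray());
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Only key entries matter: these are the local certificates a key manager serves.
            Certificate[] chain = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias) : null;
            if (chain == null) continue;
            for (int i = 0; i < chain.length; i++) {
                if (!(chain[i] instanceof X509Certificate)) continue;
                String alg = ((X509Certificate) chain[i]).getSigAlgName();
                if (usesWeakDigest(alg)) {
                    flagged++;
                    System.out.printf("REVIEW alias=%s chain[%d] sigAlg=%s%n", alias, i, alg);
                }
            }
        }
        System.out.println(flagged + " certificate(s) need review before switching to PKIX");
        System.exit(flagged == 0 ? 0 : 1);
    }
}
```

The non-zero exit status on any flagged certificate lets the check gate a deployment pipeline ahead of a JDK upgrade.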

