Withdrawn: 8272875: Change the default key manager to PKIX
Artur Barashev
abarashev at openjdk.org
Fri Jun 20 13:42:36 UTC 2025
On Fri, 18 Apr 2025 17:04:56 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> The current key manager is SunX509, which is configured in the java.security. The SunX509 algorithm does not check the local certificate. The PKIX algorithm should be preferred now so that the default key manager could be more robust.
>
> Compatibility considerations:
>
> 1) Customers using local certificates signed using algorithms prohibited by the default configuration (notably MD5 and SHA1) no longer will be able to use such certificates without modifying algorithm constraints in `java.security` config file.
>
> 2) Performance impact: there is about x2 performance decrease for full (non-resume) TLS handshake:
>
> **SUNX509**
> Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
> SSLHandshake.doHandshake true TLSv1.2 thrpt 15 19758.012 ± 758.237 ops/s
> SSLHandshake.doHandshake true TLS thrpt 15 1861.695 ± 14.681 ops/s
> SSLHandshake.doHandshake false TLSv1.2 thrpt 15 **1186.962** ± 12.085 ops/s
> SSLHandshake.doHandshake false TLS thrpt 15 **1056.288** ± 7.197 ops/s
> Finished running test 'micro:java.security.SSLHandshake'
>
> **PKIX**
> Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
> SSLHandshake.doHandshake true TLSv1.2 thrpt 15 19724.887 ± 393.636 ops/s
> SSLHandshake.doHandshake true TLS thrpt 15 1848.927 ± 22.946 ops/s
> SSLHandshake.doHandshake false TLSv1.2 thrpt 15 **511.684** ± 5.405 ops/s
> SSLHandshake.doHandshake false TLS thrpt 15 **490.698** ± 6.453 ops/s
> Finished running test 'micro:java.security.SSLHandshake'
This pull request has been closed without being integrated.
-------------
PR: https://git.openjdk.org/jdk/pull/24756
More information about the net-dev
mailing list