RFR 8223482: Unsupported ciphersuites may be offered by a TLS client
Martin Balao
mbalao at redhat.com
Wed May 15 17:30:13 UTC 2019
Hi Xuelei,
I've developed a JMH benchmark to measure the impact of Webrev.00 for
8223482.
This benchmark measures TLS renegotiations on FIPS (SunPKCS11 + NSS +
FIPS) and NON-FIPS (all security providers enabled) TLS 1.2 scenarios.
WITHOUT 8223482 FIX
============================================================
Benchmark                                      (testMode)   Mode  Cnt    Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  199.620 ±  3.795  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  592.222 ± 15.944  ops/s
WITH 8223482 FIX (Webrev.00)
============================================================
Benchmark                                      (testMode)   Mode  Cnt    Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  202.215 ±  3.343  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  428.161 ± 11.767  ops/s
More information:
* Full results:
http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v0
* Benchmark code:
http://cr.openjdk.java.net/~mbalao/webrevs/8223482/ciphersuites_benchmark_v0.tar.gz
There is a performance penalty of ~28% in NON-FIPS mode. I think I can
improve this number, with some trade-offs. Keep you posted.
Thanks,
Martin.-