RFR 8223482: Unsupported ciphersuites may be offered by a TLS client

Martin Balao mbalao at redhat.com
Wed May 15 17:30:13 UTC 2019


Hi Xuelei,

I've developed a JMH benchmark to measure the impact of Webrev.00 for
8223482.

This benchmark measures TLS renegotiations on FIPS (SunPKCS11 + NSS +
FIPS) and NON-FIPS (all security providers enabled) TLS 1.2 scenarios.

WITHOUT 8223482 FIX
============================================================

Benchmark                                      (testMode)   Mode  Cnt
 Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10
199.620 ±  3.795  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10
592.222 ± 15.944  ops/s

WITH 8223482 FIX (Webrev.00)
============================================================

Benchmark                                      (testMode)   Mode  Cnt
 Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10
202.215 ±  3.343  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10
428.161 ± 11.767  ops/s


More information:

 * Full results:
http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v0
 * Benchmark code:
http://cr.openjdk.java.net/~mbalao/webrevs/8223482/ciphersuites_benchmark_v0.tar.gz

There is a performance penalty of ~28% in NON-FIPS mode. I think I can
improve this number, with some trade-offs. Keep you posted.

Thanks,
Martin.-


More information about the security-dev mailing list