RFR 8223482: Unsupported ciphersuites may be offered by a TLS client

Xuelei Fan xuelei.fan at oracle.com
Wed May 15 17:52:17 UTC 2019


Thanks for the benchmarking.  Let's see if the impact could be minimized.

Xuelei

On 5/15/2019 10:30 AM, Martin Balao wrote:
> Hi Xuelei,
> 
> I've developed a JMH benchmark to measure the impact of Webrev.00 for
> 8223482.
> 
> This benchmark measures TLS renegotiations on FIPS (SunPKCS11 + NSS +
> FIPS) and NON-FIPS (all security providers enabled) TLS 1.2 scenarios.
> 
> WITHOUT 8223482 FIX
> ============================================================
> 
> Benchmark                                      (testMode)   Mode  Cnt    Score    Error  Units
> SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  199.620 ±  3.795  ops/s
> SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  592.222 ± 15.944  ops/s
> 
> WITH 8223482 FIX (Webrev.00)
> ============================================================
> 
> Benchmark                                      (testMode)   Mode  Cnt    Score    Error  Units
> SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  202.215 ±  3.343  ops/s
> SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  428.161 ± 11.767  ops/s
> 
> 
> More information:
> 
>   * Full results: http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v0
>   * Benchmark code: http://cr.openjdk.java.net/~mbalao/webrevs/8223482/ciphersuites_benchmark_v0.tar.gz
> 
> There is a performance penalty of ~28% in NON-FIPS mode. I think I can
> improve this number, with some trade-offs. Keep you posted.
> 
> Thanks,
> Martin.-
> 


