RFR 8223482: Unsupported ciphersuites may be offered by a TLS client
Xuelei Fan
xuelei.fan at oracle.com
Wed May 15 17:52:17 UTC 2019
Thanks for the benchmarking. Let's see if the impact could be minimized.
Xuelei
On 5/15/2019 10:30 AM, Martin Balao wrote:
> Hi Xuelei,
>
> I've developed a JMH benchmark to measure the impact of Webrev.00 for
> 8223482.
>
> This benchmark measures TLS renegotiations on FIPS (SunPKCS11 + NSS +
> FIPS) and NON-FIPS (all security providers enabled) TLS 1.2 scenarios.
>
> WITHOUT 8223482 FIX
> ============================================================
>
> Benchmark (testMode) Mode Cnt
> Score Error Units
> SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10
> 199.620 ± 3.795 ops/s
> SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10
> 592.222 ± 15.944 ops/s
>
> WITH 8223482 FIX (Webrev.00)
> ============================================================
>
> Benchmark (testMode) Mode Cnt
> Score Error Units
> SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10
> 202.215 ± 3.343 ops/s
> SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10
> 428.161 ± 11.767 ops/s
>
>
> More information:
>
> * Full results:
> http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v0
> * Benchmark code:
> http://cr.openjdk.java.net/~mbalao/webrevs/8223482/ciphersuites_benchmark_v0.tar.gz
>
> There is a performance penalty of ~28% in NON-FIPS mode. I think I can
> improve this number, with some trade-offs. Keep you posted.
>
> Thanks,
> Martin.-
>
More information about the security-dev
mailing list