RFR 8223482: Unsupported ciphersuites may be offered by a TLS client
Martin Balao
mbalao at redhat.com
Thu May 16 17:31:20 UTC 2019
Hi Xuelei,
Thanks for your feedback.
We can move the supported ciphersuites check to
SSLContextImpl.getApplicableCipherSuites method and affect the default
list of enabled ciphersuites only. This list is set in SSLContextImpl
initialization time, so the performance is not impacted. On the other
hand, there are a couple of limitations: 1) if the user explicitly sets
the list of enabled ciphersuites (by calling
SSLSocket/SSLEngine.setEnabledCipherSuites), that overwrites the default
list; and 2) if there are changes in the list of enabled security
providers after SSLContextImpl is initialized, they won't be considered.
I believe we can live with both limitations -and there is an improvement
over not checking at all-, and remove the check from
HandshakeContext.getActiveCipherSuites which was causing performance
impact as it was executed per handshake negotiation.
Here it's Webrev.01:
* http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.webrev.01/
Benchmarks for Webrev.01:
* http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v1
Benchmarks summary:
WITH Webrev.00:
Benchmark (testMode) Mode Cnt
Score Error Units
SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10
202.215 ± 3.343 ops/s
SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10
428.161 ± 11.767 ops/s
WITH Webrev.01:
Benchmark (testMode) Mode Cnt
Score Error Units
SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10
214.637 ± 1.756 ops/s
SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10
619.737 ± 10.942 ops/s
WITHOUT Webrev.01:
Benchmark (testMode) Mode Cnt
Score Error Units
SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10
199.620 ± 3.795 ops/s
SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10
592.222 ± 15.944 ops/s
Thoughts?
Thanks,
Martin.-
More information about the security-dev
mailing list