RFR 8223482: Unsupported ciphersuites may be offered by a TLS client

Martin Balao mbalao at redhat.com
Thu May 16 17:31:20 UTC 2019


Hi Xuelei,

Thanks for your feedback.

We can move the supported ciphersuites check to
SSLContextImpl.getApplicableCipherSuites method and affect the default
list of enabled ciphersuites only. This list is set in SSLContextImpl
initialization time, so the performance is not impacted. On the other
hand, there are a couple of limitations: 1) if the user explicitly sets
the list of enabled ciphersuites (by calling
SSLSocket/SSLEngine.setEnabledCipherSuites), that overwrites the default
list; and 2) if there are changes in the list of enabled security
providers after SSLContextImpl is initialized, they won't be considered.
I believe we can live with both limitations -and there is an improvement
over not checking at all-, and remove the check from
HandshakeContext.getActiveCipherSuites which was causing performance
impact as it was executed per handshake negotiation.

Here it's Webrev.01:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.webrev.01/

Benchmarks for Webrev.01:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v1

Benchmarks summary:

WITH Webrev.00:

Benchmark                                      (testMode)   Mode  Cnt
 Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10
202.215 ±  3.343  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10
428.161 ± 11.767  ops/s

WITH Webrev.01:

Benchmark                                      (testMode)   Mode  Cnt
 Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10
214.637 ±  1.756  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10
619.737 ± 10.942  ops/s

WITHOUT Webrev.01:

Benchmark                                      (testMode)   Mode  Cnt
 Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10
199.620 ±  3.795  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10
592.222 ± 15.944  ops/s

Thoughts?

Thanks,
Martin.-


More information about the security-dev mailing list