RFR 8223482: Unsupported ciphersuites may be offered by a TLS client
Xuelei Fan
xuelei.fan at oracle.com
Mon May 20 15:35:33 UTC 2019
On 5/16/2019 10:31 AM, Martin Balao wrote:
> Hi Xuelei,
>
> Thanks for your feedback.
>
> We can move the supported ciphersuites check to
> SSLContextImpl.getApplicableCipherSuites method and affect the default
> list of enabled ciphersuites only. This list is set in SSLContextImpl
> initialization time, so the performance is not impacted.
It is out of my expectation. However, SSLContextImpl initialization is
an impact point we may want to consider (i.e., the loading performance
impact). For better understanding, would you mind describing what
performance you are testing for? Or the logic for the benchmark below?
I would appreciate it if you could benchmark the SSLContext loading
performance as well.
Thanks,
Xuelei
> On the other
> hand, there are a couple of limitations: 1) if the user explicitly sets
> the list of enabled ciphersuites (by calling
> SSLSocket/SSLEngine.setEnabledCipherSuites), that overwrites the default
> list; and 2) if there are changes in the list of enabled security
> providers after SSLContextImpl is initialized, they won't be considered.
> I believe we can live with both limitations (and there is an improvement
> over not checking at all), and remove the check from
> HandshakeContext.getActiveCipherSuites, which was causing a performance
> impact as it was executed per handshake negotiation.
>
> Here it's Webrev.01:
>
> * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.webrev.01/
>
> Benchmarks for Webrev.01:
>
> * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v1
>
> Benchmarks summary:
>
> WITH Webrev.00:
>
> Benchmark                                      (testMode)  Mode   Cnt    Score    Error  Units
> SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  202.215 ±  3.343  ops/s
> SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  428.161 ± 11.767  ops/s
>
> WITH Webrev.01:
>
> Benchmark                                      (testMode)  Mode   Cnt    Score    Error  Units
> SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  214.637 ±  1.756  ops/s
> SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  619.737 ± 10.942  ops/s
>
> WITHOUT Webrev.01:
>
> Benchmark                                      (testMode)  Mode   Cnt    Score    Error  Units
> SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  199.620 ±  3.795  ops/s
> SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  592.222 ± 15.944  ops/s
>
> Thoughts?
>
> Thanks,
> Martin.-
>
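As an added illustration (not part of the review thread or of Martin's webrev), the following Java program performs at application level the kind of check the patch discussion is about: it takes the suites a client would offer by default, tests whether the installed JCA/JCE providers can actually execute each suite's key exchange, bulk cipher and hash, and then narrows the offered list to the verified subset through SSLParameters.setCipherSuites. The class name and the name-based mapping from suite-name tokens to JCE algorithm names are constructed here as a simplification and are not the JDK's internal mechanism; in a provider configuration that lacks some primitives (the FIPS case in the benchmarks above), the filtered list is what keeps the client from offering a suite it cannot complete.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Constructed example: application-level availability check for TLS cipher suites.
// The token-to-algorithm tables are a simplification chosen for this illustration.
public class CipherSuiteAvailabilityCheck {

    // Bulk-cipher token (between "_WITH_" and the final hash token) -> JCE transformation.
    private static final Map<String, String> BULK_CIPHERS = Map.of(
            "AES_128_GCM", "AES/GCM/NoPadding",
            "AES_256_GCM", "AES/GCM/NoPadding",
            "AES_128_CBC", "AES/CBC/NoPadding",
            "AES_256_CBC", "AES/CBC/NoPadding",
            "CHACHA20_POLY1305", "ChaCha20-Poly1305",
            "3DES_EDE_CBC", "DESede/CBC/NoPadding");

    // Final hash token -> MessageDigest algorithm backing the MAC / PRF.
    private static final Map<String, String> HASHES = Map.of(
            "SHA", "SHA-1",
            "SHA256", "SHA-256",
            "SHA384", "SHA-384");

    // True if the key-exchange token names a primitive an installed provider offers.
    private static boolean keyExchangeAvailable(String kx) {
        try {
            switch (kx) {
                case "ECDHE": case "ECDH":
                    KeyAgreement.getInstance("ECDH"); return true;
                case "DHE": case "DH":
                    KeyAgreement.getInstance("DiffieHellman"); return true;
                case "RSA":
                    Cipher.getInstance("RSA/ECB/PKCS1Padding"); return true;
                default:
                    return false; // unknown, anonymous or NULL key exchange: treat as unsupported
            }
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    private static boolean bulkCipherAvailable(String bulk) {
        String transformation = BULK_CIPHERS.get(bulk);
        if (transformation == null) return false;
        try { Cipher.getInstance(transformation); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    private static boolean hashAvailable(String hash) {
        String algorithm = HASHES.get(hash);
        if (algorithm == null) return false;
        try { MessageDigest.getInstance(algorithm); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    // Parses TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 style) or
    // TLS_AES_128_GCM_SHA256 (TLS 1.3 style, no key-exchange part) and checks each part.
    // Unknown tokens are treated as unsupported, which is the safe default.
    static boolean isSupported(String suite) {
        if (suite.endsWith("_SCSV")) return true;      // signaling value, not a real suite
        if (!suite.startsWith("TLS_")) return false;
        String body = suite.substring(4);
        String kxPart = null;
        String cipherPart = body;
        int with = body.indexOf("_WITH_");
        if (with >= 0) {
            kxPart = body.substring(0, with);
            cipherPart = body.substring(with + "_WITH_".length());
        }
        int split = cipherPart.lastIndexOf('_');
        if (split < 0) return false;
        String bulk = cipherPart.substring(0, split);
        String hash = cipherPart.substring(split + 1);
        if (kxPart != null) {
            // First token is the key exchange; the rest (RSA, ECDSA, ...) is authentication.
            if (!keyExchangeAvailable(kxPart.split("_")[0])) return false;
        }
        return bulkCipherAvailable(bulk) && hashAvailable(hash);
    }

    // Returns the suites from the enabled list that fail the availability check.
    static List<String> findUnsupported(String[] enabled) {
        List<String> bad = new ArrayList<>();
        for (String s : enabled) if (!isSupported(s)) bad.add(s);
        return bad;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] enabled = engine.getEnabledCipherSuites();
        List<String> unsupported = findUnsupported(enabled);
        System.out.println("enabled by default: " + enabled.length);
        System.out.println("failing availability check: " + unsupported);

        // Mitigation: offer only the verified suites. This goes through setCipherSuites,
        // so it applies regardless of what the provider-dependent default list contains.
        List<String> keep = new ArrayList<>(List.of(enabled));
        keep.removeAll(unsupported);
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(keep.toArray(new String[0]));
        engine.setSSLParameters(params);
        System.out.println("offered after filtering: " + keep.size());
    }
}
```

The check runs once when the engine is configured rather than per handshake, which is the same cost trade-off the thread makes by moving the filtering into SSLContextImpl initialization. Because it calls setCipherSuites explicitly, it also sidesteps the second limitation Martin lists: if providers change after the context is created, rerunning findUnsupported on a fresh engine picks up the new state.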