RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite
Artur Barashev
abarashev at openjdk.org
Tue Nov 5 14:03:09 UTC 2024
On Sat, 2 Nov 2024 19:48:09 GMT, David Schlosnagle <duke at openjdk.org> wrote:
>> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to disable algorithms that affect both the key exchange and authentication parts of a TLS cipher suite. For example, if you add "RSA" to the jdk.tls.disabledAlgorithms security property, it disables all cipher suites that use RSA, whether it is for key exchange or authentication. If you only want to disable cipher suites that use RSA for key exchange, the only workaround is to list the whole cipher suite name, so an exact match is done, but if there are many cipher suites that use that key exchange algorithm, this becomes cumbersome.
>
> src/java.base/share/classes/sun/security/util/AbstractAlgorithmConstraints.java line 91:
>
>> 89: // Wild card matching
>> 90: for (String p : algorithms) {
>> 91: if (Pattern.compile(p.replace("*", ".*"), Pattern.CASE_INSENSITIVE)
>
> What is the performance impact of this change in terms of both allocations and duration of compiling and matching this regex on overall handshake?
>
> My sense is that this is going to be very expensive for TLS connection overhead.
Good point, thanks! This is just a proof of concept draft at this point. We'll work on optimization if we decide to go with this design.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21841#discussion_r1827966575
More information about the security-dev
mailing list