RFR: 8341964: Add mechanism to disable different parts of TLS cipher suite
Artur Barashev
abarashev at openjdk.org
Tue Nov 5 14:03:09 UTC 2024
On Mon, 4 Nov 2024 15:53:21 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/util/AbstractAlgorithmConstraints.java line 91:
>>
>>> 89: // Wild card matching
>>> 90: for (String p : algorithms) {
>>> 91: if (Pattern.compile(p.replace("*", ".*"), Pattern.CASE_INSENSITIVE)
>>
>> What is the performance impact of this change in terms of both allocations and duration of compiling and matching this regex on overall handshake?
>>
>> My sense is that this is going to be very expensive for TLS connection overhead.
>
> Good point, thanks! This is just a proof of concept draft at this point. We'll work on optimization if we decide to go with this design.
`DisabledAlgorithmConstraints` already caches the results of the `checkAlgorithm` call, so we should have no performance impact after the 1st handshake.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21841#discussion_r1829354446
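
An added example illustrating the trade-off discussed in this thread, not code from the PR or the JDK: a matcher that compiles each wildcard entry once and caches the per-name result, so regex work happens only the first time a name is checked. The class name, the sample entries and the assumption that checked names come from a fixed local list of supported suites are assumptions of this example.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Hypothetical class, not JDK code: wildcard matching of disabled algorithm
// names with patterns compiled once and per-name results cached.
public class WildcardAlgorithmMatcher {
    private final List<Pattern> patterns;
    // Assumption: names checked come from the provider's own list of supported
    // suites, so the cache is bounded. Cap it if peers can supply the names.
    private final Map<String, Boolean> cache = new ConcurrentHashMap<>();

    public WildcardAlgorithmMatcher(List<String> disabled) {
        // Compile each entry at construction instead of on every check.
        this.patterns = disabled.stream()
                .map(WildcardAlgorithmMatcher::compile)
                .collect(Collectors.toList());
    }

    // Quote every literal segment so that only '*' acts as a wildcard;
    // other regex metacharacters in an entry are matched literally.
    private static Pattern compile(String wildcard) {
        String[] parts = wildcard.split("\\*", -1);
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) re.append(".*");
            re.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(re.toString(), Pattern.CASE_INSENSITIVE);
    }

    public boolean isDisabled(String algorithm) {
        // Normalize the key so differently cased names share one cache entry.
        return cache.computeIfAbsent(algorithm.toUpperCase(Locale.ROOT),
                name -> patterns.stream().anyMatch(p -> p.matcher(name).matches()));
    }

    public static void main(String[] args) {
        // Constructed sample entries and suite names.
        WildcardAlgorithmMatcher m =
                new WildcardAlgorithmMatcher(List.of("TLS_RSA_*", "*_CBC_*"));
        for (String s : List.of("TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_AES_128_GCM_SHA256")) {
            System.out.println(s + " disabled=" + m.isDisabled(s));
        }
    }
}
```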