RFR: 8371333: Optimize static initialization of SSLContextImpl classes and improve logging

Sean Coffey coffeys at openjdk.org
Wed Nov 26 16:06:46 UTC 2025


Introduce lazy static initialization logic to SSLContextImpl via use of the new LazyConstant API and improve logging output.

As per JBS comments:

* Each subclass of AbstractTLSContext (TLSv10, TLSv11, etc.) is being initialized at framework initialization time due to the getApplicableSupportedCipherSuites(..) calls made in the static block. Such calls are unnecessary if the subclass isn't required. This is especially true for the default JDK configuration where the TLSv10 and TLSv11 protocols are disabled. I've moved the logic to lazy initialization of these fields via LazyConstant.

* The debug print output never made clear what protocol version each cipher suite was being disabled for. Improved logging there.
* The debug prints never printed out the resulting set of enabled/allowed cipher suites.

There's also an efficiency gain in having one less call to the getApplicableEnabledCipherSuites method in the scenario where customized cipher suites are not in use.

Example of new debug output:


javax.net.ssl|TRACE|30|main|2025-11-26 14:31:31.997 GMT|SSLContextImpl.java:425|Ignore disabled cipher suites for protocols:[TLSv1.3, TLSv1.2]
[TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA]
javax.net.ssl|TRACE|30|main|2025-11-26 14:31:31.997 GMT|SSLContextImpl.java:425|Available cipher suites for protocols:[TLSv1.3, TLSv1.2]
[TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]


Debug output for less informative logging in the past consumed about 230 lines of output. Example output below:

javax.net.ssl|TRACE|30|main|2025-11-05 11:40:31.431 GMT|SSLContextImpl.java:397|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
javax.net.ssl|DEBUG|30|main|2025-11-05 11:40:31.431 GMT|SSLContextImpl.java:388|Ignore disabled cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
javax.net.ssl|TRACE|30|main|2025-11-05 11:40:31.431 GMT|SSLContextImpl.java:397|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
javax.net.ssl|DEBUG|30|main|2025-11-05 11:40:31.432 GMT|SSLContextImpl.java:388|Ignore disabled cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA

e.g.

-------------

Commit messages:
 - use LINE_SEP
 - 8371333

Changes: https://git.openjdk.org/jdk/pull/28511/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=28511&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8371333
  Stats: 117 lines in 2 files changed: 86 ins; 19 del; 12 mod
  Patch: https://git.openjdk.org/jdk/pull/28511.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/28511/head:pull/28511

PR: https://git.openjdk.org/jdk/pull/28511
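
For anyone auditing a JVM's TLS configuration from these logs, here is a small parser for the grouped debug output shown in the message above. It is an added example, not part of the original post or of the JDK patch. The record layout is inferred from the sample in the message, the sample input is constructed, and the CBC check is only an illustrative policy.

```python
import re

# Constructed sample in the layout shown in the message (suite lists shortened).
SAMPLE = """\
javax.net.ssl|TRACE|30|main|2025-11-26 14:31:31.997 GMT|SSLContextImpl.java:425|Ignore disabled cipher suites for protocols:[TLSv1.3, TLSv1.2]
[TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA]
javax.net.ssl|TRACE|30|main|2025-11-26 14:31:31.997 GMT|SSLContextImpl.java:425|Available cipher suites for protocols:[TLSv1.3, TLSv1.2]
[TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
"""

# Header fields: logger|level|thread id|thread name|timestamp|source|message
HEADER = re.compile(
    r"^javax\.net\.ssl\|(?P<level>\w+)\|[^|]*\|[^|]*\|"
    r"(?P<ts>[^|]*)\|(?P<src>[^|]*)\|(?P<msg>.*)$")
SUITES_MSG = re.compile(
    r"^(?P<kind>Ignore disabled|Available) cipher suites for protocols:\[(?P<protos>[^\]]*)\]")

def parse_suite_records(text):
    """Return one dict per grouped record: kind, protocols, suites.
    Lines without the javax.net.ssl| prefix continue the previous record;
    other log records (such as the old per-suite lines) are skipped."""
    records, current = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            m = SUITES_MSG.match(head["msg"])
            current = None
            if m:
                protos = [p.strip() for p in m["protos"].split(",")]
                current = {"kind": m["kind"], "protocols": protos, "suites": []}
                records.append(current)
        elif current is not None:
            # Suites are comma-separated within a line and newline-separated across lines.
            current["suites"] += [s for s in re.split(r"[,\s\[\]]+", line) if s]
    return records

def audit(records):
    """Illustrative checks: CBC-mode suites still available, and suites listed as both disabled and available."""
    disabled, available = set(), set()
    for r in records:
        (available if r["kind"] == "Available" else disabled).update(r["suites"])
    cbc = sorted(s for s in available if "_CBC_" in s)
    return {"cbc_available": cbc, "overlap": sorted(disabled & available)}
```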

