RFR: 8371333: Optimize static initialization of SSLContextImpl classes and improve logging [v7]
Sean Coffey
coffeys at openjdk.org
Tue Feb 24 12:25:56 UTC 2026
> Introduce lazy static initialization logic to SSLContextImpl via use of the new LazyConstant API and improve logging output
>
> As per JBS comments:
>
> * Each subclass of AbstractTLSContext (TLSv10. TLSv11 etc) is being initialization at framework initialization time due to the getApplicableSupportedCipherSuites(..) calls made in static block. Such calls are unnecessary if the subclass isn't required. This is especially true for the default JDK configuration where TLSv10, TLSv11 protocols are disabled. I've moved logic to lazy initialization of these fields via LazyConstant
>
> * The debug prints output never made clear what protocol version each cipher suite was being disabled for. Improved logging there
> * The debug prints never printed out the resulting set of enabled/allowed cipher suites
>
> There's efficiency gain also in having one less call to the getApplicableEnabledCipherSuites method in the scenario where customized cipher suites are not in use.
>
> example of new debug output:
>
>
> javax.net.ssl|TRACE|30|main|2025-11-26 14:31:31.997 GMT|SSLContextImpl.java:425|Ignore disabled cipher suites for protocols:[TLSv1.3, TLSv1.2]
> [TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_RSA_WITH_AES_128_CBC_SHA]
> javax.net.ssl|TRACE|30|main|2025-11-26 14:31:31.997 GMT|SSLContextImpl.java:425|Available cipher suites for protocols:[TLSv1.3, TLSv1.2]
> [TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_E...
Sean Coffey has updated the pull request incrementally with one additional commit since the last revision:
Remove verbose component from test
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/28511/files
- new: https://git.openjdk.org/jdk/pull/28511/files/ed4c5687..14086670
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=28511&range=06
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=28511&range=05-06
Stats: 7 lines in 1 file changed: 0 ins; 1 del; 6 mod
Patch: https://git.openjdk.org/jdk/pull/28511.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/28511/head:pull/28511
PR: https://git.openjdk.org/jdk/pull/28511
More information about the security-dev
mailing list