Hi Xuelei, Thanks for your feedback.
We can move the supported ciphersuites check to SSLContextImpl.getApplicableCipherSuites method and affect the default list of enabled ciphersuites only. This list is set in SSLContextImpl initialization time, so the performance is not impacted. On the other hand, there are a couple of limitations: 1) if the user explicitly sets the list of enabled ciphersuites (by calling SSLSocket/SSLEngine.setEnabledCipherSuites), that overwrites the default list; and 2) if there are changes in the list of enabled security providers after SSLContextImpl is initialized, they won't be considered. I believe we can live with both limitations -and there is an improvement over not checking at all-, and remove the check from HandshakeContext.getActiveCipherSuites which was causing performance impact as it was executed per handshake negotiation. Here it's Webrev.01: * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.webrev.01/ Benchmarks for Webrev.01: * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v1 Benchmarks summary: WITH Webrev.00: Benchmark (testMode) Mode Cnt Score Error Units SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10 202.215 ± 3.343 ops/s SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10 428.161 ± 11.767 ops/s WITH Webrev.01: Benchmark (testMode) Mode Cnt Score Error Units SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10 214.637 ± 1.756 ops/s SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10 619.737 ± 10.942 ops/s WITHOUT Webrev.01: Benchmark (testMode) Mode Cnt Score Error Units SupportedCiphersuites.test_TLS12Communication FIPS thrpt 10 199.620 ± 3.795 ops/s SupportedCiphersuites.test_TLS12Communication NON_FIPS thrpt 10 592.222 ± 15.944 ops/s Thoughts? Thanks, Martin.-