On 5/16/2019 10:31 AM, Martin Balao wrote:
Hi Xuelei,

Thanks for your feedback.

We can move the supported ciphersuites check to
SSLContextImpl.getApplicableCipherSuites method and affect the default
list of enabled ciphersuites only. This list is set at SSLContextImpl
initialization time, so the performance is not impacted.
It is out of my expectation. However, SSLContextImpl initialization is an impact point we may want to consider (i.e., the loading performance impact). For better understanding, would you mind describing what performance you are testing for? Or the logic for the benchmark below?

I would appreciate it if you could benchmark the SSLContext loading performance as well.

Thanks,
Xuelei


On the other
hand, there are a couple of limitations: 1) if the user explicitly sets
the list of enabled ciphersuites (by calling
SSLSocket/SSLEngine.setEnabledCipherSuites), that overwrites the default
list; and 2) if there are changes in the list of enabled security
providers after SSLContextImpl is initialized, they won't be considered.
I believe we can live with both limitations -and there is an improvement
over not checking at all-, and remove the check from
HandshakeContext.getActiveCipherSuites which was causing performance
impact as it was executed per handshake negotiation.

Here is Webrev.01:

  * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/8223482.webrev.01/

Benchmarks for Webrev.01:

  * http://cr.openjdk.java.net/~mbalao/webrevs/8223482/benchmark_results_v1

Benchmarks summary:

WITH Webrev.00:

Benchmark                                      (testMode)   Mode  Cnt    Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  202.215 ±  3.343  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  428.161 ± 11.767  ops/s

WITH Webrev.01:

Benchmark                                      (testMode)   Mode  Cnt    Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  214.637 ±  1.756  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  619.737 ± 10.942  ops/s

WITHOUT Webrev.01:

Benchmark                                      (testMode)   Mode  Cnt    Score    Error  Units
SupportedCiphersuites.test_TLS12Communication        FIPS  thrpt   10  199.620 ±  3.795  ops/s
SupportedCiphersuites.test_TLS12Communication    NON_FIPS  thrpt   10  592.222 ± 15.944  ops/s

Thoughts?

Thanks,
Martin.-
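
Limitation 1 above, seen from the application side, as an added example that is not part of this thread or of the webrev: an explicit setEnabledCipherSuites call replaces the default list, so any filtering applied to the defaults at SSLContextImpl initialization no longer constrains the engine. The class EnabledSuitesCheck and the helper restrictToDefaults are hypothetical names; the sketch uses only public JSSE API and assumes that whatever check the JDK performs is reflected in the engine's default enabled list.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class EnabledSuitesCheck {

    // Hypothetical helper: keep only the requested suites that the context
    // enabled by default, preserving the caller's preference order.
    static String[] restrictToDefaults(String[] requested, String[] defaults) {
        Set<String> allowed = new HashSet<>(Arrays.asList(defaults));
        List<String> kept = new ArrayList<>();
        for (String suite : requested) {
            if (allowed.contains(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();

        // Default list: computed by the context, before any application call.
        String[] defaults = engine.getEnabledCipherSuites();
        String[] supported = engine.getSupportedCipherSuites();
        System.out.println("default enabled: " + defaults.length
                + ", supported: " + supported.length);

        // Constructed request: an application that enables every supported
        // suite. This overwrites the default list, as limitation 1 describes.
        engine.setEnabledCipherSuites(supported);
        System.out.println("after explicit set: "
                + engine.getEnabledCipherSuites().length);

        // Application-side mitigation: intersect the request with the
        // defaults before applying it, so the default-list filter still holds.
        String[] filtered = restrictToDefaults(supported, defaults);
        engine.setEnabledCipherSuites(filtered);
        System.out.println("after restricting to defaults: "
                + engine.getEnabledCipherSuites().length);
    }
}
```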
