On Tue, 12 Apr 2022 11:28:12 GMT, Daniel Jeliński <[email protected]> wrote:
> During TLS handshake, hundreds of constraints are evaluated to determine
> which cipher suites are usable. Most of the evaluations are performed using
> `HandshakeContext#algorithmConstraints` object. By default that object
> contains a `SSLAlgorithmConstraints` instance wrapping another
> `SSLAlgorithmConstraints` instance. As a result the constraints defined in
> `SSLAlgorithmConstraints` are evaluated twice.
>
> This PR improves the default case; if the user-specified constraints are left
> at defaults, we use a single `SSLAlgorithmConstraints` instance, and avoid
> duplicate checks.
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line
73:
> 71:
> 72: static AlgorithmConstraints wrap(AlgorithmConstraints
> userSpecifiedConstraints) {
> 73: if (userSpecifiedConstraints == DEFAULT) {
Just thinking out loud: It seems all this does when `userSpecifiedConstraints`
is a `SSLAlgorithmConstraints` is force the `enableX509..` flag to `true`. So
in addition to the obvious thing for `DEFAULT`, you could also return `DEFAULT`
for `DEFAULT_SSL_ONLY`. Or more generally: if `userSpecifiedConstraints
instanceof SSLAlgorithmConstraints` then you could either return
`userSpecifiedConstraints` as-is if `enabledX509DisabledAlgConstraints` is
`true` or else return a clone of it with `enabledX509DisabledAlgConstraints`
set to `true`.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8199
