On Wed, 13 Apr 2022 06:45:20 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> During TLS handshake, hundreds of constraints are evaluated to determine
>> which cipher suites are usable. Most of the evaluations are performed using
>> `HandshakeContext#algorithmConstraints` object. By default that object
>> contains a `SSLAlgorithmConstraints` instance wrapping another
>> `SSLAlgorithmConstraints` instance. As a result the constraints defined in
>> `SSLAlgorithmConstraints` are evaluated twice.
>>
>> This PR improves the default case; if the user-specified constraints are
>> left at defaults, we use a single `SSLAlgorithmConstraints` instance, and
>> avoid duplicate checks.
>
> src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
> line 72:
>
>> 70: }
>> 71:
>> 72: static AlgorithmConstraints wrap(AlgorithmConstraints
>> userSpecifiedConstraints) {
>
> I may update all of the constructors so that the accumulation of the
> reference of userSpecifiedConstraints could be avoid further.
>
>
> - this.userSpecifiedConstraints = userSpecifiedConstraints;
> + this.userSpecifiedConstraints = userSpecifiedConstraints == DEFAULT ?
> + null : userSpecifiedConstraints;
>
>
>
> Similar update could be placed in the getUserSpecifiedConstraints()
> implementation.
Thanks @XueleiFan for the review!
If we do that, this will result in a behavior change for cases where
`enabledX509DisabledAlgConstraints` = false; is that okay? Or should we set
`enabledX509DisabledAlgConstraints` = true if `userSpecifiedConstraints ==
DEFAULT`?
-------------
PR: https://git.openjdk.java.net/jdk/pull/8199
