On Wed, 13 Apr 2022 06:45:20 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> During TLS handshake, hundreds of constraints are evaluated to determine >> which cipher suites are usable. Most of the evaluations are performed using >> `HandshakeContext#algorithmConstraints` object. By default that object >> contains a `SSLAlgorithmConstraints` instance wrapping another >> `SSLAlgorithmConstraints` instance. As a result the constraints defined in >> `SSLAlgorithmConstraints` are evaluated twice. >> >> This PR improves the default case; if the user-specified constraints are >> left at defaults, we use a single `SSLAlgorithmConstraints` instance, and >> avoid duplicate checks. > > src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java > line 72: > >> 70: } >> 71: >> 72: static AlgorithmConstraints wrap(AlgorithmConstraints >> userSpecifiedConstraints) { > > I may update all of the constructors so that the accumulation of the > reference of userSpecifiedConstraints could be avoid further. > > > - this.userSpecifiedConstraints = userSpecifiedConstraints; > + this.userSpecifiedConstraints = userSpecifiedConstraints == DEFAULT ? > + null : userSpecifiedConstraints; > > > > Similar update could be placed in the getUserSpecifiedConstraints() > implementation. Thanks @XueleiFan for the review! If we do that, this will result in a behavior change for cases where `enabledX509DisabledAlgConstraints` = false; is that okay? Or should we set `enabledX509DisabledAlgConstraints` = true if `userSpecifiedConstraints == DEFAULT`? ------------- PR: https://git.openjdk.java.net/jdk/pull/8199