Benoit Tellier created JAMES-4193:
-------------------------------------

             Summary: SSL management improvements
                 Key: JAMES-4193
                 URL: https://issues.apache.org/jira/browse/JAMES-4193
             Project: James Server
          Issue Type: Improvement
            Reporter: Benoit Tellier
         Attachments: Screenshot from 2026-03-28 06-54-41.png

h3. Why? 

On flamegraphs (see attached) I was able to prove James uses up to 15% of its 
applicative CPU doing SSL with JSSE, including loads of handshakes, which is 
suboptimal.

h3. What?

I first want to run a session cache for SSL, allowing reuse and skipping work 
needed upon the handshake.

Second, I would like to run a custom implementation based on boringssl and 
netty-tcnative (linux only...) in tmail-backend, and currently overrides are 
only possible by subclassing. Evolve the Encryption.Factory so that it is 
injected, thus extensions could rely on dependency injection for overriding it.

h3. How?

h4. Session cache

Conf:

{code:xml}
<imapservers>
    <imapserver enabled="true">
        <jmxName>imapserver</jmxName>
        <bind>0.0.0.0:143</bind>
        <connectionBacklog>200</connectionBacklog>
        <tls socketTLS="false" startTLS="true">
            <!-- To create a new keystore execute:
              keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
             -->
            <keystore>file://conf/keystore</keystore>
            <keystoreType>PKCS12</keystoreType>
            <secret>james72laBalle</secret>
            <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>

            <sessionCacheSize>1M</sessionCacheSize>
        </tls>
...
{code}


Expected gains: ~50% of these 3%, fewer object allocations, less latency upon 
connect.

So easy to do that we shall not refrain


h4. Custom encryption layer

{code:java}
public interface Encryption {

    // Factory to be injected instead of being hard-coded
    interface Factory {
        Encryption create(SslConfig conf) throws Exception;
    }

    // remaining Encryption members omitted
}
{code}

Inject this, no longer hard-code its usage in LegacyJavaEncryptionFactory

Gains: be able to specify our SSL strategy in Twake mail



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
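
Added example, not part of the original issue and not James code: one way a {{sessionCacheSize}} value such as {{1M}} could be applied to a JSSE server context with the standard {{SSLSessionContext}} API. The class and method names, the 1024-based meaning of the K/M suffixes and the 3600 second timeout are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

public class SessionCacheExample {

    // Assumption: the value counts cached sessions and K/M are multiples of 1024.
    static int parseCacheSize(String raw) {
        String v = raw.trim().toUpperCase();
        if (v.isEmpty()) {
            throw new IllegalArgumentException("empty sessionCacheSize");
        }
        long multiplier = 1;
        char last = v.charAt(v.length() - 1);
        if (last == 'K' || last == 'M') {
            multiplier = (last == 'K') ? 1024L : 1024L * 1024L;
            v = v.substring(0, v.length() - 1).trim();
        }
        long size = Math.multiplyExact(Long.parseLong(v), multiplier);
        // JSSE treats 0 as "no limit"; reject it so the cache stays bounded.
        if (size <= 0 || size > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("sessionCacheSize out of range: " + raw);
        }
        return (int) size;
    }

    // Bounds both the number of resumable sessions and how long each stays resumable.
    static void applySessionCache(SSLContext ctx, int size, int timeoutSeconds) {
        SSLSessionContext server = ctx.getServerSessionContext();
        if (server == null) {
            throw new IllegalStateException("provider exposes no server session context");
        }
        server.setSessionCacheSize(size);
        // A shorter timeout limits how long session secrets are kept in memory.
        server.setSessionTimeout(timeoutSeconds);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // no key material needed to show the cache settings
        applySessionCache(ctx, parseCacheSize("1M"), 3600);
        SSLSessionContext server = ctx.getServerSessionContext();
        System.out.println(server.getSessionCacheSize() + " sessions, "
                + server.getSessionTimeout() + "s timeout");
    }
}
```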
