On Tue, 12 Apr 2022 11:28:12 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
> During TLS handshake, hundreds of constraints are evaluated to determine
> which cipher suites are usable. Most of the evaluations are performed using
> `HandshakeContext#algorithmConstraints` object. By default that object
> contains a `SSLAlgorithmConstraints` instance wrapping another
> `SSLAlgorithmConstraints` instance. As a result the constraints defined in
> `SSLAlgorithmConstraints` are evaluated twice.
>
> This PR improves the default case; if the user-specified constraints are left
> at defaults, we use a single `SSLAlgorithmConstraints` instance, and avoid
> duplicate checks.

Nice catch. Thank you!

src/java.base/share/classes/sun/security/ssl/HandshakeContext.java line 167:

> 165: this.sslConfig = (SSLConfiguration)conContext.sslConfig.clone();
> 166:
> 167: this.algorithmConstraints = SSLAlgorithmConstraints.wrap(

Maybe, the change could be placed in the SSLAlgorithmConstraints constructors implementation so that it is easier to avoid this mistake.

src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 72:

> 70: }
> 71:
> 72: static AlgorithmConstraints wrap(AlgorithmConstraints
> userSpecifiedConstraints) {

I may update all of the constructors so that the accumulation of the reference of userSpecifiedConstraints could be avoided further.

- this.userSpecifiedConstraints = userSpecifiedConstraints;
+ this.userSpecifiedConstraints = userSpecifiedConstraints == DEFAULT ?
+ null : userSpecifiedConstraints;

Similar update could be placed in the getUserSpecifiedConstraints() implementation.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8199
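
Review bot: In the suggested constructor assignment, `userSpecifiedConstraints == DEFAULT` is a reference comparison, so only the exact DEFAULT instance is collapsed to null; any other instance passed in is still stored and wrapped. Storing null also means every use of the field, including getUserSpecifiedConstraints(), has to treat null as "no user-specified constraints", and a short comment on the assignment saying so would make that contract explicit.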
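
The double evaluation described in the quoted PR text, and the effect of a `wrap`-style factory, as an added Java example that is not the JDK's code. `Counting`, `Wrapper`, `BUILT_IN` and `evaluations` are hypothetical stand-ins, and the RC4 rule is a constructed sample constraint.

```java
import java.security.*;
import java.util.*;

public class WrapDemo {
    // Hypothetical stand-in for the built-in constraint set; counts evaluations.
    static final class Counting implements AlgorithmConstraints {
        int calls;
        public boolean permits(Set<CryptoPrimitive> p, String alg, AlgorithmParameters ap) {
            calls++;
            return !alg.contains("RC4"); // constructed sample rule
        }
        public boolean permits(Set<CryptoPrimitive> p, Key k) { calls++; return true; }
        public boolean permits(Set<CryptoPrimitive> p, String alg, Key k, AlgorithmParameters ap) {
            return permits(p, alg, ap);
        }
    }
    static final Counting BUILT_IN = new Counting();
    // Hypothetical wrapper: user-specified constraints first, then the built-in ones.
    static final class Wrapper implements AlgorithmConstraints {
        final AlgorithmConstraints user; // null means "no user constraints"
        Wrapper(AlgorithmConstraints user) { this.user = user; }
        public boolean permits(Set<CryptoPrimitive> p, String alg, AlgorithmParameters ap) {
            return (user == null || user.permits(p, alg, ap)) && BUILT_IN.permits(p, alg, ap);
        }
        public boolean permits(Set<CryptoPrimitive> p, Key k) {
            return (user == null || user.permits(p, k)) && BUILT_IN.permits(p, k);
        }
        public boolean permits(Set<CryptoPrimitive> p, String alg, Key k, AlgorithmParameters ap) {
            return (user == null || user.permits(p, alg, k, ap)) && BUILT_IN.permits(p, alg, k, ap);
        }
    }
    static final Wrapper DEFAULT = new Wrapper(null);
    // Factory in the spirit of the PR: reuse DEFAULT instead of wrapping it again.
    static AlgorithmConstraints wrap(AlgorithmConstraints user) {
        return (user == null || user == DEFAULT) ? DEFAULT : new Wrapper(user);
    }
    // Number of built-in evaluations that one permits() call triggers.
    static int evaluations(AlgorithmConstraints c, String alg) {
        BUILT_IN.calls = 0;
        c.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), alg, (AlgorithmParameters) null);
        return BUILT_IN.calls;
    }

    public static void main(String[] args) {
        System.out.println("nested:  " + evaluations(new Wrapper(DEFAULT), "ECDHE"));
        System.out.println("wrapped: " + evaluations(wrap(DEFAULT), "ECDHE"));
    }
}
```

The nested instance runs the built-in check once through its inner wrapper and once directly, while the instance returned by `wrap` runs it once and reaches the same allow or deny decision.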