On Tue, 12 Apr 2022 11:28:12 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
> During TLS handshake, hundreds of constraints are evaluated to determine
> which cipher suites are usable. Most of the evaluations are performed using
> `HandshakeContext#algorithmConstraints` object. By default that object
> contains a `SSLAlgorithmConstraints` instance wrapping another
> `SSLAlgorithmConstraints` instance. As a result the constraints defined in
> `SSLAlgorithmConstraints` are evaluated twice.
>
> This PR improves the default case; if the user-specified constraints are left
> at defaults, we use a single `SSLAlgorithmConstraints` instance, and avoid
> duplicate checks.
Nice catch. Thank you!
src/java.base/share/classes/sun/security/ssl/HandshakeContext.java line 167:
> 165: this.sslConfig = (SSLConfiguration)conContext.sslConfig.clone();
> 166:
> 167: this.algorithmConstraints = SSLAlgorithmConstraints.wrap(
Maybe, the change could be placed in the SSLAlgorithmConstraints constructors
implementation so that it is easier to avoid this mistake.
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line
72:
> 70: }
> 71:
> 72: static AlgorithmConstraints wrap(AlgorithmConstraints
> userSpecifiedConstraints) {
I may update all of the constructors so that the accumulation of the reference
of userSpecifiedConstraints could be avoid further.
- this.userSpecifiedConstraints = userSpecifiedConstraints;
+ this.userSpecifiedConstraints = userSpecifiedConstraints == DEFAULT ?
+ null : userSpecifiedConstraints;
Similar update could be placed in the getUserSpecifiedConstraints()
implementation.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8199
