> The current key manager is SunX509, which is configured in the java.security. 
> The SunX509 algorithm does not check the local certificate. The PKIX 
> algorithm should be preferred now so that the default key manager could be 
> more robust.
> 
> Compatibility considerations:
> 
> 1) Customers using local certificates signed using algorithms prohibited by 
> the default configuration (notably MD5 and SHA1) no longer will be able to 
> use such certificates without modifying algorithm constraints in 
> `java.security` config file.
> 
> 2) Performance impact: there is about x2 performance decrease for full 
> (non-resume) TLS handshake:
> 
> **SUNX509**
> Benchmark                    (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 758.237  ops/s
> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  14.681  ops/s
> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** ±  12.085  ops/s
> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** ±   7.197  ops/s
> Finished running test 'micro:java.security.SSLHandshake'
> 
> **PKIX**
> Benchmark                    (resume)  (tlsVersion)   Mode  Cnt      Score     Error  Units
> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19724.887 ± 393.636  ops/s
> SSLHandshake.doHandshake      true           TLS  thrpt   15   1848.927 ±  22.946  ops/s
> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15    **511.684** ±   5.405  ops/s
> SSLHandshake.doHandshake     false           TLS  thrpt   15    **490.698** ±   6.453  ops/s
> Finished running test 'micro:java.security.SSLHandshake'

Artur Barashev has updated the pull request incrementally with one additional 
commit since the last revision:

  Skip explicit KeyPair initialization and let the provider default set it

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/24756/files
  - new: https://git.openjdk.org/jdk/pull/24756/files/19a2ad1d..e5e83514

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=24756&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=24756&range=00-01

  Stats: 1 line in 1 file changed: 0 ins; 1 del; 0 mod
  Patch: https://git.openjdk.org/jdk/pull/24756.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/24756/head:pull/24756

PR: https://git.openjdk.org/jdk/pull/24756
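
To gauge the first compatibility consideration quoted above before moving to a PKIX default, the following added example (not code from the pull request or from the JDK) lists the signature algorithm of every certificate attached to a key entry in a keystore and marks MD5 and SHA1 ones for review. The class name, the `looksProhibited` helper and the choice of the `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` properties are assumptions; the quoted text only refers to algorithm constraints in `java.security`.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import javax.net.ssl.KeyManagerFactory;

// Added example, not part of the pull request.
// Usage: java KeyStoreSigAlgAudit <keystore-file> <password>
public class KeyStoreSigAlgAudit {

    // Heuristic based on the PR text ("notably MD5 and SHA1"). It does not
    // evaluate the full constraint syntax of the java.security file.
    static boolean looksProhibited(String sigAlg) {
        String a = sigAlg.toUpperCase(Locale.ROOT);
        return a.contains("MD5") || a.contains("SHA1");
    }

    public static void main(String[] args) throws Exception {
        // Which key manager algorithm this runtime hands out by default.
        System.out.println("Default KeyManagerFactory algorithm: "
                + KeyManagerFactory.getDefaultAlgorithm());
        // Assumption: these two properties hold the relevant constraints.
        for (String p : new String[] {"jdk.certpath.disabledAlgorithms",
                                      "jdk.tls.disabledAlgorithms"}) {
            System.out.println(p + " = " + Security.getProperty(p));
        }
        if (args.length < 2) {
            System.err.println("usage: KeyStoreSigAlgAudit <keystore-file> <password>");
            return;
        }
        // Java 9+: detects the keystore type (JKS, PKCS12) and loads it.
        KeyStore ks = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias) : null;
            if (chain == null) continue;   // trusted-cert entry or key without a chain
            for (int i = 0; i < chain.length; i++) {
                if (!(chain[i] instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) chain[i];
                String alg = x.getSigAlgName();
                System.out.printf("%-6s alias=%s chain[%d] sigAlg=%s subject=%s%n",
                        looksProhibited(alg) ? "REVIEW" : "ok", alias, i, alg,
                        x.getSubjectX500Principal().getName());
            }
        }
    }
}
```

A `REVIEW` line is a prompt to compare that certificate with the constraints printed at the top, not a verdict that the key manager will reject it.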
