Re: RFR: 8272875: Change the default key manager to PKIX [v3]

Tue, 29 Apr 2025 23:21:22 -0700 

On Tue, 29 Apr 2025 21:51:00 GMT, Artur Barashev <abaras...@openjdk.org> wrote:

>> The current key manager is SunX509, which is configured in the 
>> java.security. The SunX509 algorithm does not check the local certificate. 
>> The PKIX algorithm should be preferred now so that the default key manager 
>> could be more robust.
>> 
>> Compatibility considerations:
>> 
>> 1) Customers using local certificates signed using algorithms prohibited by 
>> the default configuration (notably MD5 and SHA1) no longer will be able to 
>> use such certificates without modifying algorithm constraints in 
>> `java.security` config file.
>> 
>> 2) Performance impact: there is about x2 performance decrease for full 
>> (non-resume) TLS handshake:
>> 
>> **SUNX509**
>> Benchmark                                    (resume)  (tlsVersion)   Mode  
>> Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 
>> 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  
>> 14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** 
>> ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** 
>> ±   7.197  ops/s
>> Finished running test 'micro:java.security.SSLHandshake'
>> 
>> **PKIX**
>> Benchmark                                   (resume)  (tlsVersion)   Mode  
>> Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19724.887 ± 
>> 393.636  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1848.927 ±  
>> 22.946  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15    **511.684** 
>> ±   5.405  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15    **490.698** 
>> ±   6.453  ops/s
>> Finished running test 'micro:java.security.SSLHandshake'
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Address review comments

This slowdown is seen in the real world. It is concerning, but not easily 
fixable.

I am not in the TLS server business at the moment, but the cases I used to work 
with [*] were perfectly well served by SunX509, so I guess some users will just 
keep using that. The fix for the PKIX+PKCS12 speed is not exactly easy. The 
options we explored were either incompatible with the existing implementation, 
or introduced subtle bugs in some corner cases.

[*] The servers I used to work with had either only one certificate, or one RSA 
and one EC certificate. We had to manually disable the TLS_RSA and TLS_ECDH 
ciphers, but these are disabled by default today. SunX509 serves that situation 
pretty well.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/24756#issuecomment-2840918307

Reply via email to