Re: RFR: 8272875: Change the default key manager to PKIX [v2]

Tue, 29 Apr 2025 13:02:48 -0700 

On Thu, 24 Apr 2025 18:30:00 GMT, Artur Barashev <[email protected]> wrote:

>> The current key manager is SunX509, which is configured in the 
>> java.security. The SunX509 algorithm does not check the local certificate. 
>> The PKIX algorithm should be preferred now so that the default key manager 
>> could be more robust.
>> 
>> Compatibility considerations:
>> 
>> 1) Customers using local certificates signed using algorithms prohibited by 
>> the default configuration (notably MD5 and SHA1) no longer will be able to 
>> use such certificates without modifying algorithm constraints in 
>> `java.security` config file.
>> 
>> 2) Performance impact: there is about x2 performance decrease for full 
>> (non-resume) TLS handshake:
>> 
>> **SUNX509**
>> Benchmark                                    (resume)  (tlsVersion)   Mode  
>> Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19758.012 ± 
>> 758.237  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1861.695 ±  
>> 14.681  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15   **1186.962** 
>> ±  12.085  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15   **1056.288** 
>> ±   7.197  ops/s
>> Finished running test 'micro:java.security.SSLHandshake'
>> 
>> **PKIX**
>> Benchmark                                   (resume)  (tlsVersion)   Mode  
>> Cnt      Score     Error  Units
>> SSLHandshake.doHandshake      true       TLSv1.2  thrpt   15  19724.887 ± 
>> 393.636  ops/s
>> SSLHandshake.doHandshake      true           TLS  thrpt   15   1848.927 ±  
>> 22.946  ops/s
>> SSLHandshake.doHandshake     false       TLSv1.2  thrpt   15    **511.684** 
>> ±   5.405  ops/s
>> SSLHandshake.doHandshake     false           TLS  thrpt   15    **490.698** 
>> ±   6.453  ops/s
>> Finished running test 'micro:java.security.SSLHandshake'
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Skip explicit KeyPair initialization and let the provider default set it

test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java line 52:

> 50: 
> 51: public class SSLSocketParametersTest extends SSLContextTemplate implements
> 52:         Serializable {

As an aside, I can't see any reason this test needs to implement Serializable, 
as nothing in the test depends on it or tests it. I removed it locally and the 
test still passes. Consider removing it as a cleanup (but if you do, run it 
thru mach5 to be safe).

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24756#discussion_r2067282326

Reply via email to