On Sat, 2 Nov 2024 19:48:09 GMT, David Schlosnagle <d...@openjdk.org> wrote:
>> The current syntax of the jdk.tls.disabledAlgorithms makes it difficult to
>> disable algorithms that affect both the key exchange and authentication
>> parts of a TLS cipher suite. For example, if you add "RSA" to the
>> jdk.tls.disabledAlgorithms security property, it disables all cipher suites
>> that use RSA, whether it is for key exchange or authentication. If you only
>> want to disable cipher suites that use RSA for key exchange, the only
>> workaround is to list the whole cipher suite name, so an exact match is
>> done, but if there are many cipher suites that use that key exchange
>> algorithm, this becomes cumbersome.
>
> src/java.base/share/classes/sun/security/util/AbstractAlgorithmConstraints.java
> line 91:
>
>> 89: // Wild card matching
>> 90: for (String p : algorithms) {
>> 91: if (Pattern.compile(p.replace("*", ".*"),
>> Pattern.CASE_INSENSITIVE)
>
> What is the performance impact of this change in terms of both allocations
> and duration of compiling and matching this regex on overall handshake?
>
> My sense is that this is going to be very expensive for TLS connection
> overhead.
Good point, thanks! This is just a proof of concept draft at this point. We'll
work on optimization if we decide to go with this design.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21841#discussion_r1827966575
