TLS full handshake is slow with PKCS12KeyStore and X509KeyManagerImpl

XMLWordPrintable

    • Type: Enhancement
    • Resolution: Unresolved
    • Priority: P3
    • None
    • Affects Version/s: None
    • Component/s: security-libs

      If JMH test java/security/SSLHandshake.java uses PKCS12 keystore and PKIX KeyManagerFactory, the throughputs on TLS full handshake are much slower.

      1. KeyStore: JKS, KeyManagerFactory: SunX509
      Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
      SSLHandshake.doHandshake true TLSv1.2 thrpt 15 6950.013 ? 704.233 ops/s
      SSLHandshake.doHandshake true TLS thrpt 15 862.246 ? 35.570 ops/s
      SSLHandshake.doHandshake false TLSv1.2 thrpt 15 576.458 ? 17.235 ops/s
      SSLHandshake.doHandshake false TLS thrpt 15 502.704 ? 14.180 ops/s

      2. KeyStore: PKCS12, KeyManagerFactory: PKIX
      Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
      SSLHandshake.doHandshake true TLSv1.2 thrpt 15 8759.169 ? 332.370 ops/s
      SSLHandshake.doHandshake true TLS thrpt 15 864.751 ? 30.114 ops/s
      SSLHandshake.doHandshake false TLSv1.2 thrpt 15 96.037 ? 4.704 ops/s
      SSLHandshake.doHandshake false TLS thrpt 15 92.632 ? 3.235 ops/s

      The combination FullHandshake+JKS+SunX509 is 4+ times faster than the combination FullHandshake+PKCS12+PKIX.

        1. flame-cpu-forward.html
          199 kB

            Assignee:
            Haimay Chao
            Reporter:
            John Jiang
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: