add AES-GCM cipher to default SSL suites #29695
Original comment by @rmuir: There can be serious performance issues with java 8. The intrinsics are only being added to java 9. Without the improved support, the performance is so bad that it's essentially unusable. We are talking about bandwidth in KB/s or single MB/s even with large blocksizes. See LINK REDACTED for more information.
Original comment by @rmuir: Yeah and we should keep an eye on stuff like LINK REDACTED ... the intrinsics currently sit broken on skylake for months with low priority...
Original comment by @rmuir: Looks like java 9 will get delayed 6 months, we may want to rethink this one. An intermediate solution is to see if the current speed is usable on java 8 update 60 and above (see LINK REDACTED). If we can ensure we use large block size, the combination may be reasonable. Still, I am not sure about defaults, we would want to maybe check the jvm version or something? cc @jasontedor
Original comment by @bizybot: Both issues that were stalling the progress have been resolved.
Looks like https://bugs.openjdk.java.net/browse/JDK-8129238 is backported to Java 8 (since 8u60) and that gives a significant performance boost, not sure if this is enough to motivate us adding AES-GCM to the default supported ciphers in 7.x even when running with < Java 11.
This issue should be considered resolved IMO since we support these ciphers running on JDK 11+ since #42082 in 7.x. Regarding support for older JDKs like 8, I think it is worth considering but proper detection of the true hardware acceleration might be a bit tricky due to the fact that OpenJDK and Oracle JDK actually differ in this intrinsic support for 8u, see https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-November/010630.html and https://bugs.openjdk.java.net/browse/JDK-8129238. @jkakavas are you ok with closing this issue and possibly opening a new one for support on pre-11 JDKs?
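The JVM-version gate discussed in the comments above, as an added example that is not Elasticsearch's code and not part of any comment: AES-GCM suites are placed in the default list only on JDK 11+ and the result is filtered to what the running provider supports. The class name, method names and the two suite lists are assumptions made for illustration; only the JDK 11 threshold comes from the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class DefaultCipherSuites {
    // Constructed preference lists (standard JSSE names), not the project's actual defaults.
    static final List<String> GCM = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256");
    static final List<String> CBC = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA");

    // java.specification.version is "1.8" on Java 8 and "9", "11", ... afterwards.
    static int majorVersion(String spec) {
        String[] parts = spec.split("\\.");
        int first = Integer.parseInt(parts[0]);
        return (first == 1 && parts.length > 1) ? Integer.parseInt(parts[1]) : first;
    }

    // GCM suites go first only on JDK 11+ (the threshold named in the thread);
    // older runtimes keep the CBC-only list. Suites the provider lacks are dropped.
    static List<String> defaults(int major, Set<String> supported) {
        List<String> out = new ArrayList<>();
        if (major >= 11) {
            out.addAll(GCM);
        }
        out.addAll(CBC);
        out.retainAll(supported);
        return out;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        int running = majorVersion(System.getProperty("java.specification.version"));
        System.out.println("Java " + running + ": " + defaults(running, supported));
        // Same provider, treated as Java 8: the GCM suites are left out of the defaults.
        System.out.println("Java 8:  " + defaults(8, supported));
    }
}
```

The version number is only a proxy: it does not show whether the AES-GCM intrinsics are actually active, which the thread notes differs between OpenJDK and Oracle JDK on 8u.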
Original comment by @jaymode:
The AES-GCM cipher is an AEAD cipher that is available in JDK 8 and has intrinsics in the OpenJDK and Oracle VM. We should add this cipher to the list of supported ciphers in master and start testing with it.
In the past, there have been issues with this cipher being used for LDAP communication with Active Directory. We'll want to keep an eye out for this.