JDK-8022063 : SSLContext createSSLEngine takes 5+ seconds to complete
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7u13
  • Priority: P4
  • Status: Closed
  • Resolution: Cannot Reproduce
  • OS: os_x
  • Submitted: 2013-02-07
  • Updated: 2019-02-01
  • Resolved: 2019-02-01
Description
FULL PRODUCT VERSION :
java version "1.7.0_13"
Java(TM) SE Runtime Environment (build 1.7.0_13-b20)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)


ADDITIONAL OS VERSION INFORMATION :
Darwin mac-mini-2.fineline.local 12.2.0 Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64

A DESCRIPTION OF THE PROBLEM :
SSLContext.createSSLEngine appears to be really slow on OS X with JDK 7.  I was able to trace it down to the loading of the export restrictions in JceSecurity.  The first time it executes the JarVerifier.verifyPolicySigned it is really slow.

I tested on linux and it does not exhibit this behavior and neither does the Apple JDK 6.

REGRESSION.  Last worked in version 6u31

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the Test main method in the source code.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The execution should be under 500ms based on results from jdk 6 and linux with jdk 7.
ACTUAL -
The execution took 5236ms.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;

public class Test {
    public static void main(String[] args) throws NoSuchAlgorithmException {
        long start = System.currentTimeMillis();
        SSLContext.getDefault().createSSLEngine();
        System.out.println((System.currentTimeMillis() - start));
    }
}

---------- END SOURCE ----------
Comments
Just verified the run time of the reproducer with the latest update releases, and could not observe any slowdown. Closing the issue as "Cannot reproduce".

bash-3.2$ /Users/igerasim/java7/jdk/Contents/Home/bin/java -showversion Test
java version "1.7.0_221-ea"
Java(TM) SE Runtime Environment (build 1.7.0_221-ea-b02)
Java HotSpot(TM) 64-Bit Server VM (build 24.221-b02, mixed mode)
428
bash-3.2$ /Users/igerasim/java8/jdk/Contents/Home/bin/java -showversion Test
java version "1.8.0_212-ea"
Java(TM) SE Runtime Environment (build 1.8.0_212-ea-b03)
Java HotSpot(TM) 64-Bit Server VM (build 25.212-b03, mixed mode)
299
01-02-2019

Looks related to JDK-8023983, as there sun.security.provider.SHA2.lf_S() was also reported to work slowly in some circumstances.
16-06-2016

Re-open for JDK 8, "Something about the SHA-verification is definitely a problem here." [Bradford Wetmore]
09-09-2015

9-na since we change JCE jars to unsigned. The bootstrap performance of the cacerts keystore will be addressed in JDK-8038277. Will not consider a fix for this bug.
09-09-2015

After we change JCE jars to unsigned in jdk9, a single shot of creating something costs now:

              full cacerts    single-entry cacerts
sslcontext    73ms            30ms
sslengine     126ms           82ms
04-12-2014

JarVerifier impacts the performance significantly. Especially in JDK 8, SHA2 took 90+% of the CPU time in the following simple code:

SSLContext.getDefault().createSSLEngine();

Maybe a performance regression because of the use of SHA-2.

CPU TIME (ms) BEGIN (total = 135029540) Wed May 7 12:06:51 2014
rank   self  accum    count  trace method
   1 18.15% 18.15%    15302 306233 sun.security.provider.SHA2.implCompress
   2 12.14% 30.29%   979328 306231 sun.security.provider.SHA2.lf_sigma0
   3 12.14% 42.42%   979328 306228 sun.security.provider.SHA2.lf_sigma1
   4  9.12% 51.54%   734496 306226 sun.security.provider.SHA2.lf_delta0
   5  9.10% 60.65%   734496 306223 sun.security.provider.SHA2.lf_delta1
   6  6.91% 67.55%  2943168 306227 sun.security.provider.SHA2.lf_S
   7  6.90% 74.45%  2943168 306230 sun.security.provider.SHA2.lf_S
   8  3.47% 77.92%  1471584 306224 sun.security.provider.SHA2.lf_S
   9  3.45% 81.37%  1471584 306221 sun.security.provider.SHA2.lf_S
  10  2.30% 83.67%   979328 306229 sun.security.provider.SHA2.lf_ch
  11  2.30% 85.97%   979328 306232 sun.security.provider.SHA2.lf_maj
  12  1.73% 87.70%   735792 306225 sun.security.provider.SHA2.lf_R
  13  1.73% 89.43%   735792 306222 sun.security.provider.SHA2.lf_R
  14  0.31% 89.73%      258 306262 sun.security.provider.SHA2.implCompress
  15  0.20% 89.94%    16512 306260 sun.security.provider.SHA2.lf_sigma0
  16  0.20% 90.14%    16512 306257 sun.security.provider.SHA2.lf_sigma1
  17  0.15% 90.30%    12384 306255 sun.security.provider.SHA2.lf_delta0
  18  0.15% 90.45%    12384 306252 sun.security.provider.SHA2.lf_delta1
  19  0.14% 90.59%    14747 309590 java.lang.Character.digit
  20  0.12% 90.71%     2203 309592 java.lang.Integer.parseInt
  21  0.12% 90.83%    49536 306259 sun.security.provider.SHA2.lf_S
  22  0.12% 90.94%    49536 306256 sun.security.provider.SHA2.lf_S
  23  0.11% 91.06%    12352 303725 java.lang.Character.toLowerCase
  24  0.11% 91.17%    11556 303697 java.lang.Character.toUpperCaseEx
  25  0.09% 91.26%    15193 309589 java.lang.CharacterDataLatin1.digit
  26  0.09% 91.34%      800 302730 java.util.jar.Attributes$Name.isValid
07-05-2014

I am surprised by the claim of JarVerifier.verifyPolicySigned. This seems like a pretty lightweight operation compared to everything else. Have we verified this as a problem yet?
02-04-2014

A test similar to the test in the description took around 3000 MS on a Solaris SPARC system (glisten.us.oracle.com). The numbers for the different parts look like:

In SSLContext.getInstance(String),
  GetInstance.getInstance() took 1720MS, in which
    SSLContextImpl.DefaultSSLContext() took around 530MS, in which
      getDefaultTrustManager 520MS
  GetInstance.getService() took 1200MS.
SSLContext.createSSLEngine() took around 1250MS

Per the above data, the following resources impact the performance significantly:
1. the size of cacerts impacts the load performance of the default trust manager
2. the size of security providers impacts the load performance of default providers
3. the size of enabled cipher suites impacts the load performance of the JSSE component

Shall we use lazy-load of these resources?
29-10-2013
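
The comments above attribute the cold-start cost to different phases (provider loading, first JCE use, loading cacerts for the default trust manager, engine creation). The harness below is an added example, not code from the report or from the JDK team, that times those phases separately in one fresh JVM; the class name TlsColdStartTimer and the phase labels are hypothetical, and it needs Java 8 or later for the lambdas.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;
import java.security.Security;

// Added example (not from the bug report). Each phase is a one-time cost per JVM,
// so run this in a fresh process; later phases reuse what earlier ones initialized.
public class TlsColdStartTimer {
    interface Phase { void run() throws Exception; }

    // Runs one phase, prints its wall-clock time and returns it in milliseconds.
    static long time(String label, Phase phase) throws Exception {
        long start = System.nanoTime();
        phase.run();
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.printf("%-44s %6d ms%n", label, ms);
        return ms;
    }

    public static void main(String[] args) throws Exception {
        // Phase 1: enumerate the configured security providers.
        time("Security.getProviders()", () -> Security.getProviders());

        // Phase 2: first use of javax.crypto, the framework the reporter
        // traced the delay to (JceSecurity policy loading on JDK 7).
        time("Cipher.getInstance (first JCE use)",
             () -> Cipher.getInstance("AES/CBC/PKCS5Padding"));

        // Phase 3: a null KeyStore makes the factory load the default
        // trust store (cacerts), whose size the comments single out.
        time("TrustManagerFactory.init (default cacerts)", () -> {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
        });

        // Phase 4: the default context; whatever is left after phases 1-3.
        final SSLContext[] ctx = new SSLContext[1];
        time("SSLContext.getDefault()", () -> ctx[0] = SSLContext.getDefault());

        // Phase 5: the call from the reproducer, then a warm call for comparison.
        time("createSSLEngine() (first)", () -> ctx[0].createSSLEngine());
        time("createSSLEngine() (second, warm)", () -> ctx[0].createSSLEngine());
    }
}
```

Setting -Djavax.net.ssl.trustStore to a small trust store on a second run shows how much of phase 3 scales with the number of cacerts entries.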