JDK-8334969 : SSLSocketOutputRecord is flushed too often
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8
  • Priority: P4
  • Status: In Progress
  • Resolution: Unresolved
  • Submitted: 2024-06-25
  • Updated: 2024-12-19
Description
Noticed while reviewing JDK-8334670.

We currently flush the SSLSocketOutputRecord (via hc.handshakeOutput.flush) after every handshake message. Flushing adds unnecessary overhead: record header, padding, MAC. If TCP_NODELAY is not enabled, it may additionally delay the transmission of subsequent messages.

We should only flush when necessary. Examples of places where flushing is necessary include: after Finished message, after ClientHello, after TLS 1.3 ServerHello / HelloRetryRequest, after TLS 1.2 ServerHelloDone. On the other hand, flushing is not necessary between Certificate and CertificateVerify, for example.
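The record overhead described above can be made concrete with a simplified model, added here as an illustration (it is not JDK code and does not reproduce SSLSocketOutputRecord). The class name, the message sizes and the 17-byte per-record protection cost (TLS 1.3 AEAD with a 16-byte tag and no padding) are assumptions; the flush set follows the list in the description.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Simplified model of handshake record coalescing; not the JDK's SSLSocketOutputRecord. */
public class HandshakeFlushModel {
    static final int RECORD_HEADER = 5;     // content type (1) + version (2) + length (2)
    static final int MAX_FRAGMENT = 16384;  // maximum plaintext bytes per TLS record
    // Assumption: TLS 1.3 AEAD record, 1 inner content-type byte + 16-byte tag, no padding.
    static final int PROTECTION = 17;

    // Messages the issue description names as needing a flush (TLS 1.3 flight modeled here).
    static final Set<String> MUST_FLUSH = new HashSet<>(Arrays.asList(
            "ClientHello", "ServerHello", "HelloRetryRequest", "ServerHelloDone", "Finished"));

    /** Returns {records written, overhead bytes} for one flight of handshake messages. */
    static int[] simulate(String[] names, int[] sizes, boolean flushEveryMessage) {
        int records = 0;
        int buffered = 0;
        for (int i = 0; i < names.length; i++) {
            buffered += sizes[i];
            // A full fragment has to be written out whatever the flush policy is.
            while (buffered >= MAX_FRAGMENT) {
                records++;
                buffered -= MAX_FRAGMENT;
            }
            boolean flush = flushEveryMessage || MUST_FLUSH.contains(names[i]);
            if (flush && buffered > 0) {
                records++;
                buffered = 0;
            }
        }
        if (buffered > 0) {
            records++; // whatever is left goes out with the end of the flight
        }
        return new int[] {records, records * (RECORD_HEADER + PROTECTION)};
    }

    public static void main(String[] args) {
        // Constructed message sizes in bytes, each including the 4-byte handshake header.
        String[] names = {"EncryptedExtensions", "CertificateRequest", "Certificate",
                          "CertificateVerify", "Finished"};
        int[] sizes = {10, 50, 2500, 264, 36};
        int[] perMessage = simulate(names, sizes, true);
        int[] whenNeeded = simulate(names, sizes, false);
        System.out.printf("flush per message: %d records, %d overhead bytes%n",
                perMessage[0], perMessage[1]);
        System.out.printf("flush when needed: %d records, %d overhead bytes%n",
                whenNeeded[0], whenNeeded[1]);
    }
}
```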
Comments
This was not as easy as initially thought, and might require an I/O rewrite for SSLSocketOutputRecord. Untargeting for 24 for now, and dropping back to P4. The way SSLSocket's lower-level I/O was done is completely different than SSLEngine. I'm not sure how worthwhile a rewrite actually is for a bit of performance improvement. I'm looking to see if we can do something similar to what we did in SSLEngine (maybe some code reuse), or if there is another location we can make the change.
19-12-2024

Likely necessary to keep in:
  • ClientHello
  • Finished
  • HelloRequest
  • HelloVerifyRequest
  • NewSessionTicket
  • ServerHelloDone
  • ServerHello (TLSv1.2 only)

Should be able to pull from:
  • CertificateMessage
  • CertificateRequest
  • CertificateStatus
  • CertificateVerify
  • DHClientKeyExchange/DHServerKeyExchange
  • ECDHClientKeyExchange/ECDHServerKeyExchange
  • EncryptedExtensions
  • RSAClientKeyExchange/RSAServerKeyExchange
  • ServerHello (TLSv1.3+, including TLS13HelloRetryRequest)

Changes made/under test.
17-12-2024

Agree with submitter's comments, and should be a pretty straightforward fix. Pretty sure the flush calls can simply be removed from the individual output message writes when they are not needed. Will double check all locations where flush() is called for all versions of SSL/TLS.
11-12-2024

Not an issue with the SSLEngine, flushing is done differently there.
10-12-2024

This hid JDK-8334670, it's worth looking at, but is appropriately prioritized.
22-07-2024