
BCRSAPublicKey creation is slow, causing io.netty.handler.ssl.SslHandshakeTimeoutException

Open niklas-sparfeld-gcx opened this issue 2 years ago • 3 comments

Hi! 👋

We have a Spring Boot application which loads an Azure Storage Blob via Spring Cloud Azure.

In the same application we use the BouncyCastle security provider.

Under the hood a netty request to Azure's HTTP API is performed.

When the first request TLS handshake is performed, during consumption of the Server Hello, netty's SSLEngine gets an instance of PKIXValidator.

In PKIXValidator.setTrustedObjects() my system's 154 known certificates are loaded, during which X509CertificateImpl.getPublicKey() of BouncyCastle is called.

And the construction of those public keys is very slow, because it performs the Primes.enhancedMRProbablePrimeTest(...).

When the BC provider is not installed, the HTTP request is performed instantaneously.

Questions: Is this "as designed"?

Or: Should BC and netty work together, or should I look into configuring netty so that it does not pick up the BC implementation?

[Screenshot attached: 2023-10-02 at 11:16:31]

I'll create a netty issue as well. Maybe the solution is in their control 🤷

https://github.com/netty/netty/issues/13645

niklas-sparfeld-gcx avatar Oct 02 '23 09:10 niklas-sparfeld-gcx
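The question of whether netty "picks up" BC comes down to JCE provider ordering: a generic `CertificateFactory.getInstance("X.509")` or `KeyFactory.getInstance("RSA")` is answered by the first registered provider that offers the algorithm, so a BC `X509CertificateImpl` in the trust-manager path means BC was registered ahead of SUN. The following check is an added example, not code from the issue or from bc-java; it assumes bcprov is on the classpath and the class name `ProviderOrderCheck` is arbitrary.

```java
import java.security.KeyFactory;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Shows which provider answers the generic JCE lookups that the JDK's trust-store
 *  loading and PKIX validation use, for each way of registering BC. */
public class ProviderOrderCheck {

    static String x509CertificateFactoryProvider() throws Exception {
        return CertificateFactory.getInstance("X.509").getProvider().getName();
    }

    static String rsaKeyFactoryProvider() throws Exception {
        return KeyFactory.getInstance("RSA").getProvider().getName();
    }

    static void report(String label) throws Exception {
        System.out.println("== " + label);
        StringBuilder order = new StringBuilder();
        for (Provider p : Security.getProviders()) order.append(p.getName()).append(' ');
        System.out.println("  provider order         : " + order.toString().trim());
        System.out.println("  CertificateFactory X.509: " + x509CertificateFactoryProvider());
        System.out.println("  KeyFactory RSA          : " + rsaKeyFactoryProvider());
    }

    public static void main(String[] args) throws Exception {
        report("JDK defaults (no BC)");

        // Appending BC leaves the JDK providers first: generic lookups still resolve to SUN/SunRsaSign,
        // and code that really wants BC asks for it by name.
        Security.addProvider(new BouncyCastleProvider());
        report("BC appended with Security.addProvider");
        KeyFactory bcOnly = KeyFactory.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
        System.out.println("  explicit request        : " + bcOnly.getProvider().getName());

        // Inserting BC at position 1 makes it answer every generic lookup, including the
        // X.509 CertificateFactory used while loading the trust store, so every trust anchor
        // becomes a BC X509CertificateImpl and getPublicKey() goes through BC's RSA key validation.
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
        report("BC inserted at position 1");
    }
}
```

If the third report shows `BC` for the X.509 `CertificateFactory`, that is the configuration that routes netty's (really the JDK's) trust-store certificates through BC; appending the provider and requesting BC by name only where it is needed (for example in Californium) keeps the JDK path on the SUN implementation.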

It's not immediately obvious, but check the situation with /dev/random - RSA key validation and generation rely on secure random number generation. The system may be running out of entropy.

dghgit avatar Oct 04 '23 10:10 dghgit

Thanks for the answer. AFAICT this is not it.

I played around with java.security.egd as well as securerandom.strongAlgorithms (via https://github.com/eclipse-californium/californium/blob/4efe9cee48eb62100b64a6dab5f52c1f60b13755/element-connector/src/main/java/org/eclipse/californium/elements/util/JceProviderUtil.java#L272) and couldn't lower the time it takes netty to load the certs.

I'm now looking into making Californium use BouncyCastle while netty keeps using the system Security providers.

niklas-sparfeld-gcx avatar Oct 05 '23 15:10 niklas-sparfeld-gcx

For what it's worth, the provided dump definitely shows things are stalling in RSA public key validation. Try setting "org.bouncycastle.rsa.max_mr_tests" to 1 (it's probably about 3 at the moment; it can be set to 0, although if you do that you will have disabled the MR tests totally).

dghgit avatar Oct 06 '23 01:10 dghgit
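To see what the `org.bouncycastle.rsa.max_mr_tests` setting actually buys before changing it in production, the cost of BC's RSA public key construction can be measured in isolation: encode some RSA public keys with the JDK provider, then decode them through BC's `KeyFactory`, which yields `BCRSAPublicKey` instances and runs the same modulus checks that the trust-store loading hit. This benchmark is an added example, not code from the issue or from bc-java; it assumes bcprov is on the classpath, the class name `RsaKeyValidationCost` is arbitrary, and the default of 154 keys simply mirrors the count in the original report.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Times BC RSA public key construction so the effect of
 *  -Dorg.bouncycastle.rsa.max_mr_tests=N can be compared run by run. */
public class RsaKeyValidationCost {
    static final String MR_PROP = "org.bouncycastle.rsa.max_mr_tests";

    /** Generates n RSA key pairs with the JDK provider (explicitly, so BC's position in the
     *  provider list does not matter) and returns the DER SubjectPublicKeyInfo encodings. */
    static List<byte[]> makeEncodedPublicKeys(int n, int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "SunRsaSign");
        kpg.initialize(bits);
        List<byte[]> out = new ArrayList<>(n);
        for (int i = 0; i < n; i++) {
            out.add(kpg.generateKeyPair().getPublic().getEncoded());
        }
        return out;
    }

    /** Decodes every encoding through BC's KeyFactory, which constructs a BCRSAPublicKey and
     *  therefore runs the modulus validation (including the Miller-Rabin rounds governed by
     *  MR_PROP). Returns the elapsed wall-clock time in milliseconds. */
    static long decodeWithBc(List<byte[]> encodings) throws Exception {
        KeyFactory kf = KeyFactory.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
        long start = System.nanoTime();
        for (byte[] enc : encodings) {
            PublicKey pk = kf.generatePublic(new X509EncodedKeySpec(enc));
            if (!"RSA".equals(pk.getAlgorithm())) {
                throw new IllegalStateException("unexpected key type " + pk.getAlgorithm());
            }
        }
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) throws Exception {
        // Appended, not inserted at 1: the JDK providers keep answering generic lookups;
        // we ask for BC explicitly where we want to measure it.
        Security.addProvider(new BouncyCastleProvider());

        int count = args.length > 0 ? Integer.parseInt(args[0]) : 154;
        List<byte[]> keys = makeEncodedPublicKeys(count, 2048);

        decodeWithBc(keys); // warm-up so JIT and class loading are not part of the measurement
        long millis = decodeWithBc(keys);
        System.out.printf("%s=%s: %d RSA-2048 public keys built via BC in %d ms%n",
                MR_PROP, System.getProperty(MR_PROP, "<BC default>"), count, millis);
    }
}
```

Run it once with no property and once with `-Dorg.bouncycastle.rsa.max_mr_tests=1` (and, to see the floor, `=0`); the property is read by BC as a system property, so it has to be in place before the keys are constructed, which in a Spring Boot service means on the JVM command line or in a static initializer that runs before the first TLS handshake. Generating the sample keys dominates the startup of this program, so the interesting number is only the decode timing printed at the end. Setting the value to 0 disables the primality check on every RSA public key the provider ever sees, including untrusted ones arriving in TLS handshakes, so 1 is the safer knob to try first.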