Java SSL provider with AES-NI support

Question

Is there Java security provider which can handle SSL connections and does support AES-NI instructions?

I have tried to use SunPKCS11 with Mozilla NSS, but it doesn't work for SSL connections that use AES encryption. According to Java PKCS#11 Reference Guide, this provider doesn't support SSLContext.* "algorithms" :-(

Answer 1

There is some recent activity in Dec 2012 on openjdk to support AES-NI on x86. See JEPS-164

This merge in Dec 2012 to jdk8 is discussed here includes assembly code changes to support AES-NI. From the discussion it looks like the change might be back ported to jdk7u12.

The IBM JCE for Java V7 in Nov 2012 includes support for AES-NI.

If one of these new JRE's is used, your java SSL/TLS implementation should be taking advantage of AES-NI without using a PKCS11 provider.

You could check your BIOS to see if AES-NI can be enabled/disabled. If it can then you could run a micro-benchmark of AES encrypt/decrypt to see what the difference is.

Answer 2

I believe that I have found the answer to my question.

First of all, I'm mixing "providers" for two different libraries: JCE (implementations of crypto algorithms) and JSSE (support for secure sockets).

According to JavaTM Secure Socket Extension (JSSE) Reference Guide, section JCE and Hardware Acceleration/Smartcard Support, default JSSE provider (SunJSSE) uses JCE for all crypto operations.

JCE can be configured to use hardware-accelerated AES e.g. by using SunPKCS11 + mozilla-nss library, as documented for example in this answer.

What remains to be done (in my case), is to make sure that SSL is configured with proper ciphers, and to verify that SunPKCS11 is actually used by ssl connections.