Stateless session resumption for TLS 1.3 with enableSessionTicketExtension?

raell at web.de raell at web.de
Mon Dec 16 20:02:36 UTC 2019


Dear all,
 

in Java 13 the new System properties jdk.tls.client.enableSessionTicketExtension and jdk.tls.server.enableSessionTicketExtension were introduced. In TLS 1.2 and prior these properties support stateful session resumption according to RFC 5077.
 
In TLS 1.3, however, there is no SessionTicketExtension and it isn't clear from the description [1] what impact jdk.tls.server.enableSessionTicketExtension has in case of a TLS 1.3 connection. 
 
Question 1: Does a Java server perform on a TLS 1.3 connection a stateless resp. stateful session resumption, if 
jdk.tls.server.enableSessionTicketExtension is set to true resp. false? 
 
Question 2: Does the content of the NewSessionTicket message in TLS 1.3 depend on the value of jdk.tls.server.enableSessionTicketExtension? 
 
Question 2 has been shortly discussed on the mailing list [2], but I couldn't figure out what the final answer was. 
 
[1]: https://bugs.openjdk.java.net/browse/JDK-8227105
[2]: http://mail.openjdk.java.net/pipermail/security-dev/2019-July/020358.html
 
Best regards, 
 
Ralph 



More information about the security-dev mailing list