Stateless session resumption for TLS 1.3 with enableSessionTicketExtension?
raell at web.de
raell at web.de
Mon Dec 16 20:02:36 UTC 2019
Dear all,
in Java 13 the new System properties jdk.tls.client.enableSessionTicketExtension and jdk.tls.server.enableSessionTicketExtension were introduced. In TLS 1.2 and prior these properties support stateful session resumption according to RFC 5077.
In TLS 1.3, however, there is no SessionTicketExtension and it isn't clear from the description [1] what impact jdk.tls.server.enableSessionTicketExtension has in case of a TLS 1.3 connection.
Question 1: Does a Java server perform on a TLS 1.3 connection a stateless resp. stateful session resumption, if
jdk.tls.server.enableSessionTicketExtension is set to true resp. false?
Question 2: Does the content of the NewSessionTicket message in TLS 1.3 depend on the value of jdk.tls.server.enableSessionTicketExtension?
Question 2 has been shortly discussed on the mailing list [2], but I couldn't figure out what the final answer was.
[1]: https://bugs.openjdk.java.net/browse/JDK-8227105
[2]: http://mail.openjdk.java.net/pipermail/security-dev/2019-July/020358.html
Best regards,
Ralph
More information about the security-dev
mailing list