Stateless session resumption for TLS 1.3 with enableSessionTicketExtension?

Anthony Scarpino anthony.scarpino at oracle.com
Mon Dec 16 23:20:07 UTC 2019


On 12/16/19 12:02 PM, raell at web.de wrote:
> 
> Dear all,
>   
> 
> in Java 13 the new System properties jdk.tls.client.enableSessionTicketExtension and jdk.tls.server.enableSessionTicketExtension were introduced. In TLS 1.2 and prior these properties support stateful session resumption according to RFC 5077.
>   
> In TLS 1.3, however, there is no SessionTicketExtension and it isn't clear from the description [1] what impact jdk.tls.server.enableSessionTicketExtension has in case of a TLS 1.3 connection.
>   
> Question 1: Does a Java server perform on a TLS 1.3 connection a stateless resp. stateful session resumption, if
> jdk.tls.server.enableSessionTicketExtension is set to true resp. false?

Yes

>   
> Question 2: Does the content of the NewSessionTicket message in TLS 1.3 depend on the value of jdk.tls.server.enableSessionTicketExtension?

Yes


Tony

>   
> Question 2 has been shortly discussed on the mailing list [2], but I couldn't figure out what the final answer was.
>   
> [1]: https://bugs.openjdk.java.net/browse/JDK-8227105
> [2]: http://mail.openjdk.java.net/pipermail/security-dev/2019-July/020358.html
>   
> Best regards,
>   
> Ralph
> 



More information about the security-dev mailing list