RFR 8211018: Session Resumption without Server-Side State
Anthony Scarpino
anthony.scarpino at oracle.com
Tue Jun 4 16:46:21 UTC 2019
On 6/4/19 4:58 AM, sha.jiang at oracle.com wrote:
> Hi Tony,
> I have some minor comments on the test.
>
> ResumeChecksServer.java
> --------------------
> 57 static boolean clientCache = false, serverServerless = false;
> Should "serverServerless" be "serverStateless"?
>
> 86 if (st.compareToIgnoreCase("stateless") == 0) {
> 87 serverServerless = true;
> 88 }
> 89 st = System.getProperty("javax.net.ssl.sessionCacheClient",
> "cache");
> 90 if (st.compareToIgnoreCase("cache") == 0) {
> 91 clientCache = true;
> 92 }
> Could method String::equalsIgnoreCase be used in the condition statement?
Thanks. That code is not used anymore, so I cleaned it all up.
>
> 125 if (secondSession.getCreationTime() > secondStartTime &&
> 126 !clientCache && !serverServerless) {
> 127 throw new RuntimeException("Session was not reused");
> 128 }
> If the session should be resumed via session ID, besides checking the
> creation time, would it be better to compare the session IDs for
> double-checking?
The client side in stateless mode sends no session id, as the spec
allows. So the session id has no more value.
Tony
>
> Best regards,
> John Jiang
>
> On 2019/6/4 08:42, Anthony Scarpino wrote:
>> I believe I updated all comments in the latest webrev.
>>
>> http://cr.openjdk.java.net/~ascarpino/stateless/webrev.02
>>
>> Tony
>>
>> On 5/16/19 2:30 PM, Anthony Scarpino wrote:
>>> I'm asking for a review of this rather large change to add support for
>>> stateless tickets in the TLS 1.3 5077 RFC.
>>> https://bugs.openjdk.java.net/browse/JDK-8211018
>>