RFR 8211018: Session Resumption without Server-Side State

sha.jiang at oracle.com sha.jiang at oracle.com
Wed Jun 5 01:27:51 UTC 2019


Hi Tony,

On 2019/6/5 00:46, Anthony Scarpino wrote:
>>
>> 125             if (secondSession.getCreationTime() > secondStartTime &&
>> 126                     !clientCache && !serverServerless) {
>> 127                 throw new RuntimeException("Session was not reused");
>> 128             }
>> If the session should be resumed via session ID, besides checking the 
>> creation time, would it be better to compare the session IDs for 
>> double-checking?
>
> the client side in stateless mode sends no session id, as the spec 
> allows.  So the session id has no more value.
If either peer doesn't enable the session ticket extension, the session 
would be resumed via the old cache way, not RFC 5077.
For this case, I suppose it would be better to check the session IDs 
between the two connections.
This check indicates that the session MAY not be resumed via RFC 5077 and 
the new properties should work as expected.

Best regards,
John Jiang
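The double-check discussed above, written out as an added example (this is not code from the thread or from the JDK test under review). It assumes two client-side `SSLSession` objects taken from two consecutive connections to the same server, and a timestamp captured just before the second handshake started, as the quoted test does with `secondStartTime`. The helper name `ResumptionCheck` and the `Mode` values are illustrative.

```java
import java.util.Arrays;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/**
 * Classifies how the second of two handshakes with the same peer ended up:
 * a fresh full handshake, a resumption through the session-ID cache, or a
 * resumption that reused the session without a matching session ID
 * (the stateless, ticket-based path discussed in the thread).
 * Helper name and enum values are illustrative, not JDK API.
 */
public final class ResumptionCheck {

    public enum Mode { FULL_HANDSHAKE, RESUMED_BY_SESSION_ID, RESUMED_WITHOUT_SESSION_ID }

    /**
     * @param first           session of the first connection
     * @param second          session of the second connection
     * @param secondStartTime wall-clock time (ms) taken just before the second
     *                        handshake; a session created at or after this instant
     *                        is new, not resumed (same criterion as the quoted test)
     */
    public static Mode classify(SSLSession first, SSLSession second, long secondStartTime) {
        // A resumed session keeps the creation time of the original session.
        if (second.getCreationTime() >= secondStartTime) {
            return Mode.FULL_HANDSHAKE;
        }
        byte[] firstId = first.getId();
        byte[] secondId = second.getId();
        // Cache-based resumption: both connections carry the same non-empty ID.
        if (firstId.length > 0 && Arrays.equals(firstId, secondId)) {
            return Mode.RESUMED_BY_SESSION_ID;
        }
        // Session reused, but no matching ID to compare: treat as the stateless path.
        return Mode.RESUMED_WITHOUT_SESSION_ID;
    }

    /**
     * Convenience wrapper for two already-connected client sockets: handshakes
     * the first, then the second, and classifies the second.
     */
    public static Mode classify(SSLSocket firstSocket, SSLSocket secondSocket) throws java.io.IOException {
        firstSocket.startHandshake();
        SSLSession first = firstSocket.getSession();

        long secondStartTime = System.currentTimeMillis();
        secondSocket.startHandshake();
        SSLSession second = secondSocket.getSession();

        return classify(first, second, secondStartTime);
    }
}
```

In a test that expects cache-based resumption (session tickets disabled on at least one side), assert `RESUMED_BY_SESSION_ID`; when both sides enable the ticket extension, `RESUMED_WITHOUT_SESSION_ID` is the expected outcome, since, as noted in the thread, the client sends no session ID in stateless mode and the ID alone can no longer prove reuse.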

