RFR 8211018: Session Resumption without Server-Side State
sha.jiang at oracle.com
Wed Jun 5 01:27:51 UTC 2019
Hi Tony,
On 2019/6/5 00:46, Anthony Scarpino wrote:
>>
>> 125 if (secondSession.getCreationTime() > secondStartTime &&
>> 126 !clientCache && !serverServerless) {
>> 127 throw new RuntimeException("Session was not reused");
>> 128 }
>> If the session should be resumed via session ID, besides checking the
>> creation time, would it be better to compare the session IDs for
>> double-checking?
>
> The client side in stateless mode sends no session id, as the spec
> allows. So the session id has no more value.
If either peer doesn't enable the session ticket extension, the session
would be resumed via the old cache way, but not via RFC 5077.
For this case, I suppose it would be better to check the session IDs
between two connections.
This check indicates the session MAY not be resumed via RFC 5077 and
the new properties should work as expected.
Best regards,
John Jiang