RFR: CSR for 8211018 Session Resumption without Server-Side State
Sean Mullan
sean.mullan at oracle.com
Thu May 23 18:16:09 UTC 2019
On 5/21/19 7:24 PM, Anthony Scarpino wrote:
> Hi All,
>
> Please review the CSR for the stateless Server Side
> https://bugs.openjdk.java.net/browse/JDK-8223922

Some initial comments/questions:

I think the scope should be "JDK" since you are adding new JDK-specific
system properties that users can set to change the behavior.

For previous system properties that enable extensions, we have used a
boolean property with the naming convention
"jdk.tls.client.enable<ExtensionName>" (for example
"jdk.tls.client.enableStatusRequestExtension"), so we should probably
stick to that convention and call it
"jdk.tls.client.enableSessionTicketExtension" (with value true/false).

I was wondering if you really need the jdk.tls.server.sessionCacheState
system property and if so, why the default is not "mixed". Shouldn't the
server decide to cache or not depending on whether the client sends the
SessionTicket Extension?

Thanks,
Sean