RFR: CSR for 8211018 Session Resumption without Server-Side State
Sean Mullan
sean.mullan at oracle.com
Thu May 23 18:25:55 UTC 2019
On 5/23/19 2:16 PM, Sean Mullan wrote:
> I was wondering if you really need the jdk.tls.server.sessionCacheState
> system property and if so, why the default is not "mixed". Shouldn't the
> server decide to cache or not depending on whether the client sends the
> SessionTicket Extension?
Actually, I see now that there may be valid reasons for not enabling
this feature on the server side. So yes I now see that the property is
useful, and the default setting of it not being on makes sense. I was
wondering if this could be a true/false property though - do we really
need the "stateless" setting?
--Sean
More information about the security-dev
mailing list