RFR: CSR for 8211018 Session Resumption without Server-Side State

Sean Mullan sean.mullan at oracle.com
Thu May 23 18:25:55 UTC 2019


On 5/23/19 2:16 PM, Sean Mullan wrote:

> I was wondering if you really need the jdk.tls.server.sessionCacheState 
> system property and if so, why the default is not "mixed". Shouldn't the 
> server decide to cache or not depending on whether the client sends the 
> SessionTicket Extension?

Actually, I see now that there may be valid reasons for not enabling 
this feature on the server side. So yes I now see that the property is 
useful, and the default setting of it not being on makes sense. I was 
wondering if this could be a true/false property though - do we really 
need the "stateless" setting?

--Sean

