RFR: CSR for 8211018 Session Resumption without Server-Side State
Anthony Scarpino
anthony.scarpino at oracle.com
Thu May 23 18:39:49 UTC 2019
I stayed away from a boolean value in case some day another option came
around. "stateless" I don't see an often used option, but maybe someone
wants to keep no cache for memory reasons. I didn't want to eliminate
that options by using a boolean value.
As far as defaults. Today it would be default "cache" and if all goes
well maybe 14 it can be switch to "mixed"
Tony
On 5/23/19 11:25 AM, Sean Mullan wrote:
> On 5/23/19 2:16 PM, Sean Mullan wrote:
>
>> I was wondering if you really need the
>> jdk.tls.server.sessionCacheState system property and if so, why the
>> default is not "mixed". Shouldn't the server decide to cache or not
>> depending on whether the client sends the SessionTicket Extension?
>
> Actually, I see now that there may be valid reasons for not enabling
> this feature on the server side. So yes I now see that the property is
> useful, and the default setting of it not being on makes sense. I was
> wondering if this could be a true/false property though - do we really
> need the "stateless" setting?
>
> --Sean
More information about the security-dev
mailing list