RFR: CSR for 8211018 Session Resumption without Server-Side State

Xuelei Fan xuelei.fan at oracle.com
Fri May 24 13:44:55 UTC 2019

Could we use the SSLSessionContext.getSessionTimeout() value for the
ticket session timeout?

We may extend to use an external key and key rotation to improve
scalability. I was wondering if it is possible to remove the property
by using an implicit key usage limit (as the TLS 1.3 key usage limit,
uncustomizable) rather than a timeout?


On 5/21/2019 4:24 PM, Anthony Scarpino wrote:
> Hi All,
> Please review the CSR for the stateless Server Side 
> https://bugs.openjdk.java.net/browse/JDK-8223922
> thanks
> Tony
