RFR: CSR for 8211018 Session Resumption without Server-Side State
Anthony Scarpino
anthony.scarpino at oracle.com
Fri May 24 18:52:28 UTC 2019
On 5/24/19 6:44 AM, Xuelei Fan wrote:
> jdk.tls.server.sessionTicketTimeout:
> Could we use the SSLSessionContext.getSessionTimeout() value for ticket
> session timeout?
>
The property is meant to complement the API. getSessionTimeout() will
return the value of the property if it is set.
I think this is the best choice because we can't assume the servers
allow a user to change the timeout. For example, in testing, if we don't
have a property, the test has to be hardcoded for particular times.
I thought using the same timeout for both the cache and the stateless
sessions made the most sense.
> jdk.tls.server.statelessKeyTimeout:
> We may extend to use external key and key rotation to improve
> scalability. I was wondering, if it is possible to remove the property
> by using implicit key usage limit (as TLS 1.3 key usage limit,
> uncustomizable) rather than timeout?
--- cut-n-paste from the other thread---
The spec says the keys need to be rotated regularly. Of course
"regularly" is up for interpretation. If a usage limit is implemented
and the server is not frequently used, it's possible to have the same
key used for the entire span of the session timeout. I don't feel that
is often enough.
-----
>
> Thanks,
> Xuelei
>
>
> On 5/21/2019 4:24 PM, Anthony Scarpino wrote:
>> Hi All,
>>
>> Please review the CSR for the stateless Server Side
>> https://bugs.openjdk.java.net/browse/JDK-8223922
>>
>> thanks
>>
>> Tony
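The rotation argument above (a usage-limit rule leaves an idle server on the same ticket key for the whole session timeout, while a time-based rule bounds key age) as an added model, not code from the JDK or from this thread; the timeout, key-timeout and usage-limit values are assumed for illustration only.

```java
import java.time.Duration;

/** Compares two policies for rotating the key that encrypts stateless session tickets. */
public final class TicketKeyRotationModel {
    // Assumed illustrative values, not JDK defaults.
    static final long SESSION_TIMEOUT_SEC = 86_400;  // 24h session/ticket lifetime
    static final long KEY_TIMEOUT_SEC     = 3_600;   // 1h key timeout (time-based policy)
    static final long USAGE_LIMIT         = 10_000;  // tickets per key (usage-based policy)

    /** Time-based policy: rotate once the key is older than KEY_TIMEOUT_SEC. */
    static boolean rotateByTime(long keyCreatedSec, long nowSec) {
        return nowSec - keyCreatedSec >= KEY_TIMEOUT_SEC;
    }

    /** Usage-based policy: rotate once the key has protected USAGE_LIMIT tickets. */
    static boolean rotateByUsage(long ticketsIssued) {
        return ticketsIssued >= USAGE_LIMIT;
    }

    /**
     * Simulates a server issuing one ticket every intervalSec for durationSec and
     * returns the longest time (seconds) any single key stayed in service.
     */
    static long maxKeyAge(boolean timeBased, long intervalSec, long durationSec) {
        long keyCreated = 0, issued = 0, maxAge = 0;
        for (long now = 0; now <= durationSec; now += intervalSec) {
            boolean rotate = timeBased ? rotateByTime(keyCreated, now) : rotateByUsage(issued);
            if (rotate) { keyCreated = now; issued = 0; }
            issued++;                                  // this key protects one more ticket
            maxAge = Math.max(maxAge, now - keyCreated);
        }
        return maxAge;
    }

    public static void main(String[] args) {
        long interval = 60;  // one ticket per minute: a lightly used server
        long span = SESSION_TIMEOUT_SEC;
        // Time-based: key age never exceeds the key timeout (about 59 minutes here).
        System.out.printf("time-based  max key age: %s%n",
                Duration.ofSeconds(maxKeyAge(true, interval, span)));
        // Usage-based: 1,441 tickets never reach the limit, so one key spans all 24h.
        System.out.printf("usage-based max key age: %s%n",
                Duration.ofSeconds(maxKeyAge(false, interval, span)));
    }
}
```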