[RFR] 8229148: SSLSession.invalidate() does not invalidate stateless tickets

Anthony Scarpino anthony.scarpino at oracle.com
Tue Jun 16 00:42:32 UTC 2020


The specifications for TLS 1.3 (RFC 8446) and Stateless Resumption for 
TLS 1.2 (RFC 5077) do not define session invalidation. Additionally, 
RFC 5077 provides research that it is unnecessary. This change is to 
clarify that the session invalidation method in the Java API, 
javax.net.ssl.SSLSession.invalidate(), may not be supported in some 
circumstances.

The CSR is: https://bugs.openjdk.java.net/browse/JDK-8243678
The webrev is inline:

src/java.base/share/classes/javax/net/ssl/SSLSession.java
@@ -129,6 +129,12 @@
       * using this session can continue to use the session until the
       * connection is closed.
       *
+     * @apiNote
+     * This operation is optional as the implementation may not support
+     * session invalidation.  This could occur with implementations of
+     * Stateless Resumption (RFC 5077) and/or TLS 1.3 (RFC 8446) which
+     * do not specify session invalidation.
+     *
       * @see #isValid()
       */
      public void invalidate();
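Review bot: the new @apiNote says invalidation is optional but does not state the observable behaviour when it is not supported, which is what a caller using invalidate() as a security control needs to know. Since the existing text says "using this session can continue to use the session until the connection is closed" and the note already points at "@see #isValid()", please spell out whether an unsupported invalidate() is a silent no-op, whether isValid() then keeps returning true, and whether the stateless ticket remains usable for resumption; otherwise callers cannot tell from the API whether revocation actually took effect. Minor: "and/or" in the note can simply be "or".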
