[RFR] 8229148: SSLSession.invalidate() does not invalidate stateless tickets
Xuelei Fan
xuelei.fan at oracle.com
Tue Jun 16 00:54:28 UTC 2020
I added myself as reviewer of the CSR.
Xuelei
On 6/15/2020 5:42 PM, Anthony Scarpino wrote:
> The specifications for TLS 1.3 (RFC 8446) and Stateless Resumption for
> TLS 1.2 (RFC 5077) do not define session invalidation. Additionally,
> RFC 5077 provides research that it is unnecessary. This change is to
> clarify that the session invalidation method in the Java API, in
> javax.net.ssl.SSLSession.invalidate(), may not be supported in some
> circumstances.
>
> The CSR is: https://bugs.openjdk.java.net/browse/JDK-8243678
> The webrev is inline:
>
> src/java.base/share/classes/javax/net/ssl/SSLSession.java
> @@ -129,6 +129,12 @@
> * using this session can continue to use the session until the
> * connection is closed.
> *
> + * @apiNote
> + * This operation is optional as the implementation may not support
> + * session invalidation. This could occur with implementations of
> + * Stateless Resumption (RFC 5077) and/or TLS 1.3 (RFC 8446) which
> + * do not specify session invalidation.
> + *
> * @see #isValid()
> */
> public void invalidate();
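Review bot: The added @apiNote says the operation is optional but does not say what a caller observes when invalidation is unsupported: whether invalidate() simply returns, and whether the isValid() referenced in the following "@see #isValid()" line still reports the session as valid afterwards. Suggest stating that outcome in the note, so code that calls invalidate() knows it cannot rely on the call to stop a stateless ticket from being resumed. The wording "and/or" could also be reduced to "or", and "may not support" is clearer as "might not support" to avoid reading it as a prohibition.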