[RFR] 8229148: SSLSession.invalidate() does not invalidate stateless tickets
Anthony Scarpino
anthony.scarpino at oracle.com
Tue Jun 16 04:32:41 UTC 2020
Hi,
That's an interesting idea. I don't think a method in SSLSession would
be the right place for such a method, maybe SSLContext given it's a
server side operation affecting many sessions. If we do enhance the API
for stateless operations, that would be a reasonable addition.
Thanks for the input
Tony
On 6/15/20 6:43 PM, Bernd Eckenfels wrote:
> Hello,
>
> The change seems reasonable, but should there maybe be a method to refresh
> temporary keys used for those session tokens, i.e. "invalidate all", and
> link to that so specific implementations are encouraged to offer such an
> API.
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *From:* security-dev <security-dev-bounces at openjdk.java.net> on behalf
> of Anthony Scarpino <anthony.scarpino at oracle.com>
> *Sent:* Tuesday, June 16, 2020 2:42:32 AM
> *To:* OpenJDK Security <security-dev at openjdk.java.net>
> *Subject:* Re: [RFR] 8229148: SSLSession.invalidate() does not
> invalidate stateless tickets
> The specifications for TLS 1.3 (RFC 8446) and Stateless Resumption for
> TLS 1.2 (RFC 5077) do not define session invalidation. Additionally,
> RFC 5077 provides research that it is unnecessary. This change is to
> clarify that the session invalidation method in the Java API,
> javax.net.ssl.SSLSession.invalidate(), may not be supported in some
> circumstances.
>
> The CSR is: https://bugs.openjdk.java.net/browse/JDK-8243678
> The webrev is inline:
>
> src/java.base/share/classes/javax/net/ssl/SSLSession.java
> @@ -129,6 +129,12 @@
> * using this session can continue to use the session until the
> * connection is closed.
> *
> + * @apiNote
> + * This operation is optional as the implementation may not support
> + * session invalidation. This could occur with implementations of
> + * Stateless Resumption (RFC 5077) and/or TLS 1.3 (RFC 8446) which
> + * do not specify session invalidation.
> + *
> * @see #isValid()
> */
> public void invalidate();
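Review bot: the added @apiNote states that invalidation may not be supported, but it does not say what a caller observes in that case, so the contract for invalidate() stays ambiguous for stateless sessions: does the call return silently, does isValid() still report true afterward, and can an outstanding ticket still be used to resume the session? Suggest spelling out the observable behaviour after "do not specify session invalidation.", for example `* If invalidation is not supported, this method has no effect and` / `* {@link #isValid()} may continue to return {@code true}.` (adjusted to whatever the implementation actually does). Also, "and/or" reads loosely in a specification comment; "or" is clearer, and the two RFC references would be easier to follow as links rather than bare numbers.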