Request for comment, a new idea about distributed TLS sessions

Xuelei Fan xuelei.fan at oracle.com
Fri Oct 23 15:47:47 UTC 2020


Hi,

The JEP was updated so that it has a better presentation.

     https://bugs.openjdk.java.net/browse/JDK-8245551

The goals are now described at a higher level, and some of the details 
have been moved to the Description section.  Any comments are welcome.  Please 
let me know by end of this month, October 31, 2020.

BTW, I will post a new thread about the algorithm used for the session 
ticket protection and synchronization in the cluster.

Thanks,
Xuelei


On 9/29/2020 9:25 PM, Xuelei Fan wrote:
> Hi,
> 
> I was wondering about improving the scalability of the TLS implementation in 
> JDK.  TLS session resumption is much faster than full handshaking.  It 
> may be good to support efficiently distributing and resuming TLS 
> sessions across clusters of computers, by using stateless TLS session 
> tickets.
> 
> The following is a list of the goals:
> 1. Use session tickets to distribute and resume sessions.
> 
> 2. Implement a protection scheme for session tickets.
> 
> 3. Deprecate or modify Java SE APIs that negatively impact distributed 
> session resumption.
> 
> 4. Ensure that the session tickets generated and protected in one server 
> node can be used for session resumption in other nodes in the 
> distributed system.
> 
> 5. Ensure that the secret keys used to protect the session ticket can be 
> rotated and synchronized effectively.
> 
> 6. Ensure that a new server node inserted into the distributed system 
> can be automatically synchronized, thus making it possible to plug in new 
> server nodes as needed.
> 
> For more details, please refer to the draft JEP.
> 
>      https://bugs.openjdk.java.net/browse/JDK-8245551
> 
> Does it sound like a good idea?  Did you run into scalability problems 
> for TLS/HTTPS connections?  Any suggestions?  Any comments are welcome.
> 
> Thanks & Regards,
> Xuelei


