Request for comment, a new idea about distributed TLS sessions
Xuelei Fan
xuelei.fan at oracle.com
Fri Oct 23 15:47:47 UTC 2020
Hi,
The JEP was updated so that it has a better presentation.
https://bugs.openjdk.java.net/browse/JDK-8245551
The goals are now described at a higher level, and some of the details
are moved to the Description section. Any comments are welcome. Please
let me know by end of this month, October 31, 2020.
BTW, I will post a new thread about the algorithm used for the session
ticket protection and synchronization in the cluster.
Thanks,
Xuelei
On 9/29/2020 9:25 PM, Xuelei Fan wrote:
> Hi,
>
> I was wondering about improving the scalability of the TLS implementation in
> JDK. TLS session resumption is much faster than full handshaking. It
> may be good to support efficiently distributing and resuming TLS
> sessions across clusters of computers, by using stateless TLS session
> tickets.
>
> The following is a list of the goals:
> 1. Use session tickets to distribute and resume sessions.
>
> 2. Implement a protection scheme for session tickets.
>
> 3. Deprecate or modify Java SE APIs that negatively impact distributed
> session resumption.
>
> 4. Ensure that the session tickets generated and protected in one server
> node can be used for session resumption in other nodes in the
> distributed system.
>
> 5. Ensure that the secret keys used to protect the session ticket can be
> rotated and synchronized effectively.
>
> 6. Ensure that a new server node inserted into the distributed system
> can be automatically synchronized, thus making it possible to plug in new
> server nodes as needed.
>
> For more details, please refer to the draft JEP.
>
> https://bugs.openjdk.java.net/browse/JDK-8245551
>
> Does it sound like a good idea? Did you run into scalability problems
> for TLS/HTTPS connections? Any suggestions? Any comments are welcome.
>
> Thanks & Regards,
> Xuelei