Request for comment, a new idea about distributed TLS sessions
Xuelei Fan
xuelei.fan at oracle.com
Wed Sep 30 04:25:41 UTC 2020
Hi,
I was wondering how to improve the scalability of the TLS implementation in
JDK. TLS session resumption is much faster than full handshaking. It
may be a good idea to support efficiently distributing and resuming TLS
sessions across clusters of computers, by using stateless TLS session
tickets.
The following is a list of the goals:
1. Use session tickets to distribute and resume sessions.
2. Implement a protection scheme for session tickets.
3. Deprecate or modify Java SE APIs that negatively impact distributed
session resumption.
4. Ensure that the session tickets generated and protected in one server
node can be used for session resumption in other nodes in the
distributed system.
5. Ensure that the secret keys used to protect the session ticket can be
rotated and synchronized effectively.
6. Ensure that a new server node inserted into the distributed system
can be automatically synchronized, thus making it possible to plug in new
server nodes as needed.
For more details, please refer to the draft JEP.
https://bugs.openjdk.java.net/browse/JDK-8245551
Does it sound like a good idea? Did you run into scalability problems
for TLS/HTTPS connections? Any suggestions? Any comments are welcome.
Thanks & Regards,
Xuelei
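As an added illustration of goals 2, 4 and 5 (this is not code from the JEP or the JDK), a hypothetical `TicketKeyRing` that seals the session state into a stateless ticket under a cluster-shared, rotatable AES-GCM key, in the spirit of the ticket construction recommended in RFC 5077 (key name, IV, encrypted state, integrity tag); the key ids, layout and method names are assumptions for this example, and the caller is assumed to supply 16-, 24- or 32-byte AES keys:

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical key ring: ticket = keyId(4) || nonce(12) || AES-GCM(session state, AAD = keyId).
// Every node installs the same (keyId, key) pairs, so a ticket minted by one node resumes on another.
public final class TicketKeyRing {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<Integer, SecretKey> keys = new HashMap<>();
    private int currentKeyId = -1;
    // Install a cluster-wide key and seal new tickets under it; older keys remain for unsealing only.
    public synchronized void rotateTo(int keyId, byte[] rawKey) {
        keys.put(keyId, new SecretKeySpec(rawKey, "AES"));
        currentKeyId = keyId;
    }
    // Remove a retired key; tickets sealed under it are rejected and the client gets a full handshake.
    public synchronized void retire(int keyId) { keys.remove(keyId); }
    public synchronized byte[] protect(byte[] sessionState) throws Exception {
        byte[] header = ByteBuffer.allocate(4).putInt(currentKeyId).array();
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);                       // fresh nonce per ticket, never reused under a key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keys.get(currentKeyId), new GCMParameterSpec(128, nonce));
        c.updateAAD(header);                        // authenticate the key id so it cannot be swapped
        byte[] ct = c.doFinal(sessionState);
        return ByteBuffer.allocate(16 + ct.length).put(header).put(nonce).put(ct).array();
    }
    // Returns the session state, or null when the ticket is unusable (unknown key, truncated, bad tag).
    public synchronized byte[] unprotect(byte[] ticket) {
        try {
            ByteBuffer in = ByteBuffer.wrap(ticket);
            byte[] header = new byte[4], nonce = new byte[12];
            in.get(header).get(nonce);
            SecretKey k = keys.get(ByteBuffer.wrap(header).getInt());
            if (k == null) return null;             // key rotated out: decline resumption
            byte[] ct = new byte[in.remaining()];
            in.get(ct);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, nonce));
            c.updateAAD(header);
            return c.doFinal(ct);                   // AEADBadTagException on any tampering
        } catch (Exception e) { return null; }      // truncated or tampered ticket: full handshake
    }
}
```

Two nodes that call `rotateTo` with the same key id and key material can each `unprotect` the other's tickets; once a node calls `retire` on that id, the same ticket yields `null` there and the server falls back to a full handshake, which is the rotation behaviour goal 5 asks for.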