JSSE reference guide issue
raell at web.de
raell at web.de
Wed Mar 24 11:38:10 UTC 2021
Concerning the question:
>Also the note about TLS 1.3 in the same section isn't entirely clear
to me. What does it mean when the docs say "the contents of stateless
>tickets, in particular, the contents of a NewSessionTicket message,
>depend on the value of jdk.tls.server.enableSessionTicketExtension"?
In TLS 1.3, if stateless session resumption is in use (i.e.
jdk.tls.server.enableSessionTicketExtension=true) the NewSessionTicket message
includes all session information (in encrypted format). If session resumption is
stateful (i.e. jdk.tls.server.enableSessionTicketExtension=false), the
NewSessionTicket message just contains a key that is used by the server during session
resumption in order to access the session information from its session cache.
>why should I care?
The point is: In TLS 1.3 the resumption mode (stateful/stateless) can be configured
by the property jdk.tls.server.enableSessionTicketExtension (though there is no
SessionTicketExtension extension in TLS 1.3). But in JDK 14 or later,
there is usually no need to change the default (=stateless).
Regards,
Ralph
Gesendet: Freitag, 05. Februar 2021 um 08:42 Uhr
Von: "Daniel Jeliński" <djelinski1 at gmail.com>
An: security-dev at openjdk.java.net
Betreff: JSSE reference guide issue
Hi all,
What's the right spot to report documentation issues?
I've been reading the JSSE reference guide and noticed that in section
"Resuming Session Without Server-Side State"
(https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
it says "This feature is not enabled by default", which appears to be
a leftover from Java 13.
Also the note about TLS 1.3 in the same section isn't entirely clear
to me. What does it mean when the docs say "the contents of stateless
tickets, in particular, the contents of a NewSessionTicket message,
depend on the value of jdk.tls.server.enableSessionTicketExtension"?
How exactly does the contents change and why should I care?
Regards,
Daniel
More information about the security-dev
mailing list