JSSE reference guide issue

raell at web.de raell at web.de
Wed Mar 24 11:38:10 UTC 2021 

Concerning the question: 

>Also the note about TLS 1.3 in the same section isn't entirely clear
to me. What does it mean when the docs say "the contents of stateless
>tickets, in particular, the contents of a NewSessionTicket message,
>depend on the value of jdk.tls.server.enableSessionTicketExtension"?

In TLS 1.3, if stateless session resumption is in use (i.e. 
jdk.tls.server.enableSessionTicketExtension=true) the NewSessionTicket message 
includes all session information (in encrypted format). If session resumption is 
stateful (i.e. jdk.tls.server.enableSessionTicketExtension=false), the 
NewSessionTicket message just contains a key that is used by the server during session 
resumption in order to access the session information from its session cache. 

>why should I care?

The point is: In TLS 1.3 the resumption mode (stateful/stateless) can be configured 
by the property jdk.tls.server.enableSessionTicketExtension (though there is no 
SessionTicketExtension extension in TLS 1.3). But in JDK 14 or later, 
there is usually no need to change the default (=stateless).
 
Regards, 

Ralph 
 
 

Gesendet: Freitag, 05. Februar 2021 um 08:42 Uhr
Von: "Daniel Jeliński" <djelinski1 at gmail.com>
An: security-dev at openjdk.java.net
Betreff: JSSE reference guide issue
Hi all,
What's the right spot to report documentation issues?

I've been reading the JSSE reference guide and noticed that in section
"Resuming Session Without Server-Side State"
(https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
it says "This feature is not enabled by default", which appears to be
a leftover from Java 13.

Also the note about TLS 1.3 in the same section isn't entirely clear
to me. What does it mean when the docs say "the contents of stateless
tickets, in particular, the contents of a NewSessionTicket message,
depend on the value of jdk.tls.server.enableSessionTicketExtension"?
How exactly does the contents change and why should I care?
Regards,
Daniel

More information about the security-dev mailing list