JSSE reference guide issue

Sean Mullan sean.mullan at oracle.com
Thu Mar 25 20:05:57 UTC 2021


> I've been reading the JSSE reference guide and noticed that in section
> "Resuming Session Without Server-Side State"
> (https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
> it says "This feature is not enabled by default", which appears to be
> a leftover from Java 13.

That was fixed in the JDK 16 docs:

https://docs.oracle.com/en/java/javase/16/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810

I have forwarded your other suggestions for improvements to our docs writer.

Thanks,
Sean

On 3/24/21 7:38 AM, raell at web.de wrote:
> Concerning the question:
> 
>> Also the note about TLS 1.3 in the same section isn't entirely clear
>> to me. What does it mean when the docs say "the contents of stateless
>> tickets, in particular, the contents of a NewSessionTicket message,
>> depend on the value of jdk.tls.server.enableSessionTicketExtension"?
> 
> In TLS 1.3, if stateless session resumption is in use (i.e.
> jdk.tls.server.enableSessionTicketExtension=true) the NewSessionTicket message
> includes all session information (in encrypted format). If session resumption is
> stateful (i.e. jdk.tls.server.enableSessionTicketExtension=false), the
> NewSessionTicket message just contains a key that is used by the server during session
> resumption in order to access the session information from its session cache.
> 
>> why should I care?
> 
> The point is: In TLS 1.3 the resumption mode (stateful/stateless) can be configured
> by the property jdk.tls.server.enableSessionTicketExtension (though there is no
> SessionTicketExtension extension in TLS 1.3). But in JDK 14 or later,
> there is usually no need to change the default (=stateless).
>   
> Regards,
> 
> Ralph
>   
>   
> 
> Sent: Friday, 05 February 2021 at 08:42
> From: "Daniel Jeliński" <djelinski1 at gmail.com>
> To: security-dev at openjdk.java.net
> Subject: JSSE reference guide issue
> Hi all,
> What's the right spot to report documentation issues?
> 
> I've been reading the JSSE reference guide and noticed that in section
> "Resuming Session Without Server-Side State"
> (https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
> it says "This feature is not enabled by default", which appears to be
> a leftover from Java 13.
> 
> Also the note about TLS 1.3 in the same section isn't entirely clear
> to me. What does it mean when the docs say "the contents of stateless
> tickets, in particular, the contents of a NewSessionTicket message,
> depend on the value of jdk.tls.server.enableSessionTicketExtension"?
> How exactly does the contents change and why should I care?
> Regards,
> Daniel
> 
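
The two resumption modes described in the thread, as an added conceptual model that is not part of the original messages and is not JSSE's implementation or wire format. The class name, the AES-GCM ticket layout and the sample session state are assumptions made for illustration; in JSSE the mode is selected with jdk.tls.server.enableSessionTicketExtension.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
// Conceptual model only: hypothetical names, not the JDK's internal ticket format.
public class TicketModes {
    static final SecureRandom RNG = new SecureRandom();
    static final Map<String, byte[]> cache = new HashMap<>(); // stateful: server-side session cache
    static SecretKey ticketKey;                                // stateless: key known only to the server
    // Stateful: the ticket is only a lookup key; the session state stays in the server cache.
    static byte[] issueStateful(byte[] state) {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        cache.put(Base64.getEncoder().encodeToString(id), state);
        return id;
    }
    static byte[] resumeStateful(byte[] ticket) {
        return cache.get(Base64.getEncoder().encodeToString(ticket)); // null means full handshake
    }
    // Stateless: the ticket carries the session state itself, encrypted and authenticated.
    static byte[] issueStateless(byte[] state) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, ticketKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(state);
        byte[] ticket = Arrays.copyOf(iv, iv.length + ct.length); // layout: IV || ciphertext+tag
        System.arraycopy(ct, 0, ticket, iv.length, ct.length);
        return ticket;
    }
    static byte[] resumeStateless(byte[] ticket) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, ticketKey, new GCMParameterSpec(128, ticket, 0, 12));
        return c.doFinal(ticket, 12, ticket.length - 12); // throws if the ticket was tampered with
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ticketKey = kg.generateKey();
        byte[] state = "TLSv1.3|TLS_AES_128_GCM_SHA256|resumption-secret-placeholder"
                .getBytes(StandardCharsets.UTF_8); // constructed sample session state
        byte[] t1 = issueStateful(state), t2 = issueStateless(state);
        System.out.println("ticket bytes: stateful=" + t1.length + " stateless=" + t2.length);
        cache.clear(); // models a server restart or a node that never saw the session
        System.out.println("stateful resume after cache loss:  " + (resumeStateful(t1) != null));
        System.out.println("stateless resume after cache loss: "
                + Arrays.equals(state, resumeStateless(t2)));
    }
}
```

In this model the stateless ticket grows with the session state and remains usable for as long as the ticket key is valid, which is why protection and rotation of that key matter in stateless mode.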

