RFR: 8298381: Improve handling of session tickets for multiple SSLContexts

Volker Simonis simonis at openjdk.org
Mon Dec 12 10:08:56 UTC 2022


On Sun, 11 Dec 2022 23:52:25 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:

> > You're right, but that's actually an improvement compared to the initial implementation where cleanup/destroy wasn't synchronized at all :)
> > With regards to the missing synchronization of key usage and key destruction, I think this patch doesn't change the existing behavior because it wasn't synchronized before either.
> 
> I think behavior is changed, since the synchronization problem was hidden by generation of many keys. And if we start to use one key by many threads, we will need to carefully sync it, but if we just add synchronization per ssl contex we will make encode/decode methods single threaded per ssl context, which is unfortunate.

Not sure what you mean? Do you refer to the `SessionTicketSpec`s `encrypt()`/`decrypt()` methods?What do you mean by "*we make them single threaded per ssl context*"?

`encrypt()` will call `getCurrentKey()` which isn't synchronized. Only once an hour or so, when the current key has expired, `getCurrentKey()` will call `getNextKey()` which is synchronized on the ssl context. `decrypt()` only calls `getKey()` which is never synchronized. I can't see a problem here.

-------------

PR: https://git.openjdk.org/jdk/pull/11590


More information about the security-dev mailing list