RFR: 8298381: Improve handling of session tickets for multiple SSLContexts [v3]

Volker Simonis simonis at openjdk.org
Thu Dec 22 13:15:53 UTC 2022


On Wed, 21 Dec 2022 20:11:44 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Volker Simonis has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Optimized initialisation of currentKeyID and deletion of expired session keys as proposed by @schlosna
>
> src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java line 182:
> 
>> 180: 
>> 181:     // Package-private, used only from SSLContextImpl::engineInit() to initialie currentKeyID.
>> 182:     void initCurrentKeyID(int keyID) {
> 
> The ID will work as if it is unique in the context, granted with synchronization. It may not be necessary to use a secure number for it. The ID could be assigned in the constructor (see comment above, use number zero or the current time, etc.), and thus this method and the caller code could be removed, I think.

I'm not an expert in this area, but [RFC 5077 recommends](https://www.rfc-editor.org/rfc/rfc5077#page-10) that the ID "*should be randomly generated to avoid collisions between servers*". What about initializing it to the `hashCode()` of the `SSLSessionContextImpl` object?

-------------

PR: https://git.openjdk.org/jdk/pull/11590
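
To illustrate the RFC 5077 point about key ID collisions raised in this message, here is an added example (not code from the pull request or the JDK). The `Ctx` class and the ticket layout are hypothetical stand-ins: when two contexts both start their key ID at 0, a ticket from the other context matches a local key and is rejected only after a failed decryption, while with randomly initialized IDs it is rejected on lookup.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.*;

public class TicketKeyIdDemo {
    static final SecureRandom RNG = new SecureRandom();

    // Hypothetical stand-in for one session context holding its own ticket key.
    static class Ctx {
        final Map<Integer, SecretKey> keys = new HashMap<>();
        final int currentKeyId;
        Ctx(int firstKeyId) throws Exception {
            currentKeyId = firstKeyId;
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);
            keys.put(firstKeyId, kg.generateKey());
        }
        // Constructed ticket layout: keyId(4) || iv(12) || AES-GCM(state)
        byte[] issue(byte[] state) throws Exception {
            byte[] iv = new byte[12];
            RNG.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, keys.get(currentKeyId), new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(state);
            return ByteBuffer.allocate(16 + ct.length).putInt(currentKeyId).put(iv).put(ct).array();
        }
        String accept(byte[] ticket) throws Exception {
            ByteBuffer b = ByteBuffer.wrap(ticket);
            SecretKey k = keys.get(b.getInt());   // look up the key named by the ticket
            if (k == null) return "unknown key ID: rejected without decrypting";
            byte[] iv = new byte[12];
            b.get(iv);
            byte[] ct = new byte[b.remaining()];
            b.get(ct);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, iv));
            try { c.doFinal(ct); return "resumed"; }
            catch (AEADBadTagException e) { return "key ID matched, decryption failed"; }
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] state = "session-state".getBytes();   // constructed sample state
        // Both contexts start at 0, so a foreign ticket names a key that exists locally.
        System.out.println(new Ctx(0).accept(new Ctx(0).issue(state)));
        // Random start values: a foreign ticket almost certainly names an unknown key.
        System.out.println(new Ctx(RNG.nextInt()).accept(new Ctx(RNG.nextInt()).issue(state)));
    }
}
```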


