RFR: 8298381: Improve handling of session tickets for multiple SSLContexts

Volker Simonis simonis at openjdk.org
Fri Dec 23 11:56:58 UTC 2022 

On Thu, 22 Dec 2022 14:56:16 GMT, Volker Simonis <simonis at openjdk.org> wrote:

>>> The same example with the 1000 connections being opened alternatively on two different contexts will instead create 1000 `StatelessKey` instances:
>> 
>> That's obviously not the expected behaviors.  It is a good catch for the `static currentKeyID` issue.
>> 
>> What do you think to move `SSLContextImpl.keyHashMap` into `SSLSessionContextImpl`?  I would like to have SSLContextImpl focusing on configuration.
>
> Hi @XueleiFan, @ascarpino,
> 
> Thank you for your reviews and comments. I think I've addressed all of your suggestions in the latest version of the PR.
> 
> There's just one more thing I had to change. Now that I've moved all the logic to `SSLSessionContextImpl` I can't get a reference to `SSLContextImpl`s secure random instance any more when creating a new `StatelessKey`. For simplicity I've therefor decided to use the `KeyGenerator.init()` method which doesn't require an extra secure random instance. 
> 
> If you think that it is important that the `KeyGenerator` uses the same secure random instance like the corresponding `SSLContextImpl`, I can easily change `SSLSessionContextImpl::getKey()` to take a `SecureRandom` argument and pass `SSLContextImpl`s secure random instance down to  `SSLSessionContextImpl::getKey()` (and up to `StatelessKey::<init>`) when calling `getKey()` from `KeyState::getCurrentKey()`.
> 
> What do you think?

> @simonis, I don't think @XueleiFan and I are going to finish reviews by Friday. As Oracle has next week off, I suggest you update the copyrights to 2023 and we can integrate next year one all the comments have been resolved.

>From my understanding there hasn't been much left to resolve except using `HandshakeContext`s secure random for the key generation in `StatelessKey`  and some minor initialization improvements in `SSLSessionContextImpl` which I've just pushed both.

So if you'll find some time to approve the PR this year it'll be great. Otherwise, it will be easy to update the copyright years if that will be last issue :)

Thanks for your support and have a nice and peaceful end of year,
Volker

-------------

PR: https://git.openjdk.org/jdk/pull/11590

More information about the security-dev mailing list