JSSE: SSLEngine reporting HandshakeStatus.FINISHED, disabling NewSessionTicket

Ben Smyth subscriptions at bensmyth.com
Wed Jun 22 10:22:01 UTC 2022


On Tue, 24 May 2022 at 17:20, Ben Smyth wrote:

> Javadoc advises HandshakeStatus.FINISHED is reported when "a call to
> SSLEngine.wrap() / unwrap() ... finishes a handshake." As expected,
>
> * OpenJDK SSLEngine.wrap() reports HandshakeStatus.FINISHED on wrapping a
> client's (TLS) FINISHED message.
>
> By comparison, rather than report (server) handshake completion upon
> unwrapping a client's (TLS) FINISHED message,
>

Actually, (server) handshake completion *is* reported upon unwrapping a
client's FINISHED message, *but* only when the client's ClientHello message
omits extension psk_key_exchange_modes.


> Can production of NewSessionTicket be disabled?
>

Omitting extension psk_key_exchange_modes suppresses NewSessionTicket
production, but it doesn't seem possible to disable extension
psk_key_exchange_modes for OpenJDK ClientHello messages.
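
The behaviour described above turns on whether the ClientHello carries psk_key_exchange_modes. The following is an added example, not part of the original message and not OpenJDK code: a server-side diagnostic that inspects the inbound bytes for that extension before they are handed to SSLEngine.unwrap(). The class and method names are hypothetical, the extension type 45 is taken from RFC 8446, the ClientHello is assumed to fit in a single TLS record, and the sample bytes are constructed.

```java
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;

public class ClientHelloPeek {
    static final int PSK_KEY_EXCHANGE_MODES = 45; // extension type (RFC 8446)

    // True if the first record in net is a ClientHello carrying psk_key_exchange_modes.
    // Assumes an unfragmented ClientHello; the caller's buffer position is not moved.
    static boolean offersPskModes(ByteBuffer net) {
        ByteBuffer b = net.duplicate();
        try {
            if (b.get() != 22) return false;            // record type: handshake
            skip(b, 2);                                 // legacy_record_version
            int recLen = b.getShort() & 0xffff;
            if (recLen > b.remaining()) return false;   // record not fully received yet
            b.limit(b.position() + recLen);
            if (b.get() != 1) return false;             // handshake type: client_hello
            skip(b, 3 + 2 + 32);                        // length, legacy_version, random
            skip(b, b.get() & 0xff);                    // legacy_session_id
            skip(b, b.getShort() & 0xffff);             // cipher_suites
            skip(b, b.get() & 0xff);                    // legacy_compression_methods
            if (b.remaining() < 2) return false;        // no extensions block
            skip(b, 2);                                 // extensions length
            while (b.remaining() >= 4) {
                int type = b.getShort() & 0xffff, len = b.getShort() & 0xffff;
                if (type == PSK_KEY_EXCHANGE_MODES) return true;
                skip(b, len);
            }
            return false;
        } catch (BufferUnderflowException | IllegalArgumentException e) {
            return false;                               // truncated or malformed input
        }
    }

    static void skip(ByteBuffer b, int n) { b.position(b.position() + n); }
    // Constructed sample: minimal ClientHello with one cipher suite and the given extensions.
    static ByteBuffer sample(byte[] exts) {
        int body = 43 + exts.length;                    // fixed fields + extensions
        ByteBuffer b = ByteBuffer.allocate(9 + body);   // record + handshake headers
        b.put((byte) 22).putShort((short) 0x0301).putShort((short) (4 + body));
        b.put((byte) 1).put((byte) 0).putShort((short) body);      // uint24 length
        b.putShort((short) 0x0303).put(new byte[32]).put((byte) 0);
        b.putShort((short) 2).putShort((short) 0x1301).put((byte) 1).put((byte) 0);
        b.putShort((short) exts.length).put(exts);
        return (ByteBuffer) b.flip();
    }

    public static void main(String[] args) {
        System.out.println(offersPskModes(sample(new byte[] {0, 45, 0, 2, 1, 1})));    // modes: psk_dhe_ke
        System.out.println(offersPskModes(sample(new byte[] {0, 43, 0, 3, 2, 3, 4}))); // supported_versions only
    }
}
```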

More information about the security-dev mailing list