Interested in TLS Ticket Requests
xueleifan(XueleiFan)
xueleifan at tencent.com
Mon May 2 15:31:50 UTC 2022
Hi,
A new standard, RFC 9149 TLS Ticket Requests, was published in April 2022. Is anyone interested in having it implemented in the JDK?
As described in RFC 8446/TLS 1.3, TLS servers vend clients an arbitrary number of session tickets for session resumption. However, the number may not be what clients desire. For security reasons, a session ticket can be used only one time. If the client-desired number and the server-supplied number do not match, the performance impact could be significant.
Currently, in the JDK, the server vends only one session ticket for each handshake. However, clients can open parallel TLS connections to the same server for HTTP, or they can race TLS connections across different network interfaces. In such circumstances, one session ticket is hardly good for TLS connection performance. But, without an explicit desired number requested from the client, it is hard to know what the best number of session tickets is that the server should vend to clients. The issues could be addressed with RFC 9149, TLS Ticket Requests.
Are you interested in having the TLS Ticket Requests feature in the JDK? Please let me know your ideas and concerns.
Thanks,
Xuelei