JSSE: SSLEngine reporting HandshakeStatus.FINISHED, disabling NewSessionTicket

[Ben Smyth]

TL;DR: Why does a client report HandshakeStatus.FINISHED twice? Can
production of NewSessionTicket be disabled?


A client (respectively server) becomes ready to encrypt application data
upon completing their side of handshaking: "Once a side has sent its
Finished message and has received and validated the Finished message from
its peer, it may begin to send and receive Application Data over the
connection" (RFC8446); a client completes handshaking upon wrapping a
FINISHED message and a server completes upon unwrapping such a message.
(There's an exception for 0-RTT data, and another for a server operating
with reduced security.)

Javadoc advises HandshakeStatus.FINISHED is reported when "a call to
SSLEngine.wrap() / unwrap() ... finishes a handshake." As expected,

* OpenJDK SSLEngine.wrap() reports HandshakeStatus.FINISHED on wrapping a
client's (TLS) FINISHED message.

By comparison, rather than report (server) handshake completion upon
unwrapping a client's (TLS) FINISHED message, HandshakeStatus.NEED_WRAP is
reported, a NewSessionTicket is produced on wrapping and

* OpenJDK SSLEngine.wrap() reports HandshakeStatus.FINISHED on wrapping a
server's (TLS) NewSessionTicket message.

Upon receipt of which,

* OpenJDK SSLEngine.unwrap() reports HandshakeStatus.FINISHED on unwrapping
a server's (TLS) NewSessionTicket message.

What does finishing a handshake mean in SSLEngine parlance? (I don't
understand why a client should report finishing twice.) Can production of
NewSessionTicket be disabled?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20220524/bd534297/attachment.htm>