RFR: 8328608: Multiple NewSessionTicket support for TLS
John Jiang
jjiang at openjdk.org
Tue Jun 18 08:21:22 UTC 2024
On Wed, 29 May 2024 18:53:55 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
> Hi
>
> This change is to improve TLS 1.3 session resumption by allowing a TLS server to send more than one resumption ticket per connection and clients to store more. Resumption is a quick way to use an existing TLS session to establish another session by avoiding the long TLS full handshake process. In TLS 1.2 and below, clients can repeatedly resume a session by using the session ID from an established connection. In TLS 1.3, a one-time "resumption ticket" is sent by the server after the TLS connection has been established. The server may send multiple resumption tickets to help clients that rapidly resume connections. If the client does not have another resumption ticket, it must go through the full TLS handshake again. The current implementation in JDK 23 and below only sends and stores one resumption ticket.
>
> The number of resumption tickets a server can send should be configurable by the application developer or administrator. [RFC 8446](https://www.rfc-editor.org/rfc/rfc8446) does not specify a default value. A system property called `jdk.tls.server.newSessionTicketCount` allows the user to change the number of resumption tickets sent by the server. If this property is not set or given an invalid value, the default value of 3 is used. Further details are in the CSR.
>
> A large portion of the changeset is on the client side by changing the caching system used by TLS. It creates a new `CacheEntry<>` type called `QueueCacheEntry<>` that will store multiple values for a Map entry.
src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java line 369:
> 367: if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
> 368: SSLLogger.fine("No session ticket produced: " +
> 369: "session timeout");
Here `session timeout` may be confusing.
It looks like it indicates the session has timed out.
`T12NewSessionTicketProducer::produce` uses `Session timeout is too long. No ticket sent`.
Could this log also use these wordings?
src/java.base/share/classes/sun/security/util/Cache.java line 310:
> 308: * method.
> 309: */
> 310:
Could this blank line be removed?
src/java.base/share/classes/sun/security/util/Cache.java line 340:
> 338: }
> 339: }
> 340:
Could this blank line be removed?
src/java.base/share/classes/sun/security/util/Cache.java line 353:
> 351: * Scan all entries and remove all expired ones.
> 352: */
> 353:
Could this blank line be removed?
test/jdk/sun/security/ssl/SSLSessionImpl/MultiNSTClient.java line 34:
> 32: * @run main/othervm MultiNSTClient -Djdk.tls.client.protocols=TLSv1.3 -Djdk.tls.server.enableSessionTicketExtension=false -Djdk.tls.client.enableSessionTicketExtension=false
> 33: * @run main/othervm MultiNSTClient -Djdk.tls.client.protocols=TLSv1.2 -Djdk.tls.server.enableSessionTicketExtension=true -Djdk.tls.client.enableSessionTicketExtension=true
> 34: * @summary Verifies multiple session tickets are PSKs are used by JSSE
Typically the `@run` lines should be the last part.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643986123
PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643988261
PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643988678
PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643988984
PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1644028812