Disable new session tickets sent during successful session resumption?

Raveena Kushwah raveenakushwah83 at gmail.com
Tue Jun 24 04:12:24 UTC 2025


Hi All

This is the first time that I'm asking a question here; please let me
know if any other details are required.

We have an application which sends a request to a Tomcat server using
HTTPS. With the TLS 1.2 protocol being used, session tickets are supported
at the client end; the server is Tomcat, which internally uses JSSE, and we
are using JDK 17.

During the first handshake, it's observed that the handshake is successful,
with a new session ticket being sent by the server at the end of the handshake.

The client stores the session ticket and sends it back to the server in the
ClientHello, which is accepted by the server, and with debugging it's
confirmed that the session is valid and moving ahead for resumption.

This is further confirmed by the server replying with the same session ID in
the ServerHello message that the client sent in the ClientHello message.

But it is observed that a new session ticket is sent back to the client in the next step.

After referring to RFC 5077, it was clear that after successful session
resumption, the server may send a new session ticket for more security (sent
by the Tomcat server using JSSE every time during session resumption).

I would like to ask if there is a way to disable this and only get a session
ticket once with the first handshake (or if the session is expired, invalid..)
and not when session validation is successful but a session ticket is still
being sent during session resumption?

Would be great if this question could be answered as this would help us a
lot with fixing our application issue 😊

Regards
Raveena
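
The server behaviour described in this message can be confirmed from the plaintext handshake messages of a TLS 1.2 capture. The following is an added example, not part of the original post and not JDK or Tomcat code: it classifies a server flight as resumed or not and reports whether a NewSessionTicket (RFC 5077) was sent. All function names and the sample bytes are constructed for illustration.

```python
import struct

SERVER_HELLO, NEW_SESSION_TICKET, CERTIFICATE = 2, 4, 11  # handshake types

def msg(mtype, body):
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def handshake_messages(buf):
    """Yield (type, body) for each plaintext handshake message in buf."""
    off = 0
    while off < len(buf):
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if off + 4 > len(buf) or len(body) != length:
            raise ValueError("truncated handshake message")
        yield buf[off], body
        off += 4 + length

def classify_server_flight(client_session_id, flight):
    """Report resumption and ticket issuance from the server's messages."""
    out = {"resumed": False, "ticket_sent": False, "lifetime_hint": None}
    server_sid, saw_cert = None, False
    for mtype, body in handshake_messages(flight):
        if mtype == SERVER_HELLO:
            # version(2) + random(32), then a length-prefixed session_id
            server_sid = body[35:35 + body[34]]
        elif mtype == CERTIFICATE:
            saw_cert = True  # only sent in a full handshake
        elif mtype == NEW_SESSION_TICKET:
            # RFC 5077: uint32 ticket_lifetime_hint; opaque ticket<0..2^16-1>
            lifetime, tlen = struct.unpack_from("!IH", body)
            if len(body) != 6 + tlen:
                raise ValueError("bad NewSessionTicket length")
            out["ticket_sent"], out["lifetime_hint"] = True, lifetime
    # Resumed: server echoed the client's session ID and skipped Certificate.
    out["resumed"] = (bool(client_session_id) and not saw_cert
                      and server_sid == client_session_id)
    return out

# Constructed sample matching the post: resumption plus a fresh ticket.
SID = bytes(range(32))
HELLO = msg(SERVER_HELLO, b"\x03\x03" + bytes(32) + bytes([32]) + SID
            + b"\xc0\x2f\x00"              # cipher suite, null compression
            + b"\x00\x04\x00\x23\x00\x00")  # empty SessionTicket extension
TICKET = msg(NEW_SESSION_TICKET, struct.pack("!IH", 86400, 4) + b"tkt2")

if __name__ == "__main__":
    print(classify_server_flight(SID, HELLO + TICKET))
```
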