Discard or clamp ticket lifetime?
Anthony Scarpino
anthony.scarpino at oracle.com
Mon Jun 30 21:51:53 UTC 2025
Hi Bernd,
This likely occurred when stateless ticket handling was introduced in JDK 13.
For your customer's situation, disabling stateless tickets by setting the system
property "jdk.tls.client.enableSessionTicketExtension" to false may cause the
server to store the session and allow resumption to operate like JDK 11.
The TLS 1.2 ticket handling should be better about receiving a hint greater
than the max, instead of just rejecting it. I don't think the client should
be storing the ticket for MAX_INT, but storing it for the max of 7 days would
be fine with me. JDK-8361108.
Thanks,
Tony
On 6/30/25 7:45 AM, Bernd Eckenfels wrote:
> This OpenSSL ticket describes the same MAX_INT lifetime problem, and they seem to use clamping as well.
> I think the change and the exact condition are different (since it is a TLS 1.3 issue for them), but the observation that vsftpd is causing this will allow us to reproduce it. (I may report it to vsftpd as well.)
>
> https://github.com/openssl/openssl/issues/17948
>
> Regards
> Bernd
>
> Bernd Eckenfels wrote on 29. June 2025 15:27 (GMT +02:00):
>> We deal with a regression in JSSE regarding resumption tickets with high
>> lifetime.
>> In older versions with Java 11 the customer claimed a FTP Server was
>> reachable, with Java 21 the connections are rejected.
> …
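The discussion above is about what a TLS 1.2 client should do with a NewSessionTicket whose ticket_lifetime_hint is larger than the cap it is willing to cache for: discard the ticket, or clamp the hint to the cap. The following is an added example to illustrate that choice; it is not code from this thread and not JDK/JSSE code. It parses the RFC 5077 NewSessionTicket handshake message (section 3.3) and applies both policies to its lifetime hint. The 7-day cap (604800 seconds) is the value Tony suggests above; the sample message bytes, the `reject`/`clamp` naming and the handling of a zero hint (treated as "use the cap") are assumptions of this example.

```python
"""
Added example (not from the thread, not JDK/JSSE code): parse a TLS 1.2
NewSessionTicket handshake message (RFC 5077 section 3.3) and apply the two
policies discussed above to its ticket_lifetime_hint: discard the ticket
when the hint exceeds a cap, or clamp the hint to the cap.
"""
import struct

# HandshakeType.new_session_ticket (RFC 5077 section 3.3)
HANDSHAKE_NEW_SESSION_TICKET = 4
# 7-day cap proposed in the thread; an assumption of this example, not a JDK constant
MAX_TICKET_LIFETIME = 7 * 24 * 60 * 60  # 604800 s


def parse_new_session_ticket(msg: bytes):
    """Return (ticket_lifetime_hint, ticket) from a raw handshake message:
       HandshakeType(1) | length(3) | ticket_lifetime_hint(4) | ticket<0..2^16-1>."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    msg_type = msg[0]
    body_len = int.from_bytes(msg[1:4], "big")
    if msg_type != HANDSHAKE_NEW_SESSION_TICKET:
        raise ValueError(f"not a NewSessionTicket (handshake type {msg_type})")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 6:
        raise ValueError("handshake body length mismatch")
    lifetime_hint, ticket_len = struct.unpack("!IH", body[:6])
    ticket = body[6:6 + ticket_len]
    if len(ticket) != ticket_len or 6 + ticket_len != body_len:
        raise ValueError("ticket length mismatch")
    return lifetime_hint, ticket


def effective_lifetime(lifetime_hint: int, clamp: bool, cap: int = MAX_TICKET_LIFETIME):
    """Seconds to cache the ticket for, or None to discard it.
       clamp=False discards tickets whose hint exceeds the cap (the rejecting
       behaviour the thread describes); clamp=True caches them for the cap instead.
       RFC 5077 reserves a hint of 0 for 'lifetime unspecified'; using the cap
       for that case is an assumption of this example."""
    if lifetime_hint == 0:
        return cap
    if lifetime_hint > cap:
        return cap if clamp else None
    return lifetime_hint


def build_new_session_ticket(lifetime_hint: int, ticket: bytes) -> bytes:
    """Encode a NewSessionTicket message (server side of RFC 5077 section 3.3),
       used here only to construct sample input."""
    body = struct.pack("!IH", lifetime_hint, len(ticket)) + ticket
    return bytes([HANDSHAKE_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # Constructed sample: a server advertising a MAX_INT lifetime hint, the
    # condition the thread attributes to vsftpd. The ticket bytes are dummy data.
    msg = build_new_session_ticket(0x7FFFFFFF, b"\x00" * 32)
    hint, ticket = parse_new_session_ticket(msg)
    print("hint:", hint,
          "discard policy:", effective_lifetime(hint, clamp=False),
          "clamp policy:", effective_lifetime(hint, clamp=True))
```

With the discard policy the MAX_INT sample yields `None` (no resumption at all, which is the behaviour Bernd's customer observed as rejected connections); with the clamp policy the same ticket is cached for 604800 seconds and resumption works. The parser length checks matter in their own right: the 3-byte handshake length, the 2-byte ticket length and the body length must agree before the hint is trusted.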