RFR: 8357033: Reduce stateless session ticket size [v2]
Daniel Jeliński
djelinski at openjdk.org
Tue May 20 19:07:50 UTC 2025
On Tue, 20 May 2025 17:14:06 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 324:
>>
>>> 322: b = Record.getBytes8(buf);
>>> 323: if (b.length > 0) {
>>> 324: String alg = new String(b);
>>
>> Please remove the algorithm names from the session ticket. They were not used, and I don't see any reason to start using them now.
>
> Hm.. they are being specified everywhere else in SSL code. So I guess we should pass an empty string to `SecretKeySpec` constructor then?
Before this PR we used a hardcoded algorithm name "TlsMasterSecret" for both the PSK and the master secret. I think we can keep it.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2098676859
More information about the security-dev
mailing list