RFR: 8357033: Reduce stateless session ticket size [v11]
Daniel Jeliński
djelinski at openjdk.org
Fri May 23 18:00:54 UTC 2025
On Fri, 23 May 2025 15:54:59 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> test/jdk/sun/security/ssl/SSLSessionImpl/ResumeChecksServer.java line 227:
>>
>>> 225: // algorithm to constraints so local certificates
>>> 226: // can't be restored from the session ticket.
>>> 227: params.setAlgorithmConstraints(
>>
>> Isn't this a repeat of the SIGNATURE_SCHEME test above?
>
> Hi Daniel!
>
> 1. You can see that I've modified `ResumeChecksServer` SIGNATURE_SCHEME case to block signature scheme names specifically, not algorithm names like before. This test case was created for [this check](https://github.com/openjdk/jdk/blob/48df41b6997cfe2c8aa3bc46ea25eff01f615d31/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java#L468) which was done as part of [JDK-8206929](https://bugs.openjdk.org/browse/JDK-8206929) and that's the reason I've kept `localSupportedSignAlgs` in the session ticket.
> 2. About LOCAL_CERTS case I've added: it blocks initial session's certificate signature algorithm specifically so it's not returned with the new possession when we restore the session. You can comment out all the other cases from ResumeChecksServerStateless.java and run just LOCAL_CERTS case with `-Djavax.net.debug=ssl` option and observe `Local certificates can not be restored` message in the logs. I also ran this test under debugger to confirm things.
Thanks for the explanation!
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2105178575
More information about the security-dev
mailing list