RFR: 8357033: Reduce stateless session ticket size [v13]
Bradford Wetmore
wetmore at openjdk.org
Thu May 29 00:47:54 UTC 2025
On Tue, 27 May 2025 14:00:07 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> The stateless session ticket is included in the ClientHello message, either in the stateless_ticket extension (pre-TLS1.3), or in the pre_shared_key extension (TLS1.3). With the current construction, the ticket is often the largest contributor to the ClientHello message size. For example, in HttpClient tests we observed a case where a non-resumption ClientHello occupied 360 bytes, and the session ticket (pre_shared_key identity) included in a resumption ClientHello occupied 1600+ bytes.
>>
>> ClientHello messages that do not fit in a single packet on the network can greatly increase the handshake time on lossy networks. Ideally we would like the ClientHello message to always fit in a single packet.
>>
>> When using QUIC as the underlying protocol, one packet can hold approximately 1100 byte payload. Getting the session ticket size below 700 bytes should be sufficient to make the ClientHello fit in a single packet
>>
>> Things done in this PR to reduce the ticket size in order of importance:
>>
>> 1. Remove local certificates.
>> 2. Compress tickets with the size 600 bytes or larger.
>> 3. Remove `peerSupportedSignAlgs`.
>> 4. Remove `pskIdentity`
>> 5. PreSharedKey is only needed by TLSv1.3, masterSecret is only needed by pre-TLSv1.3
>> 6. Remove `statusResponses`
>>
>> Tickets with a chain of 2 RSA peer certificates are still above 700 bytes (about 1KB), but they are significantly reduced from prior size of about 3KB.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Update comments. Optimize imports.
A few minor suggested nits.
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 289:
> 287: * < length in bytes> Peer certificate
> 288: * < 1 byte > Number of Local Certificate entries
> 289: * < 1 byte > Local Certificate algorithm length
Can we add a minor doc note here to say these fields are repeated for each cert (local/peer)?
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 326:
> 324: }
> 325:
> 326: this.useExtendedMasterSecret = false;
This is probably not needed, but ok to stay.
If you like this style, then you could explicitly add the default `this.preSharedKey = null` for the TLSv1.3+ case around line 340.
test/jdk/sun/security/ssl/SSLSessionImpl/ResumeChecksServer.java line 107:
> 105:
> 106: switch (testMode) {
> 107: case BASIC:
Minor nit, Oracle Code Style is (was?) to keep case at the same level as the switch. I noticed this was updated in all the different cases here.
If you're using IJ, you'll need to set the Settings->Editor->Code Style->Java->switch statement/expression->Indent case branches
test/jdk/sun/security/ssl/SSLSessionImpl/ResumeChecksServer.java line 177:
> 175:
> 176: switch (mode) {
> 177: case BASIC:
Same indentation issue here.
-------------
PR Review: https://git.openjdk.org/jdk/pull/25310#pullrequestreview-2872621088
PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2110223363
PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2112802016
PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2112970553
PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2112970801
More information about the security-dev
mailing list