RFR: 8357033: Reduce stateless session ticket size [v14]

Artur Barashev abarashev at openjdk.org
Thu May 29 20:31:14 UTC 2025 

> The stateless session ticket is included in the ClientHello message, either in the stateless_ticket extension (pre-TLS1.3), or in the pre_shared_key extension (TLS1.3). With the current construction, the ticket is often the largest contributor to the ClientHello message size. For example, in HttpClient tests we observed a case where a non-resumption ClientHello occupied 360 bytes, and the session ticket (pre_shared_key identity) included in a resumption ClientHello occupied 1600+ bytes.
> 
> ClientHello messages that do not fit in a single packet on the network can greatly increase the handshake time on lossy networks. Ideally we would like the ClientHello message to always fit in a single packet.
> 
> When using QUIC as the underlying protocol, one packet can hold approximately 1100 byte payload. Getting the session ticket size below 700 bytes should be sufficient to make the ClientHello fit in a single packet
> 
> Things done in this PR to reduce the ticket size in order of importance:
> 
> 1. Remove local certificates.
> 2. Compress tickets with the size 600 bytes or larger.
> 3. Remove `peerSupportedSignAlgs`.
> 4. Remove `pskIdentity`
> 5. PreSharedKey is only needed by TLSv1.3, masterSecret is only needed by pre-TLSv1.3
> 6. Remove `statusResponses`
> 
> Tickets with a chain of 2 RSA peer certificates are still above 700 bytes (about 1KB), but they are significantly reduced from prior size of about 3KB.

Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 22 additional commits since the last revision:

 - Merge branch 'openjdk:master' into JDK-8357033
 - Restore unit test indentation. Update comments.
 - Update comments. Optimize imports.
 - Remove unused imports
 - Adding a unit test check for certificates
 - Make sure we got the exact same cert chain.
 - Assume "createPossession" can return more certificates than in the session ticket
 - Unit test: add required module
 - Unit test nit: restore original check
 - Add a unit test. Don't break on checksum mismatch, we may get all the certificates in the end.
 - ... and 12 more: https://git.openjdk.org/jdk/compare/aeeba727...6d813458

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/25310/files
  - new: https://git.openjdk.org/jdk/pull/25310/files/0f745465..6d813458

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=25310&range=13
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=25310&range=12-13

  Stats: 96296 lines in 1519 files changed: 62461 ins; 25982 del; 7853 mod
  Patch: https://git.openjdk.org/jdk/pull/25310.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/25310/head:pull/25310

PR: https://git.openjdk.org/jdk/pull/25310

More information about the security-dev mailing list