RFR: 8368514: TLS stateless session ticket decryption fails on some providers
Valerie Peng
valeriep at openjdk.org
Wed Sep 24 18:55:46 UTC 2025
On Wed, 24 Sep 2025 08:08:11 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> Please review this trivial patch that fixes stateless session resumption with JCE providers that require extra space for AES/GCM decryption.
>
> I modified the existing FipsModeTLS12 test to additionally verify that session resumption works. The TLS 1.3 test resumes the session using a stateless ticket; the TLS 1.2 test uses stateful sessions, because stateless ticket creation fails for other reasons.
>
> Tier1-3 tests continue to pass.
Generally looks ok, just a minor comment.
src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java line 282:
> 280:
> 281: ByteBuffer out = ByteBuffer.allocate(
> 282: c.getOutputSize(data.remaining()));
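Review bot: On lines 281-282, `out` is now sized from `c.getOutputSize(data.remaining())`, which is an upper bound and can be larger than the decrypted ticket, so the code that reads `out` after the decrypt call should rely on the byte count returned by `doFinal` or on `out.flip()` rather than on the buffer's capacity or its backing array length. If that is already the case, a one-line comment here saying the buffer may be over-allocated would make the intent clear.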
Add a comment recommending use of the getOutputSize() output for the buffer size. Maybe include this bug id for future reference.
-------------
PR Review: https://git.openjdk.org/jdk/pull/27463#pullrequestreview-3264249497
PR Review Comment: https://git.openjdk.org/jdk/pull/27463#discussion_r2376759921
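
The buffer-sizing pattern discussed in this thread, as an added example that is not part of the original message and is not the JDK's SessionTicketExtension code: AES/GCM decryption into a ByteBuffer sized with Cipher.getOutputSize(), reading back only the bytes actually written. The class name, key, IV, AAD and sample plaintext are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class GcmOutputSizeDemo {
    static final int TAG_BITS = 128;

    // Decrypt into a buffer sized by the provider instead of by a
    // hand-computed "ciphertext length minus tag length".
    static byte[] decrypt(SecretKey key, byte[] iv, byte[] aad, ByteBuffer data)
            throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        // getOutputSize() is an upper bound: a provider may ask for more
        // room than the plaintext finally occupies.
        ByteBuffer out = ByteBuffer.allocate(c.getOutputSize(data.remaining()));
        c.doFinal(data, out);   // AEADBadTagException if the tag does not verify
        out.flip();             // limit now marks the bytes actually written
        byte[] plain = new byte[out.remaining()];
        out.get(plain);
        return plain;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key, IV, AAD and plaintext; nothing here is a real ticket.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] aad = "constructed-key-name".getBytes(StandardCharsets.UTF_8);
        byte[] state = "constructed session state".getBytes(StandardCharsets.UTF_8);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        enc.updateAAD(aad);
        byte[] sealed = enc.doFinal(state);   // ciphertext followed by the tag

        byte[] back = decrypt(key, iv, aad, ByteBuffer.wrap(sealed));
        if (!Arrays.equals(state, back)) throw new AssertionError("round trip failed");
        System.out.println(back.length + " plaintext bytes from " + sealed.length + " sealed bytes");
    }
}
```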