JSSE reference guide issue
Sean Mullan
sean.mullan at oracle.com
Thu Mar 25 20:05:57 UTC 2021
> I've been reading the JSSE reference guide and noticed that in section
> "Resuming Session Without Server-Side State"
> (https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
> it says "This feature is not enabled by default", which appears to be
> a leftover from Java 13.
That was fixed in the JDK 16 docs:
https://docs.oracle.com/en/java/javase/16/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810
I have forwarded your other suggestions for improvements to our docs writer.
Thanks,
Sean
On 3/24/21 7:38 AM, raell at web.de wrote:
> Concerning the question:
>
>> Also the note about TLS 1.3 in the same section isn't entirely clear
>> to me. What does it mean when the docs say "the contents of stateless
>> tickets, in particular, the contents of a NewSessionTicket message,
>> depend on the value of jdk.tls.server.enableSessionTicketExtension"?
>
> In TLS 1.3, if stateless session resumption is in use (i.e.
> jdk.tls.server.enableSessionTicketExtension=true) the NewSessionTicket message
> includes all session information (in encrypted format). If session resumption is
> stateful (i.e. jdk.tls.server.enableSessionTicketExtension=false), the
> NewSessionTicket message just contains a key that is used by the server during session
> resumption in order to access the session information from its session cache.
>
>> why should I care?
>
> The point is: In TLS 1.3 the resumption mode (stateful/stateless) can be configured
> by the property jdk.tls.server.enableSessionTicketExtension (though there is no
> SessionTicketExtension extension in TLS 1.3). But in JDK 14 or later,
> there is usually no need to change the default (=stateless).
>
> Regards,
>
> Ralph
>
>
>
> Sent: Friday, 05 February 2021 at 08:42
> From: "Daniel Jeliński" <djelinski1 at gmail.com>
> To: security-dev at openjdk.java.net
> Subject: JSSE reference guide issue
> Hi all,
> What's the right spot to report documentation issues?
>
> I've been reading the JSSE reference guide and noticed that in section
> "Resuming Session Without Server-Side State"
> (https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
> it says "This feature is not enabled by default", which appears to be
> a leftover from Java 13.
>
> Also the note about TLS 1.3 in the same section isn't entirely clear
> to me. What does it mean when the docs say "the contents of stateless
> tickets, in particular, the contents of a NewSessionTicket message,
> depend on the value of jdk.tls.server.enableSessionTicketExtension"?
> How exactly do the contents change and why should I care?
> Regards,
> Daniel
>