Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8213577

Update the default SSL session cache size to 20480

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 12
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The update is about performance tuning, the compatibility impact should be minimal,
    • Scope:
      JDK

      Backports

        Description

        Summary

        Update the default value for the maximum number of entries in the SSL session cache (SSLSessionContext.getSessionCacheSize()).

        Problem

        The default value for the maximum number of entries in the SSL session cache (SSLSessionContext.getSessionCacheSize()) is infinite, and the entry timeout is 24 hours. With larger heaps, applications are running into situations where the cache ends up with several million entries at the 24 hour mark, at which time many of them are invalidated at almost the same time, which can result in multi-minute pauses, which are effectively service failures.

        However, no matter what the default value is, it will not fit perfectly in all situations.

        Solution

        Update to use a default maximum session cache size other than infinite in JDK.

        Specification

        1. Update the SunJSSE provider to use 20480 as the default session cache size for SSLSessionContext.
        2. Update the javax.net.ssl.SSLSessionContext specification with more clarification.

               /**
                * Sets the timeout limit for <code>SSLSession</code> objects grouped
                * under this <code>SSLSessionContext</code>.
                * <p>
                * If the timeout limit is set to 't' seconds, a session exceeds the
                * timeout limit 't' seconds after its creation time.
                * When the timeout limit is exceeded for a session, the
                * <code>SSLSession</code> object is invalidated and future connections
                * cannot resume or rejoin the session.
                * A check for sessions exceeding the timeout is made immediately whenever
                * the timeout limit is changed for this <code>SSLSessionContext</code>.
          +     *
          +     * @apiNote Note that the JDK Implementation uses default values for both
          +     *          the session cache size and timeout.  See
          +     *          {@code getSessionCacheSize} and {@code getSessionTimeout} for
          +     *          more information.  Applications should consider their
          +     *          performance requirements and override the defaults if necessary.
          +     *
                * @param seconds the new session timeout limit in seconds; zero means
                *          there is no limit.
                *
                * @exception IllegalArgumentException if the timeout specified is {@code < 0}.
                * @see #getSessionTimeout
                */
               public void setSessionTimeout(int seconds)
                       throws IllegalArgumentException;
          
               /**
                * Returns the timeout limit of <code>SSLSession</code> objects grouped
                * under this <code>SSLSessionContext</code>.
                * <p>
                * If the timeout limit is set to 't' seconds, a session exceeds the
                * timeout limit 't' seconds after its creation time.
                * When the timeout limit is exceeded for a session, the
                * <code>SSLSession</code> object is invalidated and future connections
                * cannot resume or rejoin the session.
                * A check for sessions exceeding the timeout limit is made immediately
                * whenever the timeout limit is changed for this
                * <code>SSLSessionContext</code>.
          +     *
          +     * @implNote The JDK implementation returns the session timeout as set by
          +     *           the {@code setSessionTimeout} method, or if not set, a default
          +     *           value of 86400 seconds (24 hours). 
          +     *
                * @return the session timeout limit in seconds; zero means there is no
                *         limit.
                *
                * @see #setSessionTimeout
                */
               public int getSessionTimeout();
          
               /**
                * Sets the size of the cache used for storing
                * <code>SSLSession</code> objects grouped under this
                * <code>SSLSessionContext</code>.
          +     *
          +     * @apiNote Note that the JDK Implementation uses default values for both
          +     *          the session cache size and timeout.  See
          +     *          {@code getSessionCacheSize} and {@code getSessionTimeout} for
          +     *          more information.  Applications should consider their
          +     *          performance requirements and override the defaults if necessary.
                *
                * @param size the new session cache size limit; zero means there is no
                * limit.
                * @exception IllegalArgumentException if the specified size is {@code < 0}.
                * @see #getSessionCacheSize
                */
               public void setSessionCacheSize(int size)
                    throws IllegalArgumentException;
          
               /**
                * Returns the size of the cache used for storing
                * <code>SSLSession</code> objects grouped under this
                * <code>SSLSessionContext</code>.
          +     *
          +     * @implNote The JDK implementation returns the cache size as set by
          +     *           the {@code setSessionCacheSize method}, or if not set, the
          +     *           value of the {@systemProperty javax.net.ssl.sessionCacheSize}
          +     *           system property.  If neither is set, it returns a default
          +     *           value of 20480.
                *
                * @return size of the session cache; zero means there is no size limit.
                * @see #setSessionCacheSize
                */
               public int getSessionCacheSize();

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  xuelei Xue-Lei Fan
                  Reporter:
                  phh Paul Hohensee
                  Reviewed By:
                  Jamil Nimeh
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: