Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8223922

Session Resumption without Server-Side State

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      This is enabled by default. If any incompatibilities with the Session Ticket Extension occur, these properties can be disabled. Interop testing shows no problems.
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Summary

      Support stateless session resumption (RFC 5077 and RFC 8446) in the JDK TLS implementation.

      Problem

      Currently, in the JDK TLS implementation, the server caches the session resumption data for each clients. The cache could hurt the performance in various aspects: memory, garbage collection, synchronization and load balance.

      Solution:

      For TLS 1.2 and prior versions, RFC 5077 defines a TLS extension, SessionTicket, for session resumption without server side state. Support for this TLS extension will be added to the SunJSSE provider.

      For TLS 1.3, RFC 8446 defines a mechanism for stateless session resumption. This mechanism will be implemented in the SunJSSE provider.

      Specification:

      Support the SessionTicket extension for TLS 1.2 and prior versions, and the stateless session resumption for TLS 1.3. There are no public APIs changes. Almost all of changes are contained within the JDK internal SunJSSE provider code.

      The following two System properties will be added, just in case of any compatibility issues if a peer cannot handle the SessionTicket extension properly, or applications don't want the extension:

      jdk.tls.client.enableSessionTicketExtension is used on the TLS 1.2 and prior versions client side to toggle the Session Ticket Extension on the ClientHello message. Property value: "true" sends the extension (default value), "false" does not.

      jdk.tls.server.enableSessionTicketExtension enables a TLS 1.2 and prior versions server to use stateless session tickets if the client supports it. Client's that do not support stateless session tickets will use the cache. Property value: "true" enables stateless (default value), "false" does not.

      For TLS 1.3, stateless tickets use the existing PSK resumption extension in (RFC 8446), which require no properties or settings.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ascarpino Anthony Scarpino
                Reporter:
                xuelei Xue-Lei Fan
                Reviewed By:
                Xue-Lei Fan
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: