Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8227530

Session Resumption without Server-Side State off by default

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      No risk in going back
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Summary

      Change the default system properties for Session Resumption without Server-Side State to false. This sets it off by default.

      Problem

      Concerns over SSLSession API consistency for sessions that the server no longer stores. Because the stateless resumption keeps no state some of the methods of getting information about the session are no longer available. For example SSLSession.invalidate() has no mechanism to invalidate the session from resumption because there is no state kept on the server. It was initially decided that this was ok, but recently decided that the server needs a mechanism to know to invalidate the session. Additionally the RFCs state TLS session IDs can be different for resuming sessions in a stateless environment. The SSLSession.getId() returns a session identifier. There is disagreement if this method should be returning a session identifier that is consistent across resumed session that have a different TLS session ID, or if it should return the TLS session ID. The method's API doc is ambiguous. Some time soaking in 14 may help give us that answer. Some of the context that is in SSLContext does not have the same level of data, such as getting all the session id's in the servers side cache that is now blank in stateless mode. In this situation, we are unlikely to provide any extra data, but some time as an opt-in option and soak time in 14 would be good feedback.

      Solution

      Set default value for properties to false. it's better to resolve some of these issues with the stateless disabled and give users a release to test our their products as jdk14 this will be enabled by default.

      Specification

      +++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java   Wed Jul 10 07:38:22 2019 -0700
      @@ -234,13 +234,13 @@
               // Property for Session Cache state
               if (server) {
                   st = GetPropertyAction.privilegedGetProperty(
      -                        "jdk.tls.server.enableSessionTicketExtension", "true");
      +                        "jdk.tls.server.enableSessionTicketExtension", "false");
                   } else {
                       st = GetPropertyAction.privilegedGetProperty(
      -                        "jdk.tls.client.enableSessionTicketExtension", "true");
      +                        "jdk.tls.client.enableSessionTicketExtension", "false");

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ascarpino Anthony Scarpino
                Reporter:
                ascarpino Anthony Scarpino
                Reviewed By:
                Xue-Lei Fan
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: