JDK-8046298 : Configurable to ignore session resumption
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2014-06-09
  • Updated: 2019-01-15
  • Version: Other
  • Release: tbd (Unresolved)
Description
It would be nice if the server side could be configured to ignore session resumption and always perform a full handshake.

Section 3.6, Session Resumption, NIST SP 800-52 Rev. 1:
------------------------------------------------------------------------------
Typical server implementations are agreeable to resuming a previous session. This is a secure mode of operation, as the master secret is known only to the client and server, and is coupled with the initial client authentication, if client authentication was required. However, if there is a requirement to authenticate each client as it initiates a connection session, the server shall be configured to ignore requests to resume a session, and generate a new session ID, which forces the entire handshake procedure (including client authentication) to proceed.
Comments
Assigning to myself on behalf of mbalao@redhat.com; a patch is in preparation.
05-06-2017

One workaround is to use SSLSessionContext.setSessionTimeout(1).
12-05-2016
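The following is an added example, not code from the JDK or from either commenter, showing how a server can apply the setSessionTimeout(1) workaround from the comment above and what it does not cover. SSLSessionContext.setSessionTimeout takes seconds, so a client that reconnects within the same second can still find its session in the server cache; the example therefore also calls SSLSession.invalidate() after each handshake, which per the javax.net.ssl API prevents future connections from resuming or joining that session. It assumes a PKCS12 keystore "server.p12" (password "changeit") holding the server key and the CA that issued client certificates, and for the probe a "client.p12" with a client key and the server CA; both file names and the password are assumptions. The server is pinned to TLSv1.2 because the session-ID comparison used to detect an abbreviated handshake is only meaningful for TLS 1.2 session-ID resumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not JDK code.  A TLS server that refuses session resumption so
 * every connection runs a full handshake, including client authentication.
 * Assumed files: "server.p12" (server key + client CA) and "client.p12" (client
 * key + server CA), both protected by the assumed password "changeit".
 */
public class NoResumptionServer {

    private static final char[] PASSWORD = "changeit".toCharArray(); // assumption

    /** Builds an SSLContext from one PKCS12 file used for both key and trust material. */
    static SSLContext contextFrom(String keystorePath) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1 && args[0].equals("probe")) { probe(); return; }

        SSLContext ctx = contextFrom("server.p12");
        // Workaround from the comment on this issue: server-side cached sessions
        // expire after one second.  The unit is seconds, so a client reconnecting
        // within the same second could still resume; invalidate() below closes that gap.
        SSLSessionContext serverSessions = ctx.getServerSessionContext();
        serverSessions.setSessionTimeout(1);

        Set<String> seenIds = Collections.synchronizedSet(new HashSet<>());
        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true);  // the NIST requirement: re-authenticate every client
            // Session-ID comparison below only detects TLS 1.2 session-ID resumption.
            server.setEnabledProtocols(new String[] {"TLSv1.2"});
            while (true) {
                try (SSLSocket socket = (SSLSocket) server.accept()) {
                    socket.startHandshake();
                    SSLSession session = socket.getSession();
                    String id = hex(session.getId());
                    // A session ID seen before means the handshake was abbreviated (resumed).
                    boolean resumed = !seenIds.add(id);
                    System.out.printf("client=%s session=%s resumed=%b%n",
                            session.getPeerPrincipal().getName(), id, resumed);
                    // Future connections can no longer resume or join this session.
                    session.invalidate();
                }
            }
        }
    }

    /** Connects twice with one client context; a server that allowed resumption would reuse the session. */
    static void probe() throws Exception {
        SSLContext ctx = contextFrom("client.p12");
        for (int i = 0; i < 2; i++) {
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", 8443)) {
                s.setEnabledProtocols(new String[] {"TLSv1.2"});
                s.startHandshake();
                System.out.println("probe " + i + " session=" + hex(s.getSession().getId()));
            }
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Run the server with no arguments, then `java NoResumptionServer probe` from another shell: the server should log resumed=false for both probe connections and the probe should print two different session IDs, whereas a server that omits both the timeout and the invalidate() call would normally report the second connection as resumed. Neither step is the configuration switch this RFE asks for; they are per-context and per-socket measures that a deployment has to remember to apply everywhere.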