Bug ID: JDK-8211018 Session Resumption without Server-Side State

JDK-8211018 : Session Resumption without Server-Side State

Type: Enhancement
Component: security-libs
Sub-Component: javax.net.ssl

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2018-09-21
Updated: 2024-05-01
Resolved: 2019-06-11

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 13	JDK 14
13 b25Fixed	14Fixed

Related Reports

CSR :	JDK-8223922 - Session Resumption without Server-Side State
Duplicate :	JDK-8211017 - Support TLS 1.3 session resumption without server-side state
Duplicate :	JDK-8134497 - Add TLS support for RFC 5077 Session Ticket
Relates :	JDK-8280158 - New test from JDK-8274736 failed with/without patch in JDK11u
Relates :	JDK-8298381 - Improve handling of session tickets for multiple SSLContexts
Relates :	JDK-8236624 - Document the jdk.tls.client.enableSessionTicketExtension, jdk.tls.server.enableSessionTicketExtension and jdk.tls.server.sessionTicketTimeout system properties
Relates :	JDK-8226244 - Load balance requests across servers
Relates :	JDK-8215933 - TLS Session Resumption loses track of SSLSession values
Relates :	JDK-8225678 - sun/security/pkcs11/tls/tls12/FipsModeTLS12.java fails due to SSLProtocolException
Relates :	JDK-8227530 - Session Resumption without Server-Side State off by default
Relates :	JDK-8229149 - SSLSession.getId() always returns the TLS record session id
Relates :	JDK-8228396 - Re-enable Stateless Resumption On by default for merge to mainline
Relates :	JDK-8227551 - Session Resumption without Server-Side State off by default
Relates :	JDK-8226649 - NullPointerException (boundValues) in SSLSessionImpl methods since JDK-8211018
Relates :	JDK-8277307 - Pre shared key sent under both session_ticket and pre_shared_key extensions
Relates :	JDK-8229148 - SSLSession.invalidate() should not be implicitly required

Sub Tasks

JDK-8227105 :

Release Note: Session Resumption without Server-Side State in JSSE - Closed

Description

The server stateless session resumption specification is defined in RFC 5077 for TLS 1.2 and before, by making use of the SessionTicket extension.  This extension has been widely supported by the major TLS vendors, like OpenSSL, GnuTLS, NSS, and Microsoft, and browsers like Firefox and Google Chrome.

TLS 1.3 RFC includes new stateless resumption

Session cache management is becoming a performance and scalability bottleneck.

Comments

URL: http://hg.openjdk.java.net/jdk/jdk/rev/c2398053ee90 User: ascarpino Date: 2019-06-11 23:32:54 +0000

11-06-2019