JDK-8286433 : Cache certificates decoded from TLS session tickets
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 17,19
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2022-05-09
  • Updated: 2025-05-16
  • Resolved: 2022-05-12
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 19
19 b23Fixed
Related Reports
Relates :  
JDK-8357033 - Reduce stateless session ticket size
Description
When a TLS server resumes a session from a stateless session ticket, it reads the local and the peer certificate chains from the ticket, creating unique X509CertImpl objects for every resumed session.

The same local certificates are usually used across many resumed connections. Reusing the same certificate objects instead of generating new ones every time will reduce the amount of memory needed to resume a TLS session.
Comments
There are a couple other places in the JDK that instantiate X509CertImpl objects directly that could probably take advantage of this improvement: - sun/security/provider/certpath/OCSPResponse.java - sun/security/pkcs/PKCS7.java The impact is probably not as significant as for this fix. But noting here for future reference as something to look into.
13-05-2022
Changeset: 96d48f38 Author: Daniel JeliƄski <djelinski@openjdk.org> Date: 2022-05-12 06:48:38 +0000 URL: https://git.openjdk.java.net/jdk/commit/96d48f386b59096c6d1c88c142037c44db5ccacf
12-05-2022
A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/8608 Date: 2022-05-09 19:38:36 +0000
09-05-2022