On Wed, 29 May 2024 18:53:55 GMT, Anthony Scarpino <ascarp...@openjdk.org> wrote:
> Hi > > This change is to improve TLS 1.3 session resumption by allowing a TLS server > to send more than one resumption ticket per connection and clients to store > more. Resumption is a quick way to use an existing TLS session to establish > another session by avoiding the long TLS full handshake process. In TLS 1.2 > and below, clients can repeatedly resume a session by using the session ID > from an established connection. In TLS 1.3, a one-time "resumption ticket" > is sent by the server after the TLS connection has been established. The > server may send multiple resumption tickets to help clients that rapidly > resume connections. If the client does not have another resumption ticket, > it must go through the full TLS handshake again. The current implementation > in JDK 23 and below, only sends and store one resumption ticket. > > The number of resumption tickets a server can send should be configurable by > the application developer or administrator. [RFC > 8446](https://www.rfc-editor.org/rfc/rfc8446) does not specify a default > value. A system property called `jdk.tls.server.newSessionTicketCount` > allows the user to change the number of resumption tickets sent by the > server. If this property is not set or given an invalid value, the default > value of 3 is used. Further details are in the CSR. > > A large portion of the changeset is on the client side by changing the > caching system used by TLS. It creates a new `CacheEntry<>` type called > `QueueCacheEntry<>` that will store multiple values for a Map entry. src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java line 369: > 367: if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { > 368: SSLLogger.fine("No session ticket produced: " + > 369: "session timeout"); Here `session timeout` may be confused. It looks indicate the session has timed out. `T12NewSessionTicketProducer::produce` uses `Session timeout is too long. No ticket sent`. Could this log also use these wordings? src/java.base/share/classes/sun/security/util/Cache.java line 310: > 308: * method. > 309: */ > 310: Could this blank line be removed? src/java.base/share/classes/sun/security/util/Cache.java line 340: > 338: } > 339: } > 340: Could this blank line be removed? src/java.base/share/classes/sun/security/util/Cache.java line 353: > 351: * Scan all entries and remove all expired ones. > 352: */ > 353: Could this blank line be removed? test/jdk/sun/security/ssl/SSLSessionImpl/MultiNSTClient.java line 34: > 32: * @run main/othervm MultiNSTClient -Djdk.tls.client.protocols=TLSv1.3 > -Djdk.tls.server.enableSessionTicketExtension=false > -Djdk.tls.client.enableSessionTicketExtension=false > 33: * @run main/othervm MultiNSTClient -Djdk.tls.client.protocols=TLSv1.2 > -Djdk.tls.server.enableSessionTicketExtension=true > -Djdk.tls.client.enableSessionTicketExtension=true > 34: * @summary Verifies multiple session tickets are PSKs are used by JSSE Typically the`@run` lines should be the last part. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643986123 PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643988261 PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643988678 PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1643988984 PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1644028812
