On Tue, 18 Jun 2024 07:41:06 GMT, John Jiang <jji...@openjdk.org> wrote:
>> Hi >> >> This change is to improve TLS 1.3 session resumption by allowing a TLS >> server to send more than one resumption ticket per connection and clients to >> store more. Resumption is a quick way to use an existing TLS session to >> establish another session by avoiding the long TLS full handshake process. >> In TLS 1.2 and below, clients can repeatedly resume a session by using the >> session ID from an established connection. In TLS 1.3, a one-time >> "resumption ticket" is sent by the server after the TLS connection has been >> established. The server may send multiple resumption tickets to help >> clients that rapidly resume connections. If the client does not have >> another resumption ticket, it must go through the full TLS handshake again. >> The current implementation in JDK 23 and below, only sends and store one >> resumption ticket. >> >> The number of resumption tickets a server can send should be configurable by >> the application developer or administrator. [RFC >> 8446](https://www.rfc-editor.org/rfc/rfc8446) does not specify a default >> value. A system property called `jdk.tls.server.newSessionTicketCount` >> allows the user to change the number of resumption tickets sent by the >> server. If this property is not set or given an invalid value, the default >> value of 3 is used. Further details are in the CSR. >> >> A large portion of the changeset is on the client side by changing the >> caching system used by TLS. It creates a new `CacheEntry<>` type called >> `QueueCacheEntry<>` that will store multiple values for a Map entry. > > src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java line 369: > >> 367: if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { >> 368: SSLLogger.fine("No session ticket produced: " + >> 369: "session timeout"); > > Here `session timeout` may be confused. > It looks indicate the session has timed out. > > `T12NewSessionTicketProducer::produce` uses `Session timeout is too long. No > ticket sent`. > Could this log also use these wordings? All the T13 log messages use the same format. I agree it is different from the T12 log messages, but it helps distinguish the failures for different protocols. Thought saying "session timed out" is probably better ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/19465#discussion_r1645234984
