On Mon, 19 May 2025 15:13:26 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> Bradford Wetmore has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> Updated copyright dates.
>
> src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1623:
>
>> 1621: } finally {
>> 1622: KeyUtil.destroySecretKeys(derivedSecret);
>> 1623: }
>
> The `derivedSecret` is destroyed and cleared. How about
> `exporterMasterSecret`? Shall we also destroy it perhaps when the session is
> invalidated or closed?
In RFC 8446/Section 7.1, the "derived" secret and "Master Secret" are temporary
variables used to derive the application secrets, the exporter_master_secret,
and the resumption_master_secret. These variables are long-lived and don't
need to be cleared like these two.
When we invalidate a session, that simply marks the session as unresumable, and
doesn't destroy the session for active connections. We don't "close" sessions.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2096432034
