On Wed, 21 May 2025 00:18:14 GMT, Artur Barashev <abaras...@openjdk.org> wrote:

>> The stateless session ticket is included in the ClientHello message, either 
>> in the stateless_ticket extension (pre-TLS1.3), or in the pre_shared_key 
>> extension (TLS1.3). With the current construction, the ticket is often the 
>> largest contributor to the ClientHello message size. For example, in 
>> HttpClient tests we observed a case where a non-resumption ClientHello 
>> occupied 360 bytes, and the session ticket (pre_shared_key identity) 
>> included in a resumption ClientHello occupied 1600+ bytes.
>> 
>> ClientHello messages that do not fit in a single packet on the network can 
>> greatly increase the handshake time on lossy networks. Ideally we would like 
>> the ClientHello message to always fit in a single packet.
>> 
>> When using QUIC as the underlying protocol, one packet can hold 
>> approximately 1100 byte payload. Getting the session ticket size below 700 
>> bytes should be sufficient to make the ClientHello fit in a single packet.
>> 
>> Things done in this PR to reduce the ticket size in order of importance:
>> 
>> 1. Remove local certificates.
>> 2. Compress tickets with the size 600 bytes or larger.
>> 3. Remove `peerSupportedSignAlgs`.
>> 4. Remove `pskIdentity`
>> 5. PreSharedKey is only needed by TLSv1.3, masterSecret is only needed by 
>> pre-TLSv1.3
>> 6. Remove `statusResponses`
>> 
>> Tickets with a chain of 2 RSA peer certificates are still above 700 bytes 
>> (about 1KB), but they are significantly reduced from the prior size of about 3KB.
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   encrypt() should return an empty byte array on failure

src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java line 
304:

> 302:         private static byte[] compress(byte[] input) throws IOException {
> 303:             ByteArrayOutputStream baos = new ByteArrayOutputStream();
> 304:             GZIPOutputStream gos = new GZIPOutputStream(baos);

you lost the try-with-resources in your last push; please bring it back.

src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java line 
323:

> 321:             input.get(bytes);
> 322: 
> 323:             GZIPInputStream gis = new GZIPInputStream(

same here, please restore the try-with-resources

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2099495293
PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2099496947
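The review above asks for try-with-resources around the GZIP streams used to shrink session tickets. The following is an added illustration, not code from the PR or from the JDK: it shows the compress/decompress pair written with try-with-resources and what goes wrong when the GZIPOutputStream is never closed (the gzip trailer is missing and decompression fails). The 600-byte threshold is the one stated in the PR description; class and method names are assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class TicketCompressionDemo {
    // Threshold from the PR description: tickets of 600 bytes or more get compressed.
    static final int COMPRESS_THRESHOLD = 600;

    // try-with-resources: close() finishes the deflater and writes the gzip
    // trailer before toByteArray() is read; leaking the stream truncates output.
    static byte[] compress(byte[] input) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (GZIPOutputStream gos = new GZIPOutputStream(baos)) {
            gos.write(input);
        }
        return baos.toByteArray();
    }

    static byte[] decompress(byte[] input) throws IOException {
        try (GZIPInputStream gis = new GZIPInputStream(new ByteArrayInputStream(input))) {
            return gis.readAllBytes();
        }
    }

    // Hypothetical helper: only pay the compression cost for large tickets.
    static byte[] encodeForTicket(byte[] plain) throws IOException {
        return plain.length >= COMPRESS_THRESHOLD ? compress(plain) : plain;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for serialized session state (certificate chains
        // contain repetitive DER structure and compress well).
        byte[] ticket = new byte[1000];
        for (int i = 0; i < ticket.length; i++) ticket[i] = (byte) (i % 37);
        byte[] packed = encodeForTicket(ticket);
        System.out.println("plain=" + ticket.length + " compressed=" + packed.length);
        if (!Arrays.equals(ticket, decompress(packed))) throw new AssertionError("round trip");

        // The defect the review points at: stream written but never closed.
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        GZIPOutputStream leaked = new GZIPOutputStream(baos);
        leaked.write(ticket);                 // no close(), no trailer written
        try {
            decompress(baos.toByteArray());   // throws: unexpected end of stream
        } catch (IOException e) {
            System.out.println("truncated gzip rejected: " + e);
        }
    }
}
```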
