Hi Raveena,
> On Jun 23, 2025, at 10:35 AM, Raveena Kushwah <raveenakushwa...@gmail.com> > wrote: > > Hi All > > This is first time that I'm asking a question here, please let me > know if any other details required. > > We are having an application which sents a request to tomcat server using > https. With tls1. 2 protocol being used, session tickets are supported at > client end, server is tomcat which internally uses JSSE and we are using jdk > 17. > > During first handshake, it's observed that handshake is successful with new > session ticket being sent by server at end of handshake. > > The client stores the session ticket and sends it back to the server in the > client Hello which is accepted by server and with debugging it's confirmed > that the session is valid and moving ahead for resumption. > > This is further confirmed with server replying back with same session id in > serverHello message which client has sended in clientHello message. > > but observed that new session ticket is sent back to client in next step. > > Post referring to RFC 5077, it was cleared that post successful session > resumption, server may send new session ticket for more security (sent with > tomcat server using JSSE everytime during session resumption) . > > I would like to ask if there is a way to disable this and only get session > ticket once with first handshake (or if session expired, invalid..) and not > when session validation is successful but still session ticket is being sent > during session resumption? The behavior you were seeing is expected and compliant according to RFC 5077. Session tickets are either ON or OFF globally and configured by the system property “jdk.tls.server.enableSessionTicketExtension” . Once it is enabled, there isn’t a way to prevent NewSessionTicket from being sent after successful session resumption. > > Would be great if this question could be answered as this would help us a lot > with fixing our application issue 😊 > > Regards > Raveena Regards, Hai-May
