Hello,

Some time ago I filed an issue on bugreport (https://bugs.openjdk.java.net/browse/JDK-8277881) about the issue where Java does not fill the SessionID field in the ClientHello message when resuming a TLS 1.3 session.

The SessionID field is not required by TLS 1.3; its resumption mechanism relies on PSKs. The field was only added in "middlebox compatibility mode" to fool network devices that are not aware of TLS 1.3 and expect a 2RTT handshake unless SessionID is present. Java runs in compatibility mode by default, and sends a non-empty SessionID on the initial handshake. However, if a TLS 1.3 session is established during the initial connection, subsequent handshakes send an empty SessionID.

Our customer reported an issue where our Java application was unable to reliably establish a connection to a customer-provided server. When we examined a tcpdump of a successful and a failed connection, the only difference was in the SessionID field. Indeed, when we run the application with jdk.tls.client.useCompatibilityMode set to false, all connection attempts fail.

In https://github.com/openjdk/jdk/pull/6583 I propose a patch to set a non-empty SessionID in TLS 1.3 ClientHello when running in compatibility mode, even when resuming a TLS 1.3 session.

Let me know if there's anything else I can do to get the issue fixed.

Regards,
Daniel
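
A check that could be run over ClientHello records pulled from a capture like the tcpdump comparison described above, flagging a TLS 1.3 PSK resumption attempt that carries an empty legacy_session_id. This is an added example, not code from the original message or from the JDK; the function names and sample bytes are constructed, and it assumes one complete, unfragmented ClientHello per TLS record.

```python
import struct

EXT_PRE_SHARED_KEY = 41      # RFC 8446 pre_shared_key
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions

def inspect_client_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                   # legacy_version + random
        sid_len = body[pos]                            # legacy_session_id length
        pos += 1 + sid_len
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                           # legacy_compression_methods
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        if ext_end > len(body):
            raise ValueError("extensions overrun the ClientHello body")
        pos += 2
        offers_tls13 = has_psk = False
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                versions = data[1:1 + data[0]]         # list of 2-byte versions
                offers_tls13 = b"\x03\x04" in [versions[i:i + 2] for i in range(0, len(versions), 2)]
            elif ext_type == EXT_PRE_SHARED_KEY:
                has_psk = True                         # client is attempting resumption
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return {"session_id_len": sid_len, "offers_tls13": offers_tls13, "has_psk": has_psk,
            "psk_without_session_id": offers_tls13 and has_psk and sid_len == 0}

def build_client_hello(session_id: bytes, with_psk: bool) -> bytes:
    """Constructed sample ClientHello; random and PSK contents are placeholders."""
    def ext(ext_type, data): return struct.pack("!HH", ext_type, len(data)) + data
    exts = ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")
    if with_psk:
        exts += ext(EXT_PRE_SHARED_KEY, b"\x00" * 8)   # opaque filler, not a valid PSK offer
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```
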