On 12/16/19 12:02 PM, ra...@web.de wrote:
Dear all,
in Java 13 the new System properties
jdk.tls.client.enableSessionTicketExtension and
jdk.tls.server.enableSessionTicketExtension were introduced. In TLS 1.2 and
prior these properties support stateful session resumption according to RFC
5077.
In TLS 1.3, however, there is no SessionTicketExtension and it isn't clear from the description [1] what impact jdk.tls.server.enableSessionTicketExtension has in case of a TLS 1.3 connection.
Question 1: Does a Java server perform on a TLS 1.3 connection a stateless resp. stateful session resumption, if
jdk.tls.server.enableSessionTicketExtension is set to true resp. false?
Yes
Question 2: Does the content of the NewSessionTicket message in TLS 1.3 depend on the value of jdk.tls.server.enableSessionTicketExtension?
Yes
Tony
Question 2 has been shortly discussed on the mailing list [2], but I couldn't figure out what the final answer was.
[1]: https://bugs.openjdk.java.net/browse/JDK-8227105
[2]: http://mail.openjdk.java.net/pipermail/security-dev/2019-July/020358.html
Best regards,
Ralph