Hi Daniel, 

I agree that the doc is a bit misleading. Maybe, the TLS 1.2 part can be put 
into the note: 

----------------------
jdk.tls.server.enableSessionTicketExtension: Enables a server to use stateless 
session 
tickets. A value of true (default value) enables the use of stateless session 
tickets, 
false does not.

Note: In TLS 1.2 stateless session tickets will be used only if they are 
supported by the client.
---------------------

Regards 

Ralph 
 
 

Gesendet: Mittwoch, 24. März 2021 um 16:29 Uhr
Von: "Daniel Jeliński" <djelins...@gmail.com>
An: ra...@web.de
Cc: security-dev@openjdk.java.net
Betreff: Re: JSSE reference guide issue
Thanks Ralph. I figured that out already. However, the docs are
(still) a bit misleading here. Let me quote:

> For TLS 1.3, stateless tickets use the existing PSK resumption extension. 
> Therefore, session resumption **without server-site** state doesn't require 
> these two properties. However, the contents of **stateless** tickets, in 
> particular, the contents of a NewSessionTicket message, depend on the value 
> of jdk.tls.server.enableSessionTicketExtension.
(emphasis mine)

The server can use PSK for either stateful or stateless tickets, and
the choice is solely at the server's discretion, the client has no
choice here. However, the paragraph above suggests that we will not
have any server side state even with
jdk.tls.server.enableSessionTicketExtension=false, and that the
property will only change the stateless session ticket contents in
some unspecified way. I think we should use different wording here.
Regards,
Daniel

śr., 24 mar 2021 o 12:38 <ra...@web.de> napisał(a):
>
> Concerning the question:
>
> >Also the note about TLS 1.3 in the same section isn't entirely clear
> to me. What does it mean when the docs say "the contents of stateless
> >tickets, in particular, the contents of a NewSessionTicket message,
> >depend on the value of jdk.tls.server.enableSessionTicketExtension"?
>
> In TLS 1.3, if stateless session resumption is in use (i.e.
> jdk.tls.server.enableSessionTicketExtension=true) the NewSessionTicket message
> includes all session information (in encrypted format). If session resumption 
> is
> stateful (i.e. jdk.tls.server.enableSessionTicketExtension=false), the
> NewSessionTicket message just contains a key that is used by the server 
> during session
> resumption in order to access the session information from its session cache.
>
> >why should I care?
>
> The point is: In TLS 1.3 the resumption mode (stateful/stateless) can be 
> configured
> by the property jdk.tls.server.enableSessionTicketExtension (though there is 
> no
> SessionTicketExtension extension in TLS 1.3). But in JDK 14 or later,
> there is usually no need to change the default (=stateless).
>
> Regards,
>
> Ralph
>
>
>
> Gesendet: Freitag, 05. Februar 2021 um 08:42 Uhr
> Von: "Daniel Jeliński" <djelins...@gmail.com>
> An: security-dev@openjdk.java.net
> Betreff: JSSE reference guide issue
> Hi all,
> What's the right spot to report documentation issues?
>
> I've been reading the JSSE reference guide and noticed that in section
> "Resuming Session Without Server-Side State"
> (https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
> it says "This feature is not enabled by default", which appears to be
> a leftover from Java 13.
>
> Also the note about TLS 1.3 in the same section isn't entirely clear
> to me. What does it mean when the docs say "the contents of stateless
> tickets, in particular, the contents of a NewSessionTicket message,
> depend on the value of jdk.tls.server.enableSessionTicketExtension"?
> How exactly does the contents change and why should I care?
> Regards,
> Daniel

Reply via email to