> I've been reading the JSSE reference guide and noticed that in section
> "Resuming Session Without Server-Side State"
> (https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
> it says "This feature is not enabled by default", which appears to be
> a leftover from Java 13.

That was fixed in the JDK 16 docs:

https://docs.oracle.com/en/java/javase/16/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810

I have forwarded your other suggestions for improvements to our docs writer.

Thanks,
Sean

On 3/24/21 7:38 AM, ra...@web.de wrote:
Concerning the question:

Also the note about TLS 1.3 in the same section isn't entirely clear
to me. What does it mean when the docs say "the contents of stateless
tickets, in particular, the contents of a NewSessionTicket message,
depend on the value of jdk.tls.server.enableSessionTicketExtension"?

In TLS 1.3, if stateless session resumption is in use (i.e.
jdk.tls.server.enableSessionTicketExtension=true) the NewSessionTicket message
includes all session information (in encrypted format). If session resumption is
stateful (i.e. jdk.tls.server.enableSessionTicketExtension=false), the
NewSessionTicket message just contains a key that is used by the server during
session resumption in order to access the session information from its session cache.

why should I care?

The point is: In TLS 1.3 the resumption mode (stateful/stateless) can be configured
by the property jdk.tls.server.enableSessionTicketExtension (though there is no
SessionTicketExtension extension in TLS 1.3). But in JDK 14 or later,
there is usually no need to change the default (=stateless).
Regards,

Ralph
Sent: Friday, 05 February 2021 at 08:42
From: "Daniel Jeliński" <djelins...@gmail.com>
To: security-dev@openjdk.java.net
Subject: JSSE reference guide issue
Hi all,
What's the right spot to report documentation issues?

I've been reading the JSSE reference guide and noticed that in section
"Resuming Session Without Server-Side State"
(https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810)
it says "This feature is not enabled by default", which appears to be
a leftover from Java 13.

Also the note about TLS 1.3 in the same section isn't entirely clear
to me. What does it mean when the docs say "the contents of stateless
tickets, in particular, the contents of a NewSessionTicket message,
depend on the value of jdk.tls.server.enableSessionTicketExtension"?
How exactly does the contents change and why should I care?
Regards,
Daniel
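
The two resumption modes described in the reply above, sketched as an added illustration that is not part of the original thread and is not JSSE code. The class name `TicketModes`, the sample session string and the `IV || AES-GCM` ticket layout are assumptions made for the example; the real NewSessionTicket contents are defined by the JDK, not by this model.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

// Conceptual model only: names and ticket layout are assumptions, not JSSE internals.
public class TicketModes {
    static final SecureRandom RNG = new SecureRandom();
    static byte[] rand(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    final Map<String, String> cache = new HashMap<>();       // server-side state (stateful mode)
    final SecretKey key = new SecretKeySpec(rand(32), "AES"); // ticket key (stateless mode)

    // Stateful: the ticket is only a random lookup key; the session stays in the cache.
    byte[] issueStateful(String session) {
        byte[] id = rand(32);
        cache.put(Base64.getEncoder().encodeToString(id), session);
        return id;
    }
    String resumeStateful(byte[] ticket) { // null once the cache entry is gone
        return cache.get(Base64.getEncoder().encodeToString(ticket));
    }
    // Stateless: the ticket is IV || AES-GCM(session); nothing is stored on the server.
    byte[] issueStateless(String session) throws Exception {
        byte[] iv = rand(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(session.getBytes(StandardCharsets.UTF_8));
        byte[] ticket = new byte[12 + ct.length];
        System.arraycopy(iv, 0, ticket, 0, 12);
        System.arraycopy(ct, 0, ticket, 12, ct.length);
        return ticket;
    }
    String resumeStateless(byte[] t) throws Exception { // throws if the ticket was altered
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, t, 0, 12));
        return new String(c.doFinal(t, 12, t.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] a) throws Exception {
        TicketModes srv = new TicketModes();
        String session = "suite=TLS_AES_128_GCM_SHA256;psk=<constructed>"; // constructed sample
        byte[] sf = srv.issueStateful(session), sl = srv.issueStateless(session);
        System.out.println("ticket bytes: stateful=" + sf.length + " stateless=" + sl.length);
        srv.cache.clear(); // models cache eviction or a request landing on another node
        System.out.println("stateful after cache loss:  " + srv.resumeStateful(sf));
        System.out.println("stateless after cache loss: " + srv.resumeStateless(sl));
    }
}
```

In this model the stateless ticket still resumes after the cache is cleared, so the ticket-protection key becomes the secret to guard and rotate, while the stateful ticket is useless without the server's cache entry.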
