On Wed, 24 Sep 2025 08:08:11 GMT, Daniel Jeliński <[email protected]> wrote:
> Please review this trivial patch that fixes stateless session resumption with
> JCE providers that require extra space for AES/GCM decryption.
>
> I modified the existing FipsModeTLS12 test to additionally verify that
> session resumption works. The TLS 1.3 test resumes the session using a
> stateless ticket; the TLS 1.2 test uses stateful sessions, because stateless
> ticket creation fails for other reasons.
>
> Tier1-3 tests continue to pass.

test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java line 35:

> 33: * @run main/othervm/timeout=120 -Djdk.tls.client.protocols=TLSv1.2
> 34: * -Djdk.tls.useExtendedMasterSecret=false
> 35: * -Djdk.tls.client.enableSessionTicketExtension=false FipsModeTLS12

Why do we need to set `jdk.tls.client.enableSessionTicketExtension` to false?

test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java line 282:

> 280: SSLEngine clientSSLEngine = engineToTest[0];
> 281: SSLEngine serverSSLEngine = engineToTest[1];
> 282: // Check that session resumption works

I would put more details in this comment about what exactly we are testing here: stateless session ticket decryption using the most preferred currently installed provider - NSS.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27463#discussion_r2376211880
PR Review Comment: https://git.openjdk.org/jdk/pull/27463#discussion_r2376204562
