On 5/24/19 6:44 AM, Xuelei Fan wrote:
jdk.tls.server.sessionTicketTimeout:
Could we use the SSLSessionContext.getSessionTimeout() value for ticket
session timeout?
The property is meant to complement the API. getSessionTimeout() will
return the value of the property if it is set.
I think this is the best choice because we can't assume the servers
allow a user to change the timeout. For example in testing, if we don't
have a property, the test has to be hardcoded for particular times.
I thought using the same timeout for both the cache and the stateless
sessions made the most sense.
jdk.tls.server.statelessKeyTimeout:
We may extend to use an external key and key rotation to improve
scalability. I was wondering if it is possible to remove the property
by using an implicit key usage limit (as the TLS 1.3 key usage limit,
uncustomizable) rather than a timeout?
--- cut-n-paste from the other thread---
The spec says the keys need to be rotated regularly. Of course
"regularly" is up for interpretation. If a usage limit is implemented
and the server is not frequently used, it's possible to have the same
key used for the entire span of the session timeout. I don't feel that
is often enough.
-----
Thanks,
Xuelei
On 5/21/2019 4:24 PM, Anthony Scarpino wrote:
Hi All,
Please review the CSR for the stateless Server Side
https://bugs.openjdk.java.net/browse/JDK-8223922
thanks
Tony