Dear all,
in Java 13 the new System properties jdk.tls.client.enableSessionTicketExtension and jdk.tls.server.enableSessionTicketExtension were introduced. In TLS 1.2 and prior these properties support stateful session resumption according to RFC 5077. In TLS 1.3, however, there is no SessionTicketExtension and it isn't clear from the description [1] what impact jdk.tls.server.enableSessionTicketExtension has in case of a TLS 1.3 connection. Question 1: Does a Java server perform on a TLS 1.3 connection a stateless resp. stateful session resumption, if jdk.tls.server.enableSessionTicketExtension is set to true resp. false? Question 2: Does the content of the NewSessionTicket message in TLS 1.3 depend on the value of jdk.tls.server.enableSessionTicketExtension? Question 2 has been shortly discussed on the mailing list [2], but I couldn't figure out what the final answer was. [1]: https://bugs.openjdk.java.net/browse/JDK-8227105 [2]: http://mail.openjdk.java.net/pipermail/security-dev/2019-July/020358.html Best regards, Ralph
