Hi,
That's an interesting idea. I don't think a method in SSLSession would
be the right place for such a method, maybe SSLContext given it's a
server side operation affecting many sessions. If we do enhance the API
for stateless operations, that would be a reasonable addition.
Thanks for the input
Tony
On 6/15/20 6:43 PM, Bernd Eckenfels wrote:
Hello,
The change seems reasonable, but should there maybe a method to refresh
temporary keys used for those session tokens - I.e. "invalidate all" and
link to that so specific implementations are encourages to offer such an
API.
Gruss
Bernd
--
http://bernd.eckenfels.net
------------------------------------------------------------------------
*Von:* security-dev <security-dev-boun...@openjdk.java.net> im Auftrag
von Anthony Scarpino <anthony.scarp...@oracle.com>
*Gesendet:* Tuesday, June 16, 2020 2:42:32 AM
*An:* OpenJDK Security <security-dev@openjdk.java.net>
*Betreff:* Re: [RFR] 8229148: SSLSession.invalidate() does not
invalidate stateless tickets
The specifications for TLS 1.3 (RFC 8446) and Stateless Resumption for
TLS 1.2 (RFC 5077) does not define session invalidation. Additionally,
RFC 5077 provides research that it is unnecessary. This change is to
clarify that session invalidation method in the Java API, in
javax.net.ssl.SSLSession.invalidate(), may not be supported in some
circumstances.
The CSR is: https://bugs.openjdk.java.net/browse/JDK-8243678
The webrev is inline:
src/java.base/share/classes/javax/net/ssl/SSLSession.java
@@ -129,6 +129,12 @@
* using this session can continue to use the session until the
* connection is closed.
*
+ * @apiNote
+ * This operation is optional as the implementation may not support
+ * session invalidation. This could occur with implementations of
+ * Stateless Resumption (RFC 5077) and/or TLS 1.3 (RFC 8446) which
+ * do not specify session invalidation.
+ *
* @see #isValid()
*/
public void invalidate();
