Concerning the question: >Also the note about TLS 1.3 in the same section isn't entirely clear to me. What does it mean when the docs say "the contents of stateless >tickets, in particular, the contents of a NewSessionTicket message, >depend on the value of jdk.tls.server.enableSessionTicketExtension"?
In TLS 1.3, if stateless session resumption is in use (i.e. jdk.tls.server.enableSessionTicketExtension=true) the NewSessionTicket message includes all session information (in encrypted format). If session resumption is stateful (i.e. jdk.tls.server.enableSessionTicketExtension=false), the NewSessionTicket message just contains a key that is used by the server during session resumption in order to access the session information from its session cache. >why should I care? The point is: In TLS 1.3 the resumption mode (stateful/stateless) can be configured by the property jdk.tls.server.enableSessionTicketExtension (though there is no SessionTicketExtension extension in TLS 1.3). But in JDK 14 or later, there is usually no need to change the default (=stateless). Regards, Ralph Gesendet: Freitag, 05. Februar 2021 um 08:42 Uhr Von: "Daniel Jeliński" <djelins...@gmail.com> An: security-dev@openjdk.java.net Betreff: JSSE reference guide issue Hi all, What's the right spot to report documentation issues? I've been reading the JSSE reference guide and noticed that in section "Resuming Session Without Server-Side State" (https://docs.oracle.com/en/java/javase/15/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-64D7EAF6-D2EE-4719-8616-25E2829CF810) it says "This feature is not enabled by default", which appears to be a leftover from Java 13. Also the note about TLS 1.3 in the same section isn't entirely clear to me. What does it mean when the docs say "the contents of stateless tickets, in particular, the contents of a NewSessionTicket message, depend on the value of jdk.tls.server.enableSessionTicketExtension"? How exactly does the contents change and why should I care? Regards, Daniel
