> The stateless session ticket is included in the ClientHello message, either 
> in the stateless_ticket extension (pre-TLS1.3), or in the pre_shared_key 
> extension (TLS1.3). With the current construction, the ticket is often the 
> largest contributor to the ClientHello message size. For example, in 
> HttpClient tests we observed a case where a non-resumption ClientHello 
> occupied 360 bytes, and the session ticket (pre_shared_key identity) included 
> in a resumption ClientHello occupied 1600+ bytes.
> 
> ClientHello messages that do not fit in a single packet on the network can 
> greatly increase the handshake time on lossy networks. Ideally we would like 
> the ClientHello message to always fit in a single packet.
> 
> When using QUIC as the underlying protocol, one packet can hold a payload of
> approximately 1100 bytes. Getting the session ticket size below 700 bytes
> should be sufficient to make the ClientHello fit in a single packet.
> 
> Things done in this PR to reduce the ticket size in order of importance:
> 
> 1. Remove local certificates.
> 2. Compress tickets with a size of 600 bytes or larger.
> 3. Remove `peerSupportedSignAlgs`.
> 4. Remove `pskIdentity`.
> 5. PreSharedKey is only needed by TLSv1.3, masterSecret is only needed by
> pre-TLSv1.3.
> 6. Remove `statusResponses`.
> 
> Tickets with a chain of 2 RSA peer certificates are still above 700 bytes 
> (about 1KB), but they are significantly reduced from the prior size of about 3KB.

Artur Barashev has updated the pull request with a new target base due to a 
merge or a rebase. The incremental webrev excludes the unrelated changes 
brought in by the merge/rebase. The pull request contains 22 additional commits 
since the last revision:

 - Merge branch 'openjdk:master' into JDK-8357033
 - Restore unit test indentation. Update comments.
 - Update comments. Optimize imports.
 - Remove unused imports
 - Adding a unit test check for certificates
 - Make sure we got the exact same cert chain.
 - Assume "createPossession" can return more certificates than in the session 
ticket
 - Unit test: add required module
 - Unit test nit: restore original check
 - Add a unit test. Don't break on checksum mismatch, we may get all the 
certificates in the end.
 - ... and 12 more: https://git.openjdk.org/jdk/compare/aeeba727...6d813458

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/25310/files
  - new: https://git.openjdk.org/jdk/pull/25310/files/0f745465..6d813458

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=25310&range=13
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=25310&range=12-13

  Stats: 96296 lines in 1519 files changed: 62461 ins; 25982 del; 7853 mod
  Patch: https://git.openjdk.org/jdk/pull/25310.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/25310/head:pull/25310

PR: https://git.openjdk.org/jdk/pull/25310
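
The size-threshold compression from item 2 of the description, sketched as an added example that is not code from the pull request or the JDK. The one-byte format marker, the use of DEFLATE, the `MAX_PLAIN` bound and the class name are assumptions; only the 600-byte threshold comes from the text above. The decoder inflates into a bounded buffer because the ticket arrives from the network inside the ClientHello.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import java.util.zip.*;
// Added illustration, not JDK code. The flag byte, DEFLATE and MAX_PLAIN are assumptions.
public class TicketCompressionSketch {
    static final int THRESHOLD = 600;        // from the PR text: compress at 600 bytes or larger
    static final int MAX_PLAIN = 16 * 1024;  // assumed upper bound on the inflated state
    static final byte RAW = 0, DEFLATED = 1; // assumed one-byte format marker
    // Issuer side: returns marker + body, which would then be encrypted into the ticket.
    static byte[] encode(byte[] state) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(DEFLATED);
        if (state.length >= THRESHOLD) {
            Deflater d = new Deflater(Deflater.BEST_COMPRESSION);
            d.setInput(state);
            d.finish();
            byte[] buf = new byte[512];
            while (!d.finished()) out.write(buf, 0, d.deflate(buf));
            d.end();
            if (out.size() - 1 < state.length) return out.toByteArray();
        }
        out.reset();                         // small or incompressible: store as-is
        out.write(RAW);
        out.write(state, 0, state.length);
        return out.toByteArray();
    }
    // Consumer side: inflate into a bounded buffer and reject malformed or oversized input.
    static byte[] decode(byte[] framed) throws DataFormatException {
        if (framed.length == 0 || (framed[0] != RAW && framed[0] != DEFLATED))
            throw new DataFormatException("missing or unknown format marker");
        if (framed[0] == RAW) return Arrays.copyOfRange(framed, 1, framed.length);
        Inflater inf = new Inflater();
        inf.setInput(framed, 1, framed.length - 1);
        byte[] buf = new byte[MAX_PLAIN + 1];
        int n = 0;
        while (!inf.finished() && n < buf.length) {
            int k = inf.inflate(buf, n, buf.length - n);
            if (k == 0 && !inf.finished()) break; // needs more input or a dictionary
            n += k;
        }
        boolean complete = inf.finished();
        inf.end();
        if (!complete || n > MAX_PLAIN) throw new DataFormatException("truncated or oversized");
        return Arrays.copyOf(buf, n);
    }
    public static void main(String[] args) throws DataFormatException {
        byte[] state = new byte[1600]; // constructed sample: zero-filled stand-in for session state
        System.out.println(encode(state).length + " bytes; round trip ok: " + Arrays.equals(state, decode(encode(state))));
    }
}
```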
