On Wed, 24 Sep 2025 15:34:55 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> Please review this trivial patch that fixes stateless session resumption >> with JCE providers that require extra space for AES/GCM decryption. >> >> I modified the existing FipsModeTLS12 test to additionally verify that >> session resumption works. The TLS 1.3 test resumes the session using a >> stateless ticket; the TLS 1.2 test uses stateful sessions, because stateless >> ticket creation fails for other reasons. >> >> Tier1-3 tests continue to pass. > > test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java line 282: > >> 280: SSLEngine clientSSLEngine = engineToTest[0]; >> 281: SSLEngine serverSSLEngine = engineToTest[1]; >> 282: // Check that session resumption works > > I would put more details in this comment about what exactly we are testing > here: stateless session ticket decryption using the most preferred currently > installed provider - NSS. well, thing is, we only check that the session resumption works. The TLS 1.2 case is testing the stateful resumption, the TLS 1.3 case is testing the stateless resumption, end to end. Stateless session ticket decryption just happens to be the only detail that needed to be fixed for the session resumption to work. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/27463#discussion_r2376303887
