Enabling session resumption


Enabling session resumption

Silvio Bierman
Hello all,

I run an embedded Jetty 9.4.20.v20190813 and would like to get TLS
session resumption working. I currently only support TLS 1.2/1.3 protocols.

Qualys SSL-test now says:

Session resumption (caching):    No (IDs assigned but not accepted)
Session resumption (tickets):    No

I tried sslContextFactory.setSessionCachingEnabled(true) but apparently
that is not sufficient. Can anyone enlighten me on this subject?

Kind regards,

Silvio

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Re: Enabling session resumption

Simone Bordet-3
Hi,

On Fri, Sep 20, 2019 at 2:31 PM Silvio Bierman
<[hidden email]> wrote:

>
> Hello all,
>
> I run an embedded Jetty 9.4.20.v20190813 and would like to get TLS
> session resumption working. I currently only support TLS 1.2/1.3 protocols.
>
> Qualys SSL-test now says:
>
> Session resumption (caching):    No (IDs assigned but not accepted)
> Session resumption (tickets):    No
>
> I tried sslContextFactory.setSessionCachingEnabled(true) but apparently
> that is not sufficient. Can anyone enlighten me on this subject?

I would not trust ssltest too much about this. For example it took
ages to ssllabs to say that sites were supporting TLS 1.3 (they said
no, but the sites were working *only* on TLS 1.3).

I believe that session resumption works fine, we have tests in Jetty etc.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: Enabling session resumption

Silvio Bierman
Thank you Simone,

I was aware of their less than up to date support for TLS1.3 which they
only recently stopped calling "experimental". It is quite disappointing
that their results are incorrect about this. We have been the subject of
quite some pen testing where ssltest is part of the analysis and their
results are taken as gospel. I will have to look into ways of providing
alternative evidence.



On 9/20/19 4:19 PM, Simone Bordet wrote:

> Hi,
>
> On Fri, Sep 20, 2019 at 2:31 PM Silvio Bierman
> <[hidden email]> wrote:
>> Hello all,
>>
>> I run an embedded Jetty 9.4.20.v20190813 and would like to get TLS
>> session resumption working. I currently only support TLS 1.2/1.3 protocols.
>>
>> Qualys SSL-test now says:
>>
>> Session resumption (caching):    No (IDs assigned but not accepted)
>> Session resumption (tickets):    No
>>
>> I tried sslContextFactory.setSessionCachingEnabled(true) but apparently
>> that is not sufficient. Can anyone enlighten me on this subject?
> I would not trust ssltest too much about this. For example it took
> ages to ssllabs to say that sites were supporting TLS 1.3 (they said
> no, but the sites were working *only* on TLS 1.3).
>
> I believe that session resumption works fine, we have tests in Jetty etc.
>


Re: Enabling session resumption

Simone Bordet-3
Hi,

On Mon, Sep 23, 2019 at 1:10 PM Silvio Bierman
<[hidden email]> wrote:
>
> Thank you Simone,
>
> I was aware of their less than up to date support for TLS1.3 which they
> only recently stopped calling "experimental". It is quite disappointing
> that their results are incorrect about this. We have been the subject of
> quite some pen testing where ssltest is part of the analysis and their
> results are taken as gospel. I will have to look into ways of providing
> alternative evidence.

Run with -Djavax.net.debug=all, you will see what the JDK TLS
implementation does, and they do print whether the session was
resumed.
Also, in Jetty, we do log in SslConnection whether the session was
resumed or not.

That should be enough to convince the pentesters.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
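As an added example (not from this thread or from Jetty's own code), the following Java client produces the "alternative evidence" discussed above from the client side: it opens two connections to the server through one SSLContext, so the second handshake can use the client's session cache, and compares what the JDK reports for the two sessions. It assumes the target host and port are given on the command line and that the server certificate is trusted by the default trust store; the creation-time comparison relies on JSSE copying the creation time into a resumed session (an assumption about JSSE internals, useful because TLS 1.3 resumption yields a fresh session id).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Two handshakes against the same server; report whether the second one was resumed. */
public class ResumptionCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost"; // hypothetical target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        // One SSLContext means one shared client-side session cache.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust material
        SSLSession first = handshake(ctx.getSocketFactory(), host, port);
        SSLSession second = handshake(ctx.getSocketFactory(), host, port);
        // TLS 1.2 id-based resumption keeps the id; TLS 1.3 PSK resumption
        // gets a new id but (assumption) keeps the original creation time.
        boolean sameId = Arrays.equals(first.getId(), second.getId());
        boolean sameCreation = first.getCreationTime() == second.getCreationTime();
        System.out.printf("1st: %s %s id=%s%n", first.getProtocol(), first.getCipherSuite(), hex(first.getId()));
        System.out.printf("2nd: %s %s id=%s%n", second.getProtocol(), second.getCipherSuite(), hex(second.getId()));
        System.out.println("second handshake looks resumed: " + (sameId || sameCreation));
    }

    static SSLSession handshake(SSLSocketFactory factory, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) factory.createSocket(host, port)) {
            s.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
            s.startHandshake();
            // In TLS 1.3 the NewSessionTicket is sent after the handshake, so a client
            // that closes right after startHandshake() never receives anything to cache.
            // Send a request and drain the response before returning.
            OutputStream out = s.getOutputStream();
            out.write(("HEAD / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();
            InputStream in = s.getInputStream();
            byte[] buf = new byte[4096];
            while (in.read(buf) != -1) { /* drain until the server closes */ }
            return s.getSession();
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Running it with -Djavax.net.debug=ssl:handshake (or =all, as suggested above) adds the JDK's own handshake trace, which states the resumption decision independently of this comparison.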

Re: Enabling session resumption

Lothar Kimmeringer


On 23.09.2019 at 15:13, Simone Bordet wrote:
> Run with -Djavax.net.debug=all, you will see what the JDK TLS
> implementation does, and they do print whether the session was
> resumed.
> Also, in Jetty, we do log in SslConnection whether the session was
> resumed or not.
>
> That should be enough to convince the pentesters.

It should be obvious in a Wireshark-trace as well which might be
more suitable as "proof" when shown to pen testers who I assume
are more "fluent" in Wireshark dumps than in reading javax.net-debug outputs.


Cheers, Lothar