Loading...

Details

Type: CSR
Resolution: Approved
Priority: P3
Fix Version/s: 12
Component/s: security-libs
Labels:
None

Subcomponent:
javax.net.ssl
Compatibility Kind:

behavioral
Compatibility Risk:
minimal
Compatibility Risk Description:
The update is about performance tuning, the compatibility impact should be minimal,
Scope:
JDK

Backports

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8224766	11.0.5	Paul Hohensee	P3	Closed	Approved
JDK-8224770	openjdk8u222	Paul Hohensee	P3	Closed	Approved

Description

Summary

Update the default value for the maximum number of entries in the SSL session cache (SSLSessionContext.getSessionCacheSize()).

Problem

The default value for the maximum number of entries in the SSL session cache (SSLSessionContext.getSessionCacheSize()) is infinite, and the entry timeout is 24 hours. With larger heaps, applications are running into situations where the cache ends up with several million entries at the 24 hour mark, at which time many of them are invalidated at almost the same time, which can result in multi-minute pauses, which are effectively service failures.

However, no matter what the default value is, it will not fit perfectly in all situations.

Solution

Update to use a default maximum session cache size other than infinite in JDK.

Specification

Update the SunJSSE provider to use 20480 as the default session cache size for SSLSessionContext.

Update the javax.net.ssl.SSLSessionContext specification with more clarification.

     /**
      * Sets the timeout limit for <code>SSLSession</code> objects grouped
      * under this <code>SSLSessionContext</code>.
      * <p>
      * If the timeout limit is set to 't' seconds, a session exceeds the
      * timeout limit 't' seconds after its creation time.
      * When the timeout limit is exceeded for a session, the
      * <code>SSLSession</code> object is invalidated and future connections
      * cannot resume or rejoin the session.
      * A check for sessions exceeding the timeout is made immediately whenever
      * the timeout limit is changed for this <code>SSLSessionContext</code>.
+     *
+     * @apiNote Note that the JDK Implementation uses default values for both
+     *          the session cache size and timeout.  See
+     *          {@code getSessionCacheSize} and {@code getSessionTimeout} for
+     *          more information.  Applications should consider their
+     *          performance requirements and override the defaults if necessary.
+     *
      * @param seconds the new session timeout limit in seconds; zero means
      *          there is no limit.
      *
      * @exception IllegalArgumentException if the timeout specified is {@code < 0}.
      * @see #getSessionTimeout
      */
     public void setSessionTimeout(int seconds)
             throws IllegalArgumentException;

     /**
      * Returns the timeout limit of <code>SSLSession</code> objects grouped
      * under this <code>SSLSessionContext</code>.
      * <p>
      * If the timeout limit is set to 't' seconds, a session exceeds the
      * timeout limit 't' seconds after its creation time.
      * When the timeout limit is exceeded for a session, the
      * <code>SSLSession</code> object is invalidated and future connections
      * cannot resume or rejoin the session.
      * A check for sessions exceeding the timeout limit is made immediately
      * whenever the timeout limit is changed for this
      * <code>SSLSessionContext</code>.
+     *
+     * @implNote The JDK implementation returns the session timeout as set by
+     *           the {@code setSessionTimeout} method, or if not set, a default
+     *           value of 86400 seconds (24 hours). 
+     *
      * @return the session timeout limit in seconds; zero means there is no
      *         limit.
      *
      * @see #setSessionTimeout
      */
     public int getSessionTimeout();

     /**
      * Sets the size of the cache used for storing
      * <code>SSLSession</code> objects grouped under this
      * <code>SSLSessionContext</code>.
+     *
+     * @apiNote Note that the JDK Implementation uses default values for both
+     *          the session cache size and timeout.  See
+     *          {@code getSessionCacheSize} and {@code getSessionTimeout} for
+     *          more information.  Applications should consider their
+     *          performance requirements and override the defaults if necessary.
      *
      * @param size the new session cache size limit; zero means there is no
      * limit.
      * @exception IllegalArgumentException if the specified size is {@code < 0}.
      * @see #getSessionCacheSize
      */
     public void setSessionCacheSize(int size)
          throws IllegalArgumentException;

     /**
      * Returns the size of the cache used for storing
      * <code>SSLSession</code> objects grouped under this
      * <code>SSLSessionContext</code>.
+     *
+     * @implNote The JDK implementation returns the cache size as set by
+     *           the {@code setSessionCacheSize method}, or if not set, the
+     *           value of the {@systemProperty javax.net.ssl.sessionCacheSize}
+     *           system property.  If neither is set, it returns a default
+     *           value of 20480.
      *
      * @return size of the session cache; zero means there is no size limit.
      * @see #setSessionCacheSize
      */
     public int getSessionCacheSize();

Attachments

Issue Links

backported by

JDK-8224766 Update the default SSL session cache size to 20480

Closed

JDK-8224770 Update the default SSL session cache size to 20480

Closed

csr of

JDK-8210985 Update the default SSL session cache size to 20480

Resolved

relates to

JDK-8213579 Document the System Property, javax.net.ssl.sessionCacheSize

Resolved

JDK-8248721 Backport TLSv1.3 protocol implementation

Closed

Update the default SSL session cache size to 20480