JDK-8224766

Update the default SSL session cache size to 20480

Details

    • CSR
    • Resolution: Approved
    • P3
    • 11.0.5
    • security-libs
    • None

    Description

      Summary

      Update the default value for the maximum number of entries in the SSL session cache (SSLSessionContext.getSessionCacheSize()).

      Problem

      The default value for the maximum number of entries in the SSL session cache (SSLSessionContext.getSessionCacheSize()) is infinite, and the entry timeout is 24 hours. With larger heaps, applications run into situations where the cache holds several million entries at the 24-hour mark. Many of those entries are then invalidated at almost the same time, which can cause multi-minute pauses that are effectively service failures.

      However, no matter what the default value is, it will not fit perfectly in all situations.
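
Because no default fits every deployment, an application can set its own bounds on the session cache instead of relying on the provider default. The following is an added example, not code from the JDK or from this CSR; the class name `SessionCachePolicy` and the values 4096 and 3600 are hypothetical choices.

```java
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

public final class SessionCachePolicy {

    // Hypothetical bounds; size them from the expected number of distinct peers.
    static final int MAX_ENTRIES = 4096;
    static final int TIMEOUT_SECONDS = 3600;

    /** Applies finite bounds. Zero is rejected because this API treats 0 as "no limit". */
    static void bound(SSLSessionContext ctx, int maxEntries, int timeoutSeconds) {
        if (ctx == null) {
            return; // the session context may be unavailable, in which case the getter returns null
        }
        if (maxEntries <= 0 || timeoutSeconds <= 0) {
            throw new IllegalArgumentException("bounds must be positive; 0 removes the limit");
        }
        ctx.setSessionCacheSize(maxEntries);
        // Changing the timeout triggers an immediate check for expired sessions.
        ctx.setSessionTimeout(timeoutSeconds);
    }

    static String describe(String side, SSLSessionContext ctx) {
        return ctx == null
                ? side + ": no session context"
                : side + ": cacheSize=" + ctx.getSessionCacheSize()
                        + " timeoutSeconds=" + ctx.getSessionTimeout();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext tls = SSLContext.getDefault();
        SSLSessionContext[] contexts = {tls.getServerSessionContext(), tls.getClientSessionContext()};
        String[] sides = {"server", "client"};

        // The property named in the getSessionCacheSize note; null when not set.
        System.out.println("javax.net.ssl.sessionCacheSize="
                + System.getProperty("javax.net.ssl.sessionCacheSize"));
        for (int i = 0; i < contexts.length; i++) {
            System.out.println("before " + describe(sides[i], contexts[i]));
            bound(contexts[i], MAX_ENTRIES, TIMEOUT_SECONDS);
            System.out.println("after  " + describe(sides[i], contexts[i]));
        }
    }
}
```

The "before" lines show whatever default the running JDK applies, so the same program can be used to confirm which default a given runtime ships with.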

      Solution

      Change the JDK to use a default maximum session cache size other than infinite.

      Specification

      1. Update the SunJSSE provider to use 20480 as the default session cache size for SSLSessionContext.
      2. Update the javax.net.ssl.SSLSessionContext specification with more clarification.

             /**
              * Sets the timeout limit for <code>SSLSession</code> objects grouped
              * under this <code>SSLSessionContext</code>.
              * <p>
              * If the timeout limit is set to 't' seconds, a session exceeds the
              * timeout limit 't' seconds after its creation time.
              * When the timeout limit is exceeded for a session, the
              * <code>SSLSession</code> object is invalidated and future connections
              * cannot resume or rejoin the session.
              * A check for sessions exceeding the timeout is made immediately whenever
              * the timeout limit is changed for this <code>SSLSessionContext</code>.
        +     *
        +     * @apiNote Note that the JDK Implementation uses default values for both
        +     *          the session cache size and timeout.  See
        +     *          {@code getSessionCacheSize} and {@code getSessionTimeout} for
        +     *          more information.  Applications should consider their
        +     *          performance requirements and override the defaults if necessary.
        +     *
              * @param seconds the new session timeout limit in seconds; zero means
              *          there is no limit.
              *
              * @exception IllegalArgumentException if the timeout specified is {@code < 0}.
              * @see #getSessionTimeout
              */
             public void setSessionTimeout(int seconds)
                     throws IllegalArgumentException;
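Review bot: The added @apiNote on setSessionTimeout names the related getters with {@code getSessionCacheSize} and {@code getSessionTimeout}, so the generated documentation has no link to the methods that carry the default values. This comment already uses "@see #getSessionTimeout", so {@link #getSessionCacheSize} and {@link #getSessionTimeout} would fit. "JDK Implementation" is also capitalised here but written "JDK implementation" in the @implNote text, and "Note that" directly after @apiNote is redundant.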
        
             /**
              * Returns the timeout limit of <code>SSLSession</code> objects grouped
              * under this <code>SSLSessionContext</code>.
              * <p>
              * If the timeout limit is set to 't' seconds, a session exceeds the
              * timeout limit 't' seconds after its creation time.
              * When the timeout limit is exceeded for a session, the
              * <code>SSLSession</code> object is invalidated and future connections
              * cannot resume or rejoin the session.
              * A check for sessions exceeding the timeout limit is made immediately
              * whenever the timeout limit is changed for this
              * <code>SSLSessionContext</code>.
        +     *
        +     * @implNote The JDK implementation returns the session timeout as set by
        +     *           the {@code setSessionTimeout} method, or if not set, a default
        +     *           value of 86400 seconds (24 hours). 
        +     *
              * @return the session timeout limit in seconds; zero means there is no
              *         limit.
              *
              * @see #setSessionTimeout
              */
             public int getSessionTimeout();
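Review bot: The @implNote on getSessionTimeout lists only the setter and the fixed 86400-second default, while the parallel note on getSessionCacheSize also lists a system property. Please state explicitly whether the timeout has a property override, so the two notes cannot be read as accidentally different. The added line ending "(24 hours). " also carries trailing whitespace.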
        
             /**
              * Sets the size of the cache used for storing
              * <code>SSLSession</code> objects grouped under this
              * <code>SSLSessionContext</code>.
        +     *
        +     * @apiNote Note that the JDK Implementation uses default values for both
        +     *          the session cache size and timeout.  See
        +     *          {@code getSessionCacheSize} and {@code getSessionTimeout} for
        +     *          more information.  Applications should consider their
        +     *          performance requirements and override the defaults if necessary.
              *
              * @param size the new session cache size limit; zero means there is no
              * limit.
              * @exception IllegalArgumentException if the specified size is {@code < 0}.
              * @see #getSessionCacheSize
              */
             public void setSessionCacheSize(int size)
                  throws IllegalArgumentException;
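Review bot: The @apiNote on setSessionCacheSize is a verbatim copy of the one on setSessionTimeout and does not tell an application how to opt out of a finite default. The @param text just below it says that zero means there is no limit; one sentence in the note pointing to that value would cover applications that depended on the unbounded default described in the Problem section.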
        
             /**
              * Returns the size of the cache used for storing
              * <code>SSLSession</code> objects grouped under this
              * <code>SSLSessionContext</code>.
        +     *
        +     * @implNote The JDK implementation returns the cache size as set by
        +     *           the {@code setSessionCacheSize method}, or if not set, the
        +     *           value of the {@systemProperty javax.net.ssl.sessionCacheSize}
        +     *           system property.  If neither is set, it returns a default
        +     *           value of 20480.
              *
              * @return size of the session cache; zero means there is no size limit.
              * @see #setSessionCacheSize
              */
             public int getSessionCacheSize();
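Review bot: In the added @implNote on getSessionCacheSize, the inline tag reads {@code setSessionCacheSize method}, which renders the word "method" in code font; the getSessionTimeout note has the correct form, {@code setSessionTimeout} method. The note also leaves open what is returned when javax.net.ssl.sessionCacheSize is set to a value that is not a valid non-negative integer; one sentence covering that case would complete the fallback order.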

            People

              phh Paul Hohensee