JDK-8368669

TLS 1.2 stateless session ticket creation fails when master key is not extractable


    • Type: Bug
    • Resolution: Unresolved
    • Priority: P4
    • None
    • 26
    • security-libs
    • None

      Observed when working on JDK-8368514. When TLS 1.2 is in use, a stateless session ticket is requested, and the master key is not extractable (for example when working with the NSS provider in FIPS mode), session ticket creation fails with the following log output:

      ```
      javax.net.ssl|TRACE|42|MainThread|2025-09-24 18:13:29.833 CEST|SSLSessionImpl.java:260|Session initialized: Session(1758730409771|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
      javax.net.ssl|TRACE|42|MainThread|2025-09-24 18:13:29.833 CEST|SSLSessionImpl.java:486|No MasterSecret, cannot make stateless ticket
      javax.net.ssl|DEBUG|42|MainThread|2025-09-24 18:13:29.833 CEST|NewSessionTicket.java:544|Produced NewSessionTicket stateless handshake message (
      "NewSessionTicket": {
        "ticket_lifetime" : "86,400",
        "ticket" : {
          
        }'}
      )
      ```

      TLS 1.3 uses a different mechanism to generate stateless session tickets and is not affected. Stateful session resumption works correctly.

            ascarpino Anthony Scarpino
            djelinski Daniel Jelinski
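
The failure signature in the log above can be checked for mechanically. The following is an added example, not part of the original report or of JDK code: a Python scan of `javax.net.ssl` debug output that flags `NewSessionTicket` messages whose ticket body is empty and records whether a "No MasterSecret" trace preceded them on the same thread. The field layout (logger, level, thread id, thread name, timestamp, source, message) is assumed from the lines quoted in the report, and the function names are hypothetical.

```python
import re

# Constructed sample: the javax.net.ssl debug lines quoted in this report.
SAMPLE_LOG = """\
javax.net.ssl|TRACE|42|MainThread|2025-09-24 18:13:29.833 CEST|SSLSessionImpl.java:260|Session initialized: Session(1758730409771|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
javax.net.ssl|TRACE|42|MainThread|2025-09-24 18:13:29.833 CEST|SSLSessionImpl.java:486|No MasterSecret, cannot make stateless ticket
javax.net.ssl|DEBUG|42|MainThread|2025-09-24 18:13:29.833 CEST|NewSessionTicket.java:544|Produced NewSessionTicket stateless handshake message (
"NewSessionTicket": {
  "ticket_lifetime" : "86,400",
  "ticket" : {

  }'}
)
"""

# Assumed layout: six '|'-separated fields, then a message that may itself contain '|'.
HEADER = re.compile(
    r"^\s*javax\.net\.ssl\|(?P<level>[A-Z]+)\|(?P<tid>[^|]*)\|(?P<thread>[^|]*)"
    r"\|(?P<ts>[^|]*)\|(?P<src>[^|]*)\|(?P<msg>.*)$")
TICKET = re.compile(r'"ticket"\s*:\s*\{(?P<data>.*?)\}', re.S)

def parse_records(text):
    """Group header lines with the continuation lines that follow them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "body": []})
        elif records:
            records[-1]["body"].append(line)
    return records

def find_empty_stateless_tickets(text):
    """Return one finding per stateless NewSessionTicket with an empty ticket."""
    findings, no_secret = [], set()
    for rec in parse_records(text):
        key = (rec["tid"], rec["thread"])
        if "No MasterSecret, cannot make stateless ticket" in rec["msg"]:
            no_secret.add(key)
        elif rec["msg"].startswith("Produced NewSessionTicket stateless"):
            m = TICKET.search("\n".join(rec["body"]))
            if m and not m.group("data").strip():
                findings.append({"thread": rec["thread"], "ts": rec["ts"],
                                 "src": rec["src"], "no_master_secret": key in no_secret})
            no_secret.discard(key)
    return findings
```
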