-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8298381: Improve handling of session tickets for multiple SSLContexts #11590
Conversation
👋 Welcome back simonis! A progress list of the required criteria for merging this PR into |
Webrevs
|
I have asked some of the next questions already here. Would like to mention some of them;
|
src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
Outdated
Show resolved
Hide resolved
I can't answer this for sure but at least I haven't found any documentation which would prevent multi-threaded usage. On the other hand,
So this comment will probably have to be removed once we move the session ticket key (i.e.
You're right, but that's actually an improvement compared to the initial implementation where cleanup/destroy wasn't synchronized at all :) With regards to the missing synchronization of key usage and key destruction, I think this patch doesn't change the existing behavior because it wasn't synchronized before either. On the other hand, this patch fixes the implementation such that it only creates new tickets every hour (i.e.
With this change there will be no duplicate key IDs per context, only different contexts might eventually use the same session key (i.e. |
That's obviously not the expected behaviors. It is a good catch for the What do you think to move |
I think behavior is changed, since the synchronization problem was hidden by generation of many keys. And if we start to use one key by many threads, we will need to carefully sync it, but if we just add synchronization per ssl contex we will make encode/decode methods single threaded per ssl context, which is unfortunate. |
Do you propose to only move Also, I assume you'd probably like to keep it in |
Not sure what you mean? Do you refer to the
|
If we think that all that try/catch blocks in the encode/cleanup will save us, then why we added the sync block around cleanup. But If we try synchronize work with keys, and added the new block around cleanup then why the usage of the keys(who call getCurrentKey) are not synchronized by anything, am I not sure that it is safe to use the key after/during destruction, probably some write/read locks will help. |
… from SessionTicketExtension to SSLSessionContextImpl
Hi @XueleiFan, I've moved Can you please have a look at the new version? Thanks, |
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
…ion keys as proposed by @schlosna
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
…l and addressed comments by @XueleiFan and @ascarpino
Hi @XueleiFan, @ascarpino, Thank you for your reviews and comments. I think I've addressed all of your suggestions in the latest version of the PR. There's just one more thing I had to change. Now that I've moved all the logic to If you think that it is important that the What do you think? |
src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java
Outdated
Show resolved
Hide resolved
I understand the logic, but some users like to use a particular provider, keygen should use the random specified in the HandshakeContext. |
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java
Outdated
Show resolved
Hide resolved
@simonis, I don't think @XueleiFan and I are going to finish reviews by Friday. As Oracle has next week off, I suggest you update the copyrights to 2023 and we can integrate next year one all the comments have been resolved. |
…mprove initialization in SSLSessionContextImpl
From my understanding there hasn't been much left to resolve except using So if you'll find some time to approve the PR this year it'll be great. Otherwise, it will be easy to update the copyright years if that will be last issue :) Thanks for your support and have a nice and peaceful end of year, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Thanks!
@simonis This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 362 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Thanks @XueleiFan! I've updated the copyright year to 2023 and will wait one or two more days just in case @ascarpino wants to take one more look as well. |
Hi @simonis, I am sorry for chiming in so late on this issue. I do think it might be worthwhile to make your proof-of-concept code into a jtreg test as you mentioned in your summary. I think it really comes down to how feasible the conversion would be. It's always better to have an automated test if we can, but it depends on if jtreg code can get access to reliable information about the session tickets via the session cache and know that things are behaving as intended. |
I don't think the current reproducer can easily be converted into a cheap and stable jterg test. The current version is quite heavyweight because it calls |
/reviewer credit ascarpino |
/reviewer credit mrserb |
@simonis |
/reviewer credit schlosna |
@simonis Could not parse
|
@simonis Could not parse
|
@simonis Could not parse
|
/reviewer credit @mrserb |
@simonis |
/integrate |
Going to push as commit debe587.
Your commit was automatically rebased without conflicts. |
Currently, TLS session tickets introduced by JDK-8211018 in JDK 13 (i.e.
SessionTicketExtension$StatelessKey
) are generated in the classSessionTicketExtension
and they use a single, global key ID (currentKeyID
) for allSSLContext
s.This is problematic if more than one
SSLContext
is used, because every context which requests a session ticket will increment the global idcurrentKeyID
when it creates a ticket. This means that in turn all the other contexts won't be able to find a ticket under the new id in theirSSLContextImpl
and create a new one (again incrementingcurrentKeyID
). In fact, every time a ticket is requested from a different context, this will transitively trigger a new ticket creation in all the other contexts. We've observed millions of session ticket accumulating for some workloads.Another issue with the curent implementation is that cleanup is racy because the underlying data structure (i.e.
keyHashMap
inSSLContextImpl
) as well as the cleanup code itself are not threadsafe.I therefor propose to move
currentKeyID
into theSSLContextImpl
to solve these issues.The following test program (contributed by Steven Collison (https://raycoll.com/)) can be used to demonstrate the current behaviour. It outputs the number of
StatelessKey
instances at the end of the program. Opening 1000 connections with a singleSSLContext
results in a singleStatelessKey
instance being created:The same example with the 1000 connections being opened alternatively on thwo different contexts will instead create 1000
StatelessKey
instances:With my proposed patch, the numbers goes back to two instances again:
I've attached the test program to the JBS issue. If you think it makes sense, I can probably convert it into a JTreg test.
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/11590/head:pull/11590
$ git checkout pull/11590
Update a local copy of the PR:
$ git checkout pull/11590
$ git pull https://git.openjdk.org/jdk pull/11590/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 11590
View PR using the GUI difftool:
$ git pr show -t 11590
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11590.diff