[security-dev 00237]: Re: NullPointerException at sun.security.ssl.OutputRecord.writeBuffer

Andrew Fan Xuelei.Fan at Sun.COM
Thu Jul 10 06:42:16 UTC 2008


Kanatoko wrote:
> Andrew,
>
> I figured out why sockOutput comes to null.
>
> SSLSocketImpl class is used both from SSLSocket class and
> SSLServerSocket class.
>
> The problem occurs when an SSLServerSocket instance uses (creates) an
> SSLSocketImpl instance only for getting a ServerHandshaker instance. The code is below.
>
> -----From share/classes/sun/security/ssl/SSLServerSocketImpl.java
>
>     private void checkEnabledSuites() throws IOException {
>         //
>         // We want to report an error if no cipher suites were actually
>         // enabled, since this is an error users are known to make.  Then
>         // they get vastly confused by having clients report an error!
>         //
>         synchronized (this) {
>             if (checkedEnabled) {
>                 return;
>             }
>             if (useServerMode == false) {
>                 return;
>             }
>
>             SSLSocketImpl tmp = new SSLSocketImpl(sslContext, useServerMode,            <=================== HERE!
>                          enabledCipherSuites, doClientAuth,
>                          enableSessionCreation, enabledProtocols);
>
>             ServerHandshaker handshaker = tmp.getServerHandshaker();             
>
>             for (Iterator t = enabledCipherSuites.iterator(); t.hasNext(); ) {
>                 CipherSuite suite = (CipherSuite)t.next();
>                 if (handshaker.trySetCipherSuite(suite)) {
>                     checkedEnabled = true;
>                     return;
>                 }
>             }
> -----
>
> This SSLSocketImpl instance 'tmp' does not handle any TCP (or SSL) connections, so sockOutput is always null.
> This method 'checkEnabledSuites()' is called only once for each SSLServerSocket instance, so if you instantiate more SSLServerSockets, more file handle leaks occur.
>
>   
Yes, your analysis is correct. I think we may need to polish the checking
of the connection states, so that SSLSocketImpl.closeInternal() will
not send any messages (alert/warning messages in this case) to the peer
before an active connection is established.

Because of another mail thread proposed by 
Bruno.Harbulot at manchester.ac.uk, we would update the implementation of 
checkEnabledSuites(). This is another factor that we should consider 
during the update.

Thanks,
Andrew
> I think we should patch SSLSocketImpl class. But I don't have a good fix.
>   
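
A simplified model of the connection-state check proposed in the reply above, added here as an illustration: it is not JDK code or a patch from this thread. The class, enum and method names are hypothetical; only `sockOutput` and the never-connected `tmp` instance mirror what the thread describes.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;

// Simplified model (not JDK code): the output stream is only assigned once a
// real connection exists, as with sockOutput in the thread.
public class CloseBeforeConnectDemo {
    enum State { START, CONNECTED, CLOSED }      // hypothetical state names

    static class ModelSocket {
        State state = State.START;
        OutputStream sockOutput;                 // stays null until connect()

        void connect(OutputStream out) { sockOutput = out; state = State.CONNECTED; }

        // Unguarded close: always tries to send an alert to the peer.
        void closeUnguarded() throws IOException {
            sockOutput.write(new byte[] {1, 0}); // NullPointerException if never connected
            state = State.CLOSED;
        }

        // Guarded close: sends the alert only when a connection was established.
        void closeGuarded() throws IOException {
            if (state == State.CONNECTED && sockOutput != null) {
                // TLS alert body: level warning (1), description close_notify (0)
                sockOutput.write(new byte[] {1, 0});
            }
            state = State.CLOSED;
        }
    }

    public static void main(String[] args) throws IOException {
        ModelSocket tmp = new ModelSocket();     // plays the role of 'tmp' in checkEnabledSuites()
        try {
            tmp.closeUnguarded();
        } catch (NullPointerException e) {
            System.out.println("unguarded close on unconnected socket: NullPointerException");
        }
        tmp.closeGuarded();                      // no write attempted, no exception
        System.out.println("guarded close on unconnected socket: state=" + tmp.state);

        ByteArrayOutputStream wire = new ByteArrayOutputStream(); // constructed stand-in for a peer
        ModelSocket live = new ModelSocket();
        live.connect(wire);
        live.closeGuarded();                     // alert is still sent on a real connection
        System.out.println("guarded close on connected socket wrote " + wire.size() + " bytes");
    }
}
```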



