[security-dev 00402]: Re: NullPointerException at sun.security.ssl.OutputRecord.writeBuffer

Brad Wetmore Bradford.Wetmore at Sun.COM
Thu Nov 13 15:57:10 PST 2008


I'm trying to get caught up on much back email.  Sorry for the delay. 
Earlier you wrote:

 > This SSLSocketImpl instance 'tmp' does not handle any TCP (or SSL)
 > connections, so sockOutput is always null.
 > This method 'checkEnabledSuites()' is called only once for each
 > SSLServerSocket instance, so if you instantiate more
 > SSLServerSockets, more file handle leaks occur.

I don't know if you got the email update about a possible workaround for 
your problem.  But I thought I'd send this to security-dev in case 
others run into the same problem.

We have the fix ready and are trying to get it into 6u12, due out in 
early 2009, and of course it will go into JDK7.

File descriptors of TCP sockets are not released properly when using
the SSLServerSocket class (especially with many instances) on Linux systems.

If a server application (like Jakarta Tomcat) runs for a very long time,
this problem will cause a 'too many open files' error and a denial of
service.

In JSSE, you can layer an SSLSocket over an existing Socket.  That will
avoid SSLServerSocket creating the dummy Socket that is eventually
leaking the file descriptors.

So do something like this:

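import java.net.*;
import javax.net.ssl.*;

// Create and initialize an SSLContext, from which you obtain an
// SSLSocketFactory, sslssf

ServerSocket ss = new ServerSocket(port);
Socket s = ss.accept();
// Layer TLS over the accepted socket.  autoClose=false leaves s open
// when the SSLSocket is closed, so s must be closed separately.
SSLSocket ssl = (SSLSocket) sslssf.createSocket(s,
     s.getInetAddress().getHostName(), s.getPort(), false);
// Sockets from an SSLSocketFactory start in client mode by default.
ssl.setUseClientMode(false);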

Hope this helps.
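
The workaround above carried through to a complete accept loop, as an added example that is not part of the original post or of the JDK fix. It shows where each descriptor gets closed so that a failed or stalled handshake cannot hold one open. Assumptions: the class name, port 8443, the 10-second timeout, and a server key store supplied through the standard javax.net.ssl.keyStore system properties.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical demo class: plain ServerSocket with TLS layered per connection.
public class LayeredTlsServer {
    public static void main(String[] args) throws Exception {
        int port = 8443; // assumed port
        // Assumption: key store given via -Djavax.net.ssl.keyStore and
        // -Djavax.net.ssl.keyStorePassword, picked up by the default context.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // A plain ServerSocket is used, so no SSLServerSocket is ever created.
        try (ServerSocket listener = new ServerSocket(port)) {
            while (true) {
                Socket raw = listener.accept();
                try {
                    handle(factory, raw);
                } catch (IOException e) {
                    System.err.println("connection failed: " + e.getMessage());
                } finally {
                    // Covers the case where createSocket itself threw;
                    // closing an already closed socket is a no-op.
                    raw.close();
                }
            }
        }
    }

    static void handle(SSLSocketFactory factory, Socket raw) throws IOException {
        // Bound blocking reads so a silent peer cannot pin a descriptor.
        raw.setSoTimeout(10_000);
        // autoClose=true: closing the SSLSocket also closes the raw socket.
        try (SSLSocket tls = (SSLSocket) factory.createSocket(
                raw, raw.getInetAddress().getHostAddress(), raw.getPort(), true)) {
            tls.setUseClientMode(false); // layered sockets default to client mode
            tls.startHandshake();
            tls.getOutputStream().write(
                    "hello over TLS\r\n".getBytes(StandardCharsets.US_ASCII));
            tls.getOutputStream().flush();
        }
    }
}
```

The loop handles one connection at a time to keep the descriptor lifecycle visible; on Linux, the number of entries under /proc/<pid>/fd for the server process should stay flat across many connections.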

