SSLSocket weird behavior in JDK 11+27
Simone Bordet
sbordet at webtide.com
Thu Aug 23 14:04:38 UTC 2018
Hi,
SSLSocket is behaving weirdly in 11+27.
In particular:
* Set up an SSLServerSocket.
* Connect with a normal Socket (rawClient).
* Wrap rawClient into a SSLSocket (sslClient).
* sslClient.startHandshake()
Now a few cases:
A) immediate rawClient.close()
If the server is reading via InputStream.read(), then it reads -1.
But if the server reads via InputStream.read(byte[]), then
SSLProtocolException is thrown.
I believe the second behavior is correct, as the client does not send
the close_notify, so the server should throw?
B) sslClient writes data + rawClient.close()
The server correctly reads the data, then reads -1, both with read()
and read(byte[]).
I believe this is wrong as close_notify is not sent by the client.
Running the example with JDK 10 always produces no exceptions and
always reads -1.
Below you can find a reproducible case.
Thanks!
----
import java.io.IOException;
import java.net.Socket;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public class RawCloseRepro
{
    public static void main(String[] args) throws Exception
    {
        // __sslCtxFactory is the poster's SSLContext factory; its definition is not part of the message.
        SSLContext sslContext = __sslCtxFactory.getSslContext();
        int port = 8443;
        try (SSLServerSocket sslServer =
                 (SSLServerSocket)sslContext.getServerSocketFactory().createServerSocket(port))
        {
            // Plain TCP connection, later wrapped in TLS so it can be closed underneath the SSLSocket.
            Socket rawClient = new Socket("localhost", port);
            SSLSocket sslClient =
                (SSLSocket)sslContext.getSocketFactory().createSocket(rawClient,
                    "localhost", port, false);
            SSLSocket socket = (SSLSocket)sslServer.accept();
            CountDownLatch latch = new CountDownLatch(1);
            // Server-side reader: the first read drives the server half of the handshake.
            new Thread(() ->
            {
                try
                {
                    while (true)
                    {
                        // Variant: read into a byte[] instead of one byte at a time.
                        // byte[] buffer = new byte[1024];
                        // int read = socket.getInputStream().read(buffer);
                        int read = socket.getInputStream().read();
                        System.err.println("read = " + read);
                        if (read < 0)
                            break;
                    }
                }
                catch (IOException x)
                {
                    // Expected on a raw close without close_notify: an SSLException.
                    x.printStackTrace();
                }
                finally
                {
                    latch.countDown();
                }
            }).start();
            sslClient.startHandshake();
            // Case B: uncomment to send one byte of application data before the raw close.
            // OutputStream output = sslClient.getOutputStream();
            // output.write(0);
            // output.flush();
            // Raw close: the TCP socket is closed without sslClient.close(), so no close_notify is sent.
            rawClient.close();
            latch.await(10, TimeUnit.SECONDS);
        }
    }
}
--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
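To make the distinction in cases A and B concrete, here is an added example (not part of the post, and not JSSE code) that models the check a TLS endpoint is expected to perform when the TCP stream hits EOF: an orderly shutdown ends with a close_notify alert, while EOF without one is a truncation. It assumes records are visible in plaintext (as they would be after decryption); the byte streams are constructed to mirror the post's case A, case B and a proper close.

```python
import struct

# TLS 1.2 record content types and the close_notify alert (RFC 5246 sections 6.2 and 7.2)
CT_ALERT = 21
CT_APPLICATION_DATA = 23
ALERT_LEVEL_WARNING, ALERT_LEVEL_FATAL = 1, 2
ALERT_CLOSE_NOTIFY = 0
TLS12 = b"\x03\x03"


def alert_record(level, description):
    return bytes([CT_ALERT]) + TLS12 + struct.pack("!H", 2) + bytes([level, description])


def app_data_record(payload):
    return bytes([CT_APPLICATION_DATA]) + TLS12 + struct.pack("!H", len(payload)) + payload


def classify_stream(stream):
    """Walk the records of a TLS byte stream that has reached TCP EOF and report
    how it ended. Returns (status, application_bytes_received)."""
    app = bytearray()
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            return "truncated_header", bytes(app)   # EOF inside a record header
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            return "truncated_record", bytes(app)   # EOF inside a record body
        off += 5 + length
        if ctype == CT_ALERT:
            if length != 2:
                return "malformed_alert", bytes(app)
            level, description = body[0], body[1]
            if level == ALERT_LEVEL_WARNING and description == ALERT_CLOSE_NOTIFY:
                return "clean_close", bytes(app)    # orderly TLS shutdown: -1 is legitimate here
            if level == ALERT_LEVEL_FATAL:
                return "fatal_alert", bytes(app)
        elif ctype == CT_APPLICATION_DATA:
            app += body
        # handshake and change_cipher_spec records carry no application data; skipped
    # TCP EOF with no close_notify: the stream was cut short, so report it rather than -1
    return "eof_without_close_notify", bytes(app)


# Constructed streams mirroring the post: case A, case B, and a proper close
CASE_A = b""                                        # rawClient.close() right after the handshake
CASE_B = app_data_record(b"\x00")                   # output.write(0); rawClient.close()
ORDERLY = app_data_record(b"\x00") + alert_record(ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY)
```

Only ORDERLY should map to a plain -1; both CASE_A and CASE_B end without close_notify, which is the condition the post argues should surface as an exception on the server side.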