Code Review Request, JDK-8209333 Socket reset issue for TLS 1.3 socket close

Xue-Lei Fan xuelei.fan at oracle.com
Mon Dec 10 21:14:58 UTC 2018


Hi,

Please review the TLS 1.3 half-close issue in JDK.

     http://cr.openjdk.java.net/~xuelei/8209333/webrev.00/

While trying to duplex-close a TLS connection upon the half-close 
policy, there might be pending received data on the closing side, which 
results in a TCP RST during closing.  The TCP RST may then cause a read 
failure on the peer.  For example:
1. The client and server establish a TLS 1.3 connection.
2. The server sends the post-handshake NewSessionTicket message.
3. The client sends the application data, and then closes the connection.
4. As the client does not call read for the post-handshake message, the 
connection close will cause a TCP RST.
5. The server tries to read the client application data, but the socket 
may be impacted by the TCP RST, and the read can fail.

It would not be an issue any more if the client could read the 
post-handshake message, explicitly or implicitly.

I would like applications to consider using the half-close policy, and 
moving away from the duplex-close policy.

The basic idea of the fix is to try to use up buffered network input 
before closing the socket.  This is an implicit behavior to consume the 
post-handshake message, and mitigate the impact of it.

This fix is not a perfect one.  It is just a workaround for 
duplex-close.  I'm open to hearing more ideas.

Thanks,
Xuelei
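
The five steps in the message above, reproduced as an added example that is not part of the original mail or of the JDK change. It assumes plain TCP on loopback instead of TLS, with a constructed byte string standing in for the NewSessionTicket record; `run_exchange` and its parameter are hypothetical names.

```python
import select
import socket

# Constructed sample data (assumption): stand-ins for the real TLS records.
TICKET = b"constructed-stand-in-for-NewSessionTicket"
APP_DATA = b"constructed client application data"


def run_exchange(drain_before_close):
    """Run steps 1-5 once; return (bytes the server read, 'eof' or 'reset')."""
    listener = socket.create_server(("127.0.0.1", 0))
    client = socket.create_connection(listener.getsockname())   # step 1
    server, _ = listener.accept()
    listener.close()
    server.settimeout(5)
    try:
        server.sendall(TICKET)                                   # step 2
        # Wait until the message is buffered on the client, without reading it.
        select.select([client], [], [], 5)
        client.sendall(APP_DATA)                                 # step 3
        if drain_before_close:
            # Idea of the workaround: use up buffered input before closing.
            client.setblocking(False)
            try:
                while client.recv(4096):
                    pass
            except BlockingIOError:
                pass                                             # buffer empty
        client.close()                                           # step 4
        received = b""
        try:
            while True:                                          # step 5
                chunk = server.recv(4096)
                if not chunk:
                    return received, "eof"                       # clean FIN
                received += chunk
        except ConnectionResetError:
            return received, "reset"                             # TCP RST seen
    finally:
        server.close()


if __name__ == "__main__":
    print("close with unread input :", run_exchange(False))
    print("drain, then close       :", run_exchange(True))
```

With unread input the server's read loop ends in a reset instead of a clean end-of-stream; how much of the client's data it gets before the reset surfaces depends on the platform's TCP stack and on timing.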


