Possible bug in SSLEngine / SSLSession implementation
Norman Maurer
norman.maurer at googlemail.com
Wed Dec 12 07:59:53 UTC 2018
Hi all,
While working on some unit tests in netty I noticed that there may be a bug in the JDK implementation of SSLEngine / SSLSession. If it's not a bug, it is at least surprising, I would say.
So it seems like before the handshake all values that are set on the SSLSession via putValue are shared across SSLEngine instances. Is this by design or a bug? I could not find anything in the java docs that would tell me this is by design. It only states: "Until the initial handshake has completed, this method returns a session object which reports an invalid cipher suite of "SSL_NULL_WITH_NULL_NULL"." This does not sound like it will be the same object every time and so it would share the values.
You can find a reproducer which will throw an exception here:
https://github.com/normanmaurer/jdk_ssl_session_reproducer
I did reproduce this with the latest java8 and java11 releases but I am almost sure it also exists in other versions.
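The behaviour described above can be checked without the linked reproducer. The following is an added example, not the author's code: it creates two SSLEngine instances from the same SSLContext, stores a value on the first engine's pre-handshake session and looks it up through the second engine; it also shows a defensive pattern that keeps per-connection state off the session until the cipher suite is no longer SSL_NULL_WITH_NULL_NULL. The key name and the map are assumptions chosen for the example; whether sharing is observed depends on the JDK version.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Map;
import java.util.WeakHashMap;

public class PreHandshakeSessionCheck {

    // Cipher suite reported by SSLSession before the initial handshake has completed.
    static final String NULL_SUITE = "SSL_NULL_WITH_NULL_NULL";

    /** True if a value stored on one engine's pre-handshake session is visible from another engine. */
    public static boolean isPreHandshakeSessionShared() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine first = ctx.createSSLEngine();
        SSLEngine second = ctx.createSSLEngine();
        // Neither engine has started a handshake, so both sessions report the null suite.
        SSLSession a = first.getSession();
        SSLSession b = second.getSession();
        String key = "example.connection-id";   // constructed key name for this check
        a.putValue(key, "conn-A");
        Object seenFromB = b.getValue(key);
        a.removeValue(key);                      // do not leave the probe value behind
        return "conn-A".equals(seenFromB);
    }

    // Defensive alternative: per-engine state lives here until the handshake has produced
    // a real per-connection session. Weak keys let the entry go away with the engine.
    static final Map<SSLEngine, Object> PER_ENGINE_STATE =
            Collections.synchronizedMap(new WeakHashMap<>());

    /** Attach connection-scoped state without risking a write to a session shared across engines. */
    public static void attachState(SSLEngine engine, String key, Object state) {
        SSLSession session = engine.getSession();
        if (NULL_SUITE.equals(session.getCipherSuite())) {
            PER_ENGINE_STATE.put(engine, state);  // handshake not done: session may be shared
        } else {
            session.putValue(key, state);         // real session, safe to use as a per-connection store
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("pre-handshake session values shared across engines: "
                + isPreHandshakeSessionShared());
    }
}
```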