Code Review Request, JDK-8209333 Socket reset issue for TLS 1.3 socket close
Xue-Lei Fan
xuelei.fan at oracle.com
Mon Dec 17 17:52:31 UTC 2018
ping ...
On 12/10/2018 1:14 PM, Xue-Lei Fan wrote:
> Hi,
>
> Please review the TLS 1.3 half-close issue in JDK.
>
> http://cr.openjdk.java.net/~xuelei/8209333/webrev.00/
>
> While trying to duplex close a TLS connection upon the half-close
> policy, there might be pending receiving data in the closing side, and
> result in a TCP RST during closing. The TCP RST may then cause the peer
> reading failure. For example:
> 1. client and server establish a TLS 1.3 connection.
> 2. server sending the post-handshake NewSessionTicket message.
> 3. client send the application data, and then close the connection.
> 4. as the client does not call to read the post-handshake message, the
> connection close will cause a TCP RST.
> 5. server trying to read the client application data, but the socket may
> be impacted by the TCP RST, and the reading can fail.
>
> It would not be an issue any more if the client could read the
> post-handshake message, explicit or implicit.
>
> I would like applications consider to use half-close policy, and moving
> away from the duplex-close policy.
>
> The basic idea of the fix is trying to use up buffered network input
> before close the socket. As is an implicit behavior to consume the
> post-handshake message, and mitigate the impact of it.
>
> This fix is not a perfect one. It is just a workaround for
> duplex-close. I'm open to hear more ideas.
>
> Thanks,
> Xuelei
More information about the security-dev
mailing list