SSLEngine weird behavior in 11+21?

Xuelei Fan at
Thu Jul 12 14:40:39 UTC 2018

On 7/12/2018 7:33 AM, Xuelei Fan wrote:
>> In addition to what reported above, I would like to report also the
>> weird behavior during the close handshake (i.e. when one side decides
>> to close the connection).
>> 1. client.closeOutbound() then goes into NEED_WRAP.
>> 2. Client wraps 24 bytes, result is CLOSED, then goes into 
>> 3. Server unwraps 24 bytes, result is CLOSED, then goes into NEED_WRAP.
>> 4. Server wraps 24 bytes, result is CLOSED, then goes into 
>> 5. Client unwraps 0 bytes (?)
>> I think at step 2 the client should go into NEED_UNWRAP to read (at
>> step 5) the server response to the close_notify.
> In TLS 1.3, half-close policy is used.  The server may not response with 
> the close_notify for client close_notify request.  See the "Closure 
> Alerts" section for more details:
> It is a little bit complicated when moving from the duplex-close to 
> half-close policy.  In order to mitigate the compatibility impact, in 
> JDK implementation, if the local send the close_notify, we choose to 
> close the underlying socket as well if needed.  But, if the peer send 
> the close_notify, the unwrap() should be able to consume the bytes.  It 
> looks like a implementation bug to me.
The issue is tracked in JBS:


More information about the security-dev mailing list