TLSv1.3 HttpsServer endless loop based on client socket i/o shutdown

Jay Modi jay at elastic.co
Fri Feb 8 20:43:25 UTC 2019


Hi,

I've been doing some testing with Apache HttpClient against the
com.sun.net.httpserver.HttpsServer that is included with the JDK and came
across some interesting behavior that occurs when using TLSv1.3, but
TLSv1.2 works normally. If the client manually calls Socket#shutdownOutput
and Socket#shutdownInput before closing the socket, the HttpsServer goes
into an endless loop while trying to send the close back to the client. Is
this expected? I've done my best to create a minimal reproducer without
Apache HttpClient[1].

To me this behavior does not seem right and as I mentioned, I did not have
these issues when using TLSv1.2. I'm running on macOS with the following
JDK:
openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)

Jay

[1] https://gist.github.com/jaymode/3a6562beaa7ea789b287372bd10d4d1d


More information about the security-dev mailing list