TLSv1.3 HttpsServer endless loop based on client socket i/o shutdown
Daniel Fuchs
daniel.fuchs at oracle.com
Mon Feb 11 09:58:36 UTC 2019

Hi Jay,

It looks like this is JDK-8214418 - which has been fixed
in 12.0.1 b03 and 13-ea b04. The issue was with the
half closed semantics of the SSL engine in TLS 1.3.

best regards,

-- daniel

On 08/02/2019 21:43, Jay Modi wrote:
> Hi,
>
> I've been doing some testing with Apache HttpClient against the
> com.sun.net.httpserver.HttpsServer that is included with the JDK and
> came across some interesting behavior that occurs when using TLSv1.3,
> but TLSv1.2 works normally. If the client manually calls
> Socket#shutdownOutput and Socket#shutdownInput before closing the
> socket, the HttpsServer goes into an endless loop while trying to send the
> close back to the client. Is this expected? I've done my best to create
> a minimal reproducer without Apache HttpClient[1].
>
> To me this behavior does not seem right and as I mentioned, I did not
> have these issues when using TLSv1.2. I'm running on macOS with the
> following JDK:
> openjdk version "11.0.2" 2019-01-15
> OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
>
> Jay
>
> [1] https://gist.github.com/jaymode/3a6562beaa7ea789b287372bd10d4d1d
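
Since the report above sees the loop only with TLSv1.3 and not with TLSv1.2, one way to keep a `com.sun.net.httpserver.HttpsServer` on a JDK without the JDK-8214418 fix from negotiating TLSv1.3 is to pin the protocol list in its `HttpsConfigurator`. This is an added example, not code from the thread or from the JDK; the class name, port 8443, and the PKCS12 keystore path and password passed as arguments are assumptions.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.io.FileInputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

// Hypothetical class name; run as: java Tls12OnlyHttpsServer server.p12 <password>
public class Tls12OnlyHttpsServer {
    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a PKCS12 keystore holding the server key, args[1] its password.
        char[] password = args[1].toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null);

        HttpsServer server = HttpsServer.create(new InetSocketAddress("localhost", 8443), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(context) {
            @Override
            public void configure(HttpsParameters params) {
                // Invoked for each incoming connection: start from the context
                // defaults and restrict the enabled protocols to TLSv1.2 only.
                SSLParameters sslParams = getSSLContext().getDefaultSSLParameters();
                sslParams.setProtocols(new String[] {"TLSv1.2"});
                params.setSSLParameters(sslParams);
            }
        });
        server.createContext("/", exchange -> {
            byte[] body = "ok\n".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });
        server.start();
        System.out.println("Listening on https://localhost:8443 (TLSv1.2 only)");
    }
}
```

The pin can be dropped once the server runs on a JDK build that includes the fix named in the reply.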