TLSv1.3 HttpsServer endless loop based on client socket i/o shutdown

Daniel Fuchs daniel.fuchs at
Mon Feb 11 09:58:36 UTC 2019

Hi Jay,

It looks like this is JDK-8214418 - which has been fixed
in 12.0.1 b03 and 13-ea b04. The issue was with the
half closed semantics of the SSL engine in TLS 1.3.

best regards,

-- daniel

On 08/02/2019 21:43, Jay Modi wrote:
> Hi,
> I've been doing some testing with Apache HttpClient against the 
> that is included with the JDK and 
> came across some interesting behavior that occurs when using TLSv1.3, 
> but TLSv1.2 works normally. If the client manually calls 
> Socket#shutdownOutput and Socket#shutdownInput before closing the 
> socket, the HttpsServer goes into an endless loop while trying send the 
> close back to the client. Is this expected? I've done my best to create 
> a minimal reproducer without Apache HttpClient[1].
> To me this behavior does not seem right and as I mentioned, I did not 
> have these issues when using TLSv1.2. I'm running on macOS with the 
> following JDK:
> openjdk version "11.0.2" 2019-01-15
> OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
> Jay
> [1]

More information about the security-dev mailing list