TLSv1.3 HttpsServer endless loop based on client socket i/o shutdown

Daniel Fuchs daniel.fuchs at oracle.com
Mon Feb 11 09:58:36 UTC 2019


Hi Jay,


It looks like this is JDK-8214418 - which has been fixed
in 12.0.1 b03 and 13-ea b04. The issue was with the
half closed semantics of the SSL engine in TLS 1.3.

best regards,

-- daniel

On 08/02/2019 21:43, Jay Modi wrote:
> Hi,
> 
> I've been doing some testing with Apache HttpClient against the 
> com.sun.net.httpserver.HttpsServer that is included with the JDK and 
> came across some interesting behavior that occurs when using TLSv1.3, 
> but TLSv1.2 works normally. If the client manually calls 
> Socket#shutdownOutput and Socket#shutdownInput before closing the 
> socket, the HttpsServer goes into an endless loop while trying to send the 
> close back to the client. Is this expected? I've done my best to create 
> a minimal reproducer without Apache HttpClient[1].
> 
> To me this behavior does not seem right and as I mentioned, I did not 
> have these issues when using TLSv1.2. I'm running on macOS with the 
> following JDK:
> openjdk version "11.0.2" 2019-01-15
> OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
> 
> Jay
> 
> [1] https://gist.github.com/jaymode/3a6562beaa7ea789b287372bd10d4d1d
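
A possible stop-gap for servers that cannot yet move to a fixed build, as an added example that is not part of the original thread or of the JDK sources: restrict the `HttpsServer` to TLSv1.2, based only on the reporter's observation that TLSv1.2 was not affected. The class name, the `create` helper and port 8443 are hypothetical, and loading the server's key material is assumed to happen elsewhere.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;

import java.io.IOException;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public final class Tls12OnlyHttpsServer {

    // Hypothetical helper: 'serverContext' must already be initialised with the
    // server's key material (KeyManagerFactory etc.), which is omitted here.
    public static HttpsServer create(SSLContext serverContext, int port) throws IOException {
        HttpsServer server = HttpsServer.create(new InetSocketAddress(port), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(serverContext) {
            @Override
            public void configure(HttpsParameters params) {
                // Start from the context defaults so cipher suites stay as configured,
                // then offer only TLSv1.2 so TLS 1.3 (and its half-close handling)
                // is never negotiated on this listener.
                SSLParameters ssl = getSSLContext().getDefaultSSLParameters();
                ssl.setProtocols(new String[] {"TLSv1.2"});
                params.setSSLParameters(ssl);
            }
        });
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Print the runtime so it can be compared with the fixed builds named in the reply.
        System.out.println("Runtime: " + Runtime.version());
        // SSLContext.getDefault() carries no server key; it is used here only so the
        // example starts. A real deployment passes its own initialised context.
        HttpsServer server = create(SSLContext.getDefault(), 8443);
        server.start();
        System.out.println("Listening on 8443, TLSv1.2 only");
    }
}
```

The restriction can be dropped once the server runs on a build that contains the JDK-8214418 fix.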


