SSLEngine.wrap(...) returns NOT_HANDSHAKING even when the alert was not consumed yet in latest JDK12 release (possible regression).

Norman Maurer norman.maurer at
Thu Feb 28 08:24:49 UTC 2019

Hi all,

I think I found a possible regression / bug in the latest JDK12 release when trying to upgrade the Netty CI server to test with the latest JDK12 release. The problem is that SSLEngine.wrap(…) returns NOT_HANDSHAKING even when there are bytes left that should be consumed (the alert itself). My understanding is that it should only return “NOT_HANDSHAKING” once we also consumed the alert. Please correct me if I wrong tho.

I pushed a reproducer for this here: <>

When running this on the latest JDK12 release (and later JDK versions) it will fail with an AssertionError, while everything works as expected when using earlier Java versions.

Here is the Java version I used to reproduce:

# java -version
openjdk version "12" 2019-03-19
OpenJDK Runtime Environment (build 12+33)
OpenJDK 64-Bit Server VM (build 12+33, mixed mode, sharing)

It seems like this was not always the case for Java12 tho, as I can not reproduce it with this version:

#java -version
openjdk version "12-ea" 2019-03-19
OpenJDK Runtime Environment (build 12-ea+27)
OpenJDK 64-Bit Server VM (build 12-ea+27, mixed mode, sharing)

I don't have all the “in between” releases on my machine atm so I can not tell exactly on which release this “broke” :/


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list