SSLEngine.wrap(...) returns NOT_HANDSHAKING even when the alert was not consumed yet in latest JDK12 release (possible regression).

Norman Maurer norman.maurer at googlemail.com
Wed Mar 13 14:17:03 UTC 2019 

I assumed that it should return NEED_UNWRAP if there is something left that needs to be consumed (that’s also what happened in JDK11 and before).

How should we know then that there is an alert to consume ?

Bye
Norman

> Am 13.03.2019 um 15:11 schrieb Xuelei Fan <xuelei.fan at oracle.com>:
> 
> Hi Norman,
> 
> What's the problem in the application?  It is possible that status is NOT_HANDSHAKING even there are bytes left that should be consumed, for example alert or application data.  NOT_HANDSHAKING means that the handshaking is not in progress.
> 
> Thanks,
> Xuelei
> 
>> On 2/28/2019 12:24 AM, Norman Maurer wrote:
>> Hi all,
>> I think I found a possible regression / bug in the latest JDK12 release when trying to upgrade the Netty CI server to test with the latest JDK12 release. The problem is that SSLEngine.wrap(…) returns NOT_HANDSHAKING even when there are bytes left that should be consumed (the alert itself). My understanding is that it should only return “NOT_HANDSHAKING” once we also consumed the alert. Please correct me if I wrong tho.
>> I pushed a reproducer for this here:
>> https://github.com/normanmaurer/jdk12_ssl_engine_unwrap_bug
>> When running this on the latest JDK12 release (and later JDK versions) it will fail with an AssertionError, while everything works as expected when using earlier Java versions.
>> Here is the Java version I used to reproduce:
>> # java -version
>> openjdk version "12" 2019-03-19
>> OpenJDK Runtime Environment (build 12+33)
>> OpenJDK 64-Bit Server VM (build 12+33, mixed mode, sharing)
>> It seems like this was not always the case for Java12 tho, as I can not reproduce it with this version:
>> #java -version
>> openjdk version "12-ea" 2019-03-19
>> OpenJDK Runtime Environment (build 12-ea+27)
>> OpenJDK 64-Bit Server VM (build 12-ea+27, mixed mode, sharing)
>> I don't have all the “in between” releases on my machine atm so I can not tell exactly on which release this “broke” :/
>> Thanks
>> Norman

More information about the security-dev mailing list