JDK 13 SSLSession.getValue() throws NPE

Simone Bordet sbordet at webtide.com
Thu Sep 5 17:44:30 UTC 2019


Hi,

we have a number of TLS tests failing in Jetty when running on JDK 13,
while they work on JDK 11 and 12.

The simplest way to reproduce this is to open 2 TLS sockets to Jetty,
one after the other.

On the server, the first socket creates a SSLEngine which has a SSLSession.
Jetty calls SSLSession.getValue() to check whether a key (that we may
have put on the session during SNI processing) is there. For the first
socket this works.

The second socket, however, is using resumption. On the server, a new
SSLEngine is created, but its SSLSession has field "boundValues" ==
null so trying to call SSLSession.getValue() throws a NPE.

Is this a regression?

Thanks!

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.



More information about the security-dev mailing list