OpenJDK11u: Backward incompatible behavior
Xuelei Fan
xuelei.fan at oracle.com
Sat Feb 29 00:24:16 UTC 2020
> Webrev JDK11: http://cr.openjdk.java.net/~bae/8239788/webrev.v3/
> getSession() method is implemented identically to JDK8, so it's
> behaviour is backward compatible to JDK8
I know, but I would like to see if there is really a compatibility
impact if the getSession() is consistent with other IO operations. We
could fix the problem later if there is a need.
> I may try to catch the InterruptedIOException, rather than handle it
> in the IOException catching block or the Exception catching block.
try {
...
} catch (Exception e) {
if (e instanceof ... ) {
...
} else (e instanceof ...) {
...
}
}
vs
try {
} catch (AException e) {
...
} catch (IOException e) {
...
} catch (Exception e) {
...
}
the later is the common coding style
SSLSocketInputRecord:
52 private byte[] inputBuffer = new byte[maxRecordSize];
Would you mind consider an improvement to use less memory?
If you have webrev for JDK 15, I could help to run more testing for you.
Thanks,
Xuelei
On 2/27/2020 9:05 AM, Alexey Bakhtin wrote:
> Hello Xuelei,
>
> You are right, SSLSocketInputRecord.read() method could be interrupted
> before all requested data is received.
>
> I have updated SSLSocketInputRecord class to use single buffer for
> incoming data. Also I’ve updated read() method to take into account
> every chunk of incoming data. It should prevent possible loss of data if
> socket timed out.
>
> Webrev JDK11: http://cr.openjdk.java.net/~bae/8239788/webrev.v3/
>
> Tested with sun/security/ssl and javax/net/ssl jtreg tests
>
> Thank you
> Alexey
>
>> On 27 Feb 2020, at 01:04, Xuelei Fan <xuelei.fan at oracle.com
>> <mailto:xuelei.fan at oracle.com>> wrote:
>>
>> > Webrev for JDK15 : http://cr.openjdk.java.net/~yan/8239788/webrev.2/
>> For the SSLSocketInputRecord.java update, is it possible that the
>> read() implementation interrupted before reading the exact specified
>> bytes of data? The received data may be lost if it is interrupted.
>>
>> BTW, it might not be effective to use three fields to store the data,
>> temporary, header and inputBuffer. Is it possible to use just one
>> buffer (temporary, for example) and one integer to remember the
>> received data length?
>>
>> Thanks,
>> Xuelei
>>
>>
>> On 2/26/2020 4:22 AM, Alexey Bakhtin wrote:
>>> Hello Xuelei,
>>> Thank you for review.
>>> getSession() method is implemented identically to JDK8, so it's
>>> behaviour is backward compatible to JDK8
>>> I have updated review with some modifications:
>>> 1) Enabled sun/security/ssl/SSLSocketImpl/ClientTimeout.java jtreg
>>> test. This test emulates socket timeout during handshake and app data
>>> transfer.
>>> 2) I have added cache for incoming data received from socket
>>> (sun.security.ssl.SSLSocketInputRecord class). Socket timeout could
>>> happen while reading single handshake message by small chunks. It is
>>> implemented similarly to JDK8 and allows to pass
>>> sun/security/ssl/SSLSocketImpl/ClientTimeout test
>>> 3) I have added SocketTimeoutException handling into
>>> sun/security/ssl/SSLSocketImpl/SSLExceptionForIOIssue.java jtreg
>>> test. This test also verifies SocketExceptions during handshake.
>>> Webrev for JDK11 : http://cr.openjdk.java.net/~yan/8239788/webrev.1/
>>> Webrev for JDK15 : http://cr.openjdk.java.net/~yan/8239788/webrev.2/
>>> Tested with sun/security/ssl and javax/net/ssl jtreg tests
>>> Thank you
>>> Alexey
>>>> On 25 Feb 2020, at 19:42, Xuelei Fan <xuelei.fan at oracle.com
>>>> <mailto:xuelei.fan at oracle.com>> wrote:
>>>>
>>>>> JDK11 webrev: http://cr.openjdk.java.net/~yan/8239788/webrev.0/
>>>> Maybe, the getSession() could throw InterruptedIOException as well.
>>>>
>>>> I may try to catch the InterruptedIOException, rather than handle it
>>>> in the IOException catching block.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>>> On 2/24/2020 11:04 AM, Alexey Bakhtin wrote:
>>>>> Hi Xuelei,
>>>>> Thank you. It would be glad if you can review this fix.
>>>>> The patch almost cleanly applied to JDK15.
>>>>> Also, As Kumar mentioned, the patch does not include regression test.
>>>>> I’m going to add regression test and patch for JDK15 tomorrow.
>>>>> Thank you.
>>>>> Alexey
>>>>>> On 24 Feb 2020, at 21:41, Xuelei Fan <xuelei.fan at oracle.com
>>>>>> <mailto:xuelei.fan at oracle.com>> wrote:
>>>>>>
>>>>>> Hi Alexey,
>>>>>>
>>>>>> Thanks for working on this issue. Do you plan to fix it for JDK
>>>>>> 15, the current JDK reposiroty?
>>>>>>
>>>>>> I need more time for evaluate the fix. For example, I'm not sure
>>>>>> if we could always throw InterruptedIOException to applications,
>>>>>> even for getSession().
>>>>>>
>>>>>> Regards,
>>>>>> Xuelei
>>>>>>
>>>>>> On 2/24/2020 7:58 AM, Alexey Bakhtin wrote:
>>>>>>> Hello,
>>>>>>> I have been working on this issue for some time already.
>>>>>>> The patch below adds java.net.SocketTimeoutException handling
>>>>>>> during TLS handshake negotiation. This functionality seems to
>>>>>>> have been missed during the TLSv1.3 implementation ( JDK-8196584 )
>>>>>>> Tested with JDK11 and higher.
>>>>>>> JDK11 webrev: http://cr.openjdk.java.net/~yan/8239788/webrev.0/
>>>>>>> jbs: https://bugs.openjdk.java.net/browse/JDK-8239798 and
>>>>>>> https://bugs.openjdk.java.net/browse/JDK-8239788
>>>>>>> Thank you,
>>>>>>> Alexey
>>>>>>>> On 22 Feb 2020, at 15:00, security-dev-request at openjdk.java.net
>>>>>>>> <mailto:security-dev-request at openjdk.java.net>
>>>>>>>> <mailto:security-dev-request at openjdk.java.net> wrote:
>>>>>>>>
>>>>>>>> I will look into the issue.
>>>>>>>>
>>>>>>>> BTW, I closed JDK-8239788 as duplicate of JDK-8239798.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Xuelei
>>>>>>>>
>>>>>>>> On 2/21/2020 9:24 AM, Kumar Srinivasan wrote:
>>>>>>>>> Hi security-folk,
>>>>>>>>>
>>>>>>>>> At VMware while upgrading our application to OpenJDK11u, we have
>>>>>>>>> encountered what seems to be a serious behavior issue.
>>>>>>>>> The issue AFAICT seems to have stemmed from the work for TLS1.3 and
>>>>>>>>> JDK-8196584 <https://bugs.openjdk.java.net/browse/JDK-8196584>.
>>>>>>>>>
>>>>>>>>> Overview:
>>>>>>>>> With OpenJDK11 the end-points are closed immediately with TLS
>>>>>>>>> alerts
>>>>>>>>> raised when an exception is received.
>>>>>>>>> This is not the case with JDK8 the socket is not closed
>>>>>>>>> allowing retries.
>>>>>>>>>
>>>>>>>>> I have filed: JDK-8239798 (with a reproducer), this issue was also
>>>>>>>>> reported ?to Azul and they have filed: JDK-8239788.
>>>>>>>>>
>>>>>>>>> Can you please evaluate this at the earliest, this is a serious
>>>>>>>>> show
>>>>>>>>> stopper for VMware.
>>>>>>>>>
>>>>>>>>> Thank
>>>>>>>>> Kumar Srinivasan
>>>>>>>>> VMware
>>>>>>>>
>
More information about the security-dev
mailing list