Possible regression in JDK 14 related to SSLSessionContext / SSLSession on the server side
Jamil Nimeh
jamil.j.nimeh at oracle.com
Tue Mar 31 15:35:53 UTC 2020
Thanks Norman, I'm going to file a bug on this one. After playing with
it a bit more I found cases where even SSLServerSockets do run into the
issue but it doesn't always happen. Still working on characterizing it.
--Jamil
On 3/31/2020 7:11 AM, Norman Maurer wrote:
> Yes thats about right… if setting to false it works as expected.
>
>
> Bye
> Norman
>
>
>> On 31. Mar 2020, at 01:50, Jamil Nimeh <jamil.j.nimeh at Oracle.Com
>> <mailto:jamil.j.nimeh at Oracle.Com>> wrote:
>>
>> Hi Norman,
>>
>> I've been able to run your test code and I can reproduce it.
>> Interestingly enough, it appears to happen when
>> -Djdk.tls.server.enableSessionTicketExtension=true, which is the
>> default position. With session tickets enabled, I would see the
>> issue in TLS 1.3 and 1.2 connections just as you did. Setting the
>> above property to false however allowed me to make successful
>> connections. Would you mind setting that property to false, just to
>> make sure you and I see the same thing?
>>
>> I did go back and run SSLServerSocket-based connections just to see
>> if the session ticket settings had any impact on things, but they
>> don't. I can make connections to a socket based SSL server
>> regardless of the property value on the server side.
>>
>> Thanks,
>>
>> --Jamil
>>
>> On 3/30/2020 5:31 AM, Norman Maurer wrote:
>>> Hey Sean,
>>>
>>> There is not much to share as its just a simple handshake :)
>>>
>>> Anyway here is a reproducer:
>>>
>>> https://github.com/normanmaurer/jdk_ssl_session_context_reproducer
>>>
>>> It basically does nothing more then complete the handshake and then
>>> calling engine.getSession().getSessionContext() which will return
>>> null on the server side since JDK 14 (earlier versions work).
>>> I tested it with TLSv1.2 and TLSv1.3 and both times it produced the
>>> error on JDK 14.
>>>
>>>
>>> Bye
>>> Norman
>>>
>>>
>>>> On 30. Mar 2020, at 13:22, Seán Coffey <sean.coffey at oracle.com
>>>> <mailto:sean.coffey at oracle.com>> wrote:
>>>>
>>>> Looks interesting Norman. Do you want to share some more details
>>>> about the peculiarities of this handshake before considering a
>>>> fully fledged testcase ?
>>>>
>>>> regards,
>>>> Sean.
>>>>
>>>> On 27/03/2020 12:48, Norman Maurer wrote:
>>>>> Hi there,
>>>>>
>>>>> I am just about to add JDK14 to the test matrix for netty and
>>>>> think I found a regression. Before I will invest time to write a
>>>>> standalone reproducer please let me know if you think this is a
>>>>> regression or not.
>>>>> Basically after the handshake is complete
>>>>> SSLEngine.getSession().getSessionContext() returns null on the
>>>>> serverside when using JDK14. Running the same test with any
>>>>> previous version (JDK13 and earlier) doesn’t show the same result.
>>>>>
>>>>> Does this sounds like a regression and if so should I provide a
>>>>> standalone reproducer here ?
>>>>>
>>>>> Bye
>>>>> Norman
>>>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20200331/8cdae97c/attachment.htm>
More information about the security-dev
mailing list