Possible regression in JDK 14 related to SSLSessionContext / SSLSession on the server side

Jamil Nimeh jamil.j.nimeh at oracle.com
Tue Mar 31 15:35:53 UTC 2020 

Thanks Norman, I'm going to file a bug on this one.  After playing with 
it a bit more I found cases where even SSLServerSockets do run into the 
issue but it doesn't always happen.  Still working on characterizing it.

--Jamil

On 3/31/2020 7:11 AM, Norman Maurer wrote:
> Yes thats about right… if setting to false it works as expected.
>
>
> Bye
> Norman
>
>
>> On 31. Mar 2020, at 01:50, Jamil Nimeh <jamil.j.nimeh at Oracle.Com 
>> <mailto:jamil.j.nimeh at Oracle.Com>> wrote:
>>
>> Hi Norman,
>>
>> I've been able to run your test code and I can reproduce it.  
>> Interestingly enough, it appears to happen when 
>> -Djdk.tls.server.enableSessionTicketExtension=true, which is the 
>> default position.  With session tickets enabled, I would see the 
>> issue in TLS 1.3 and 1.2 connections just as you did.  Setting the 
>> above property to false however allowed me to make successful 
>> connections.  Would you mind setting that property to false, just to 
>> make sure you and I see the same thing?
>>
>> I did go back and run SSLServerSocket-based connections just to see 
>> if the session ticket settings had any impact on things, but they 
>> don't.  I can make connections to a socket based SSL server 
>> regardless of the property value on the server side.
>>
>> Thanks,
>>
>> --Jamil
>>
>> On 3/30/2020 5:31 AM, Norman Maurer wrote:
>>> Hey Sean,
>>>
>>> There is not much to share as its just a simple handshake :)
>>>
>>> Anyway here is a reproducer:
>>>
>>> https://github.com/normanmaurer/jdk_ssl_session_context_reproducer
>>>
>>> It basically does nothing more then complete the handshake and then 
>>> calling engine.getSession().getSessionContext() which will return 
>>> null on the server side since JDK 14 (earlier versions work).
>>> I tested it with TLSv1.2 and TLSv1.3 and both times it produced the 
>>> error on JDK 14.
>>>
>>>
>>> Bye
>>> Norman
>>>
>>>
>>>> On 30. Mar 2020, at 13:22, Seán Coffey <sean.coffey at oracle.com 
>>>> <mailto:sean.coffey at oracle.com>> wrote:
>>>>
>>>> Looks interesting Norman. Do you want to share some more details 
>>>> about the peculiarities of this handshake before considering a 
>>>> fully fledged testcase ?
>>>>
>>>> regards,
>>>> Sean.
>>>>
>>>> On 27/03/2020 12:48, Norman Maurer wrote:
>>>>> Hi there,
>>>>>
>>>>> I am just about to add JDK14 to the test matrix for netty and 
>>>>> think I found a regression. Before I will invest time to write a 
>>>>> standalone reproducer please let me know if you think this is a 
>>>>> regression or not.
>>>>> Basically after the handshake is complete 
>>>>> SSLEngine.getSession().getSessionContext() returns null on the 
>>>>> serverside when using JDK14. Running the same test with any 
>>>>> previous version (JDK13 and earlier) doesn’t show the same result.
>>>>>
>>>>> Does this sounds like a regression and if so should I provide a 
>>>>> standalone reproducer here ?
>>>>>
>>>>> Bye
>>>>> Norman
>>>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20200331/8cdae97c/attachment.htm>

More information about the security-dev mailing list