RFR: 8237578: JDK-8214339 (SSLSocketImpl wraps SocketException) appears to not be fully fixed [v4]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Sat Jan 9 05:29:57 UTC 2021 

On Sat, 9 Jan 2021 04:56:14 GMT, Clive Verghese <cverghese at openjdk.org> wrote:

>> This PR aims to revert some more cases where SocketExceptions are improperly being wrapped as SSLException. Some work for this was done in [JDK-8235263](https://bugs.openjdk.java.net/browse/JDK-8235263), but that change did not cover all the cases.
>> 
>> As it was mentioned in JDK-8235263, some applications rely on receiving SocketException to decide if the connection should be retried. An example of this would be Apache HTTP client. This PR should ideally fix https://issues.apache.org/jira/browse/HTTPCLIENT-2032
>
> Clive Verghese has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR.

src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java line 1703:

> 1701:         }
> 1702: 
> 1703:         throw conContext.fatal(alert, cause);

It might be not necessary to change the TransportContext by adding a new teardownTransport() method. It would be good to keep the fatal() behavior as if a fatal alter will be sent.  Maybe, the exception thrown by fatal() could be replaced with the socket exception, like:

if (cause instanceof SocketException) {
     try {
        conContext.fatal(alert, cause);
     } catch (Exception) {
        // Just delivering the fatal alert, re-throw the socket exception instead.
     } finally {
        throw (SocketException)cause;
     }
} else {
      throw conContext.fatal(alert, cause);
}

test/jdk/sun/security/ssl/SSLSocketImpl/SSLSocketShouldThrowSocketException.java line 59:

> 57:     static String keyStoreFile = "keystore";
> 58:     static String trustStoreFile = "truststore";
> 59:     static String passwd = "passphrase";

In JSSE testing, we are trying to avoid the dependency on the binary key store files for a while.  Would you like to check out the new template, test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java?  You could refer to test/jdk/sun/security/ssl/ServerHandshaker/AnonCipherWithWantClientAuth.java, or search for "extends SSLSocketTemplate" about how to use the new template.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1968

More information about the security-dev mailing list