[External] : Re: [Internet]Recent SSLSocket close() @apiNote Changes.

Bradford Wetmore bradford.wetmore at oracle.com
Sat Mar 5 00:46:36 UTC 2022


On 3/2/2022 11:46 PM, xueleifan(XueleiFan) wrote:

> I think you are right that this design is actually for TLSv1.3 half-close mode.  For TLS 1.3,  there is no duplex closure design.  The close() implementation in JDK is actually a workaround for compatibility.  Application can use either the half-close mode
>    socket.shutdownOutput();
>    socket.shutdownInput();
> 
> or duplex close mode for compatibilty:
>    socket.close();
> 
> Unfortunately, in practice the half-close and duplex close are mixed with three lines:
>    socket.shutdownOutput();
>    socket.shutdownInput();
>    socket.close();

Yeah, I've seen that in things like Apache HttpClient Core, which has 
subsequently been removed.

How about something like this:

http://cr.openjdk.java.net/~wetmore/8282529/webrev.00/

Thanks,

Brad



> It was not something I expected when I designed the spec for half-close mode.  It should be helpful if having another iteration for the @apiNote.
> 
> Thanks,
> Xuelei
> 
> 
>> On Mar 2, 2022, at 5:14 PM, Bradford Wetmore <bradford.wetmore at oracle.com> wrote:
>>
>>
>> Hi Xuelei,
>>
>> I am working on some close code including the recent PR[1] for:
>>
>>     8282529: Fix API Note in javadoc for javax.net.ssl.SSLSocket
>>
>> and ran into a change I hadn't noticed before.
>>
>> * @apiNote
>> * When the connection is no longer needed, the client and server
>> * applications should each close both sides of their respective connection.
>> * For {@code SSLSocket} objects, for example, an application can call
>> * {@link Socket#shutdownOutput()} for output stream close and call
>> * {@link Socket#shutdownInput()} for input stream close.
>>
>> It used to be that just a single SSLSocket.close() was sufficient to completely shutdown the SSLSocket, and under the hood it closed the output/input in the right order.
>>
>> I believe this code still closes everything as before, but the updated @apiNote encourages the user to do a three-part shutdown instead.
>>
>>    socket.shutdownOutput();
>>    socket.shutdownInput();
>>    socket.close();            // mostly repeats of above.
>>
>> This approach seems unnecessary unless the user is interested in the TLSv1.3 half-close mode.
>>
>> What is the rationale for recommending this way of doing closes in general?  Or does this @apiNote need another iteration?
>>
>> Thanks,
>>
>> Brad
>>
>> [1] https://urldefense.com/v3/__https://github.com/openjdk/jdk/pull/7648__;!!ACWV5N9M2RV99hQ!cHw7i1wGs-eyCPUcrFXtAdFiUZL6aCPUGpGEQ9u56HHSuwew1j6YHapR8sSefEwr7TRXKQ$
>>
> 



More information about the security-dev mailing list