RFR: 8367059: DTLS: loss of NewSessionTicket message results in handshake failure [v5]
Daniel Jeliński
djelinski at openjdk.org
Mon Oct 13 13:29:28 UTC 2025

On Sat, 11 Oct 2025 04:36:05 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> If the NewSessionTicket message is lost, the handshake fails on the client side with:
>> javax.net.ssl.SSLHandshakeException: (decrypt_error) The Finished message cannot be verified.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> The fix and unit test for session resumption case

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java line 138:

> 136: isClient ? getClientDTLSContext() : getServerDTLSContext();
> 137: SSLEngine engine = context.createSSLEngine(HOST,
> 138: isClient ? CLIENT_PORT : SERVER_PORT);

Suggestion:

    isClient ? SERVER_PORT : CLIENT_PORT);

Client uses server port, server uses client port.

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java line 541:

> 539: new InetSocketAddress(HOST, SERVER_PORT);
> 540: InetSocketAddress clientSocketAddress =
> 541: new InetSocketAddress(HOST, CLIENT_PORT);

Don't fix ports here. There's a nonzero chance that some other process will take these ports before you.
Use port zero here. The port numbers used in SSLEngine don't need to match the datagram socket; they just need to match between the initial session and the resumption.

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java line 630:

> 628: static int findAvailablePort() {
> 629: try (var socket = new DatagramSocket(0)) {
> 630: return socket.getLocalPort();

You can use a hardcoded number here; it doesn't need to correspond to a real socket.

test/jdk/javax/net/ssl/DTLS/PacketLossRetransmission.java line 97:

> 95: // and resuming sessions.
> 96: SSLEngine clientEngine = testCase.clientContext.createSSLEngine(
> 97: HOST, CLIENT_PORT);

Suggestion:

    HOST, SERVER_PORT);

rationale: see previous comments

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426335814
PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426342510
PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426353394
PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426345242