<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Sorry but I just noticed we still have another integration test failing which tests that client SSL renegotiation is failing. This seems to be not the case anymore with java11 + your patch (it was in ea20 tho).<div class=""><br class=""></div><div class=""><a href="https://github.com/netty/netty/blob/netty-4.1.28.Final/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslClientRenegotiateTest.java" class="">https://github.com/netty/netty/blob/netty-4.1.28.Final/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslClientRenegotiateTest.java</a></div><div class=""><br class=""><div class=""><br class=""></div><div class="">Let me know if I need to dig more into it.</div><div class=""><br class=""></div><div class="">Bye</div><div class="">Norman</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 30. Jul 2018, at 21:54, Norman Maurer <<a href="mailto:norman.maurer@googlemail.com" class="">norman.maurer@googlemail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hey Xuelei,<div class=""><br class=""></div><div class="">I just re-ran our testsuite with your patch and everything passes except two tests. 
After digging a bit I found that we needed to add explicit calls to `SSLEngine.setUseClientMode(false)` now in these tests where we did not need to do this before.</div><div class=""><br class=""></div><div class="">The tests in question are:</div><div class=""><br class=""></div><div class=""><a href="https://github.com/netty/netty/blob/netty-4.1.28.Final/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java#L400" class="">https://github.com/netty/netty/blob/netty-4.1.28.Final/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java#L400</a></div><div class=""><a href="https://github.com/netty/netty/blob/netty-4.1.28.Final/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java#L418" class="">https://github.com/netty/netty/blob/netty-4.1.28.Final/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java#L418</a></div><div class=""><br class=""></div><div class="">Here we use SslContext.getDefault().createSSLEngine() and did not set the mode explicitly before. With the following patch to netty all works when using your patch:</div><div class=""><br class=""></div><div class=""><div class="">diff --git a/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java b/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java</div><div class="">index e982b6a63..40d6e7b59 100644</div><div class="">--- a/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java</div><div class="">+++ b/handler/src/test/java/io/netty/handler/ssl/SslHandlerTest.java</div><div class="">@@ -398,7 +398,9 @@ public class SslHandlerTest {</div><div class=""> </div><div class=""> @Test</div><div class=""> public void testCloseFutureNotified() throws Exception {</div><div class="">- SslHandler handler = new SslHandler(SSLContext.getDefault().createSSLEngine());</div><div class="">+ SSLEngine engine = SSLContext.getDefault().createSSLEngine();</div><div class="">+ engine.setUseClientMode(false);</div><div class="">+ SslHandler handler = new 
SslHandler(engine);</div><div class=""> EmbeddedChannel ch = new EmbeddedChannel(handler);</div><div class=""> </div><div class=""> ch.close();</div><div class="">@@ -417,6 +419,7 @@ public class SslHandlerTest {</div><div class=""> @Test(timeout = 5000)</div><div class=""> public void testEventsFired() throws Exception {</div><div class=""> SSLEngine engine = SSLContext.getDefault().createSSLEngine();</div><div class="">+ engine.setUseClientMode(false);</div><div class=""> final BlockingQueue<SslCompletionEvent> events = new LinkedBlockingQueue<SslCompletionEvent>();</div><div class=""> EmbeddedChannel channel = new EmbeddedChannel(new SslHandler(engine), new ChannelInboundHandlerAdapter() {</div><div class=""> @Override</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">The exception we see without the patch is:</div><div class=""><br class=""></div><div class=""><div class="">java.lang.IllegalStateException: Client/Server mode has not yet been set.</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:98)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.handler.ssl.SslHandler.handshake(SslHandler.java:1731)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.handler.ssl.SslHandler.startHandshakeProcessing(SslHandler.java:1644)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.handler.ssl.SslHandler.handlerAdded(SslHandler.java:1634)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:637)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:235)</div><div class=""><span 
class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:409)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:396)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedChannel$2.initChannel(EmbeddedChannel.java:203)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:115)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:107)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:637)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.access$000(DefaultChannelPipeline.java:46)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1487)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1161)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:686)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:510)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at 
io.netty.channel.AbstractChannel$AbstractUnsafe.register(AbstractChannel.java:476)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedChannel$EmbeddedUnsafe$1.register(EmbeddedChannel.java:773)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedEventLoop.register(EmbeddedEventLoop.java:130)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedEventLoop.register(EmbeddedEventLoop.java:124)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedChannel.setup(EmbeddedChannel.java:208)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedChannel.<init>(EmbeddedChannel.java:167)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedChannel.<init>(EmbeddedChannel.java:148)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedChannel.<init>(EmbeddedChannel.java:135)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.channel.embedded.EmbeddedChannel.<init>(EmbeddedChannel.java:100)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at io.netty.handler.ssl.SslHandlerTest.testCloseFutureNotified(SslHandlerTest.java:404)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at java.base/java.lang.reflect.Method.invoke(Method.java:566)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)</div><div class=""><span 
class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runners.ParentRunner.run(ParentRunner.java:363)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at org.junit.runner.JUnitCore.run(JUnitCore.java:137)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)</div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70)</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">So I have no problem to patch our test-case but I wondered if this may break others in other cases and so is a regression. </div><div class=""><br class=""></div><div class="">Let me know what you think.</div><div class="">Norman</div><div class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 30. Jul 2018, at 20:06, Norman Maurer <<a href="mailto:norman.maurer@googlemail.com" class="">norman.maurer@googlemail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Will do and report back as soon as possible.<br class=""><br class="">Thanks<br class="">Norman<br class=""><br class=""><br class=""><blockquote type="cite" class="">On 30. 
Jul 2018, at 19:57, Xuelei Fan <<a href="mailto:xuelei.fan@oracle.com" class="">xuelei.fan@oracle.com</a>> wrote:<br class=""><br class="">Hi Norman,<br class=""><br class="">Would you mind looking at the code I posted in the following thread:<br class=""><a href="http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017708.html" class="">http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017708.html</a><br class=""><br class="">I would appreciate it if you could have a test by the end of this week.<br class=""><br class="">Note that with this update, a complete TLS connection should close both inbound and outbound explicitly. However, existing applications may not do it this way. If the source code update is not available, please consider using the "jdk.tls.acknowledgeCloseNotify" as a workaround.<br class=""><br class="">Thanks,<br class="">Xuelei<br class=""><br class="">On 7/25/2018 11:22 PM, Norman Maurer wrote:<br class=""><blockquote type="cite" class="">Just FYI… I tested this patch via the netty ssl tests and we no longer see the class-cast-exception problems I reported before so I think this solves the issue.<br class="">That said we still encounter a few test-failures for tests that test behaviour of closing outbound of the SSLEngine but I think these are more related to <a href="http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017633.html" class="">http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017633.html</a> and <a href="http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017566.html" class="">http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017566.html</a> .<br class="">Bye<br class="">Norman<br class=""><blockquote type="cite" class="">On 25. 
Jul 2018, at 20:30, Xuelei Fan <<a href="mailto:xuelei.fan@oracle.com" class="">xuelei.fan@oracle.com</a> <<a href="mailto:xuelei.fan@oracle.com" class="">mailto:xuelei.fan@oracle.com</a>>> wrote:<br class=""><br class="">Hi,<br class=""><br class="">Please review the update for JDK-8208166:<br class=""><a href="http://cr.openjdk.java.net/~xuelei/8208166/webrev.00/" class="">http://cr.openjdk.java.net/~xuelei/8208166/webrev.00/</a> <<a href="http://cr.openjdk.java.net/%7Exuelei/8208166/webrev.00/" class="">http://cr.openjdk.java.net/%7Exuelei/8208166/webrev.00/</a>><br class=""><a href="https://bugs.openjdk.java.net/browse/JDK-8208166" class="">https://bugs.openjdk.java.net/browse/JDK-8208166</a><br class=""><br class="">Thanks,<br class="">Xuelei<br class=""></blockquote></blockquote></blockquote><br class=""></div></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></body></html>