<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">So is what I see something that should be fixed in general ?<div class=""><br class=""></div><div class="">Like I said it does not matter if its TLSv1.3 or earlier.</div><div class=""><br class=""></div><div class="">Bye</div><div class="">Norman</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 12. Dec 2018, at 15:42, Norman Maurer <<a href="mailto:norman.maurer@googlemail.com" class="">norman.maurer@googlemail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Jamil,<div class=""><br class=""></div><div class="">This was just noticed during a test which uses TLS1.2. <br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 12. Dec 2018, at 15:35, Jamil Nimeh <<a href="mailto:jamil.j.nimeh@Oracle.Com" class="">jamil.j.nimeh@Oracle.Com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
Hi Norman, the new handshaker does return a new SSLSession object.
Part of JDK-8212885 fixes the lack of propagation of session values
across session objects, though that fix was largely in the context
of TLS 1.3. There is a backport set for it, but it is not yet
complete as far as I'm aware. Are you doing TLS 1.3 sessions? If
so, are you able to try it with the latest JDK?<br class="">
<br class="">
One of the items we're going to be tacking soon is better TLS
session object management and new session ticket management so we
can avoid these value propagation issues in the future.<br class="">
<br class="">
--Jamil<br class="">
<br class="">
<div class="moz-cite-prefix">On 12/11/2018 11:59 PM, Norman Maurer
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:F7E8659F-4232-4A5C-A003-CE44F60BF5E7@googlemail.com" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
Hi all,
<div class=""><br class="">
</div>
<div class="">While working on some unit tests in netty I noticed
that there may be a bug in the JDK implementation of SSLEngine /
SSLSession. If its not a but it is at least surprising I would
say.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">So it seems like before the handshake all values
that are set on the SSLSession via putValue are shared across
SSLEngine instances. Is this by design or a bug ? I could not
find anything I the java docs that would tell me this is by
design. It only states: "<span style="background-color: rgb(255,
255, 255);" class=""><font class="" face="Arial, Helvetica,
sans-serif" color="#353833"><span style="font-size:
12.15999984741211px;" class="">Until the initial handshake
has completed, this method returns a session object which
reports an invalid cipher suite
of “SSL_NULL_WITH_NULL_NULL”. </span></font></span>This
does not sound like it will be the same object every time and so
it would share the values.</div>
<div class=""><br class="">
</div>
<div class="">You can find a reproducer which will throw an
exception here:</div>
<div class=""><br class="">
</div>
<div class=""><a href="https://github.com/normanmaurer/jdk_ssl_session_reproducer" class="" moz-do-not-send="true">https://github.com/normanmaurer/jdk_ssl_session_reproducer</a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">I did reproduce this with the latest java8 and
java11 releases but I am almost sure it also exists in other
versions.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</blockquote>
<br class="">
</div>
</div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></body></html>