<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Yes, I think so. I'm not sure if we're going to make a separate
issue for this specifically or handle it as part of a larger session
management improvement we're working on.<br>
<br>
--Jamil<br>
<br>
<div class="moz-cite-prefix">On 12/17/2018 11:13 AM, Norman Maurer
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:74038A5B-8170-4746-ABFF-3F55637458EA@googlemail.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    So is what I see something that should be fixed in general?
<div class=""><br class="">
</div>
    <div class="">Like I said, it does not matter if it's TLSv1.3 or
      earlier.</div>
<div class=""><br class="">
</div>
<div class="">Bye</div>
<div class="">Norman</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
          <div class="">On 12. Dec 2018, at 15:42, Norman Maurer &lt;<a
              href="mailto:norman.maurer@googlemail.com" class=""
              moz-do-not-send="true">norman.maurer@googlemail.com</a>&gt;
            wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">Hi
Jamil,
<div class=""><br class="">
</div>
<div class="">This was just noticed during a test which
uses TLS1.2. <br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
                    <div class="">On 12. Dec 2018, at 15:35, Jamil
                      Nimeh &lt;<a
                        href="mailto:jamil.j.nimeh@Oracle.Com"
                        class="" moz-do-not-send="true">jamil.j.nimeh@Oracle.Com</a>&gt;
                      wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
Hi Norman, the new handshaker does return a
new SSLSession object. Part of JDK-8212885
fixes the lack of propagation of session
values across session objects, though that fix
was largely in the context of TLS 1.3. There
is a backport set for it, but it is not yet
complete as far as I'm aware. Are you doing
TLS 1.3 sessions? If so, are you able to try
it with the latest JDK?<br class="">
<br class="">
                        One of the items we're going to be tackling
soon is better TLS session object management
and new session ticket management so we can
avoid these value propagation issues in the
future.<br class="">
<br class="">
--Jamil<br class="">
<br class="">
<div class="moz-cite-prefix">On 12/11/2018
11:59 PM, Norman Maurer wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:F7E8659F-4232-4A5C-A003-CE44F60BF5E7@googlemail.com"
class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8"
class="">
Hi all,
<div class=""><br class="">
</div>
                          <div class="">While working on some unit
                            tests in netty I noticed that there may be
                            a bug in the JDK implementation of
                            SSLEngine / SSLSession. If it's not a bug
                            it is at least surprising I would say.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
                          <div class="">So it seems like before the
                            handshake all values that are set on the
                            SSLSession via putValue are shared across
                            SSLEngine instances. Is this by design or
                            a bug? I could not find anything in the
                            java docs that would tell me this is by
                            design. It only states: "<span
                              style="background-color: rgb(255, 255,
                              255);" class=""><font class=""
                                face="Arial, Helvetica, sans-serif"
                                color="#353833"><span
                                  style="font-size:
                                  12.15999984741211px;" class="">Until
                                  the initial handshake has completed,
                                  this method returns a session object
                                  which reports an invalid cipher
                                  suite of “SSL_NULL_WITH_NULL_NULL”.</span></font></span>" This
                            does not sound like it will be the same
                            object every time and so it would share
                            the values.</div>
<div class=""><br class="">
</div>
<div class="">You can find a reproducer
which will throw an exception here:</div>
<div class=""><br class="">
</div>
<div class=""><a
href="https://github.com/normanmaurer/jdk_ssl_session_reproducer"
class="" moz-do-not-send="true">https://github.com/normanmaurer/jdk_ssl_session_reproducer</a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">I did reproduce this with the
latest java8 and java11 releases but I am
almost sure it also exists in other
versions.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br>
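    A small probe for the behaviour discussed in this thread, added here
    as an example; it is not the linked reproducer and not JDK code. The
    class name, the key string and the exit-code convention are
    assumptions, and the probe reports what the running JDK does rather
    than assuming a result.<br>
    <pre>
```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;

// Added probe, not the linked reproducer. KEY and the class name are constructed.
public class PreHandshakeSessionProbe {
    static final String KEY = "probe.owner";

    // Stores a value on the writer's pre-handshake session and reports
    // whether the reader's pre-handshake session returns it.
    static boolean valueLeaks(SSLEngine writer, SSLEngine reader) {
        SSLSession ws = writer.getSession();
        SSLSession rs = reader.getSession();
        ws.putValue(KEY, "writer-only");
        try {
            return rs.getValue(KEY) != null;
        } finally {
            ws.removeValue(KEY); // do not leave the marker on a shared object
        }
    }

    static SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers and RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx1 = newContext();
        SSLContext ctx2 = newContext();
        SSLEngine a = ctx1.createSSLEngine();
        SSLEngine b = ctx1.createSSLEngine();
        SSLEngine c = ctx2.createSSLEngine();

        boolean sameObject = a.getSession() == b.getSession();
        boolean sameContext = valueLeaks(a, b);
        boolean crossContext = valueLeaks(a, c);

        System.out.println("java.version         = " + System.getProperty("java.version"));
        System.out.println("same session object  = " + sameObject);
        System.out.println("shared, one context  = " + sameContext);
        System.out.println("shared, two contexts = " + crossContext);
        // Non-zero exit lets a CI job flag a runtime where values are shared.
        System.exit(sameContext || crossContext ? 1 : 0);
    }
}
```
    </pre>
    If either "shared" line prints true, anything stored with putValue
    before the handshake completes is visible to other engines on that
    runtime.<br>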
</body>
</html>