<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">This is, AFAICT, expected based on the differences between the socket layers of the various operating systems involved and their handling of closed sockets. If you write a similar test program in C using OS-specific APIs, I believe you will see similar results. I don't think this is a problem with the JDK, nor is it likely to be something that can be fixed in the JDK (since the error reported by the OS is, as far as I know, unlikely to be universally sufficient to extrapolate the exact cause of failure).</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 2, 2020 at 9:14 AM Sean Mullan <<a href="mailto:sean.mullan@oracle.com">sean.mullan@oracle.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Cross-posting to security-dev as SSL is involved.<br>
<br>
--Sean<br>
<br>
On 12/29/19 4:01 PM, Dawid Weiss wrote:<br>
> Hello,<br>
> <br>
> I am a committer to the Apache Lucene project. We have been looking<br>
> into a problem in which SSL connections were handled differently in<br>
> tests on different operating systems and narrowed it down to<br>
> essentially the following scenario (full repro code at [1]):<br>
> <br>
> Server side:<br>
> <br>
> try (ServerSocketChannel serverChannel = ServerSocketChannel.open()) {<br>
> SocketChannel clientChannel = serverChannel.accept();<br>
> clientChannel.close();<br>
> }<br>
> <br>
> Client side:<br>
> <br>
> Socket socket = new Socket();<br>
> socket.connect(target);<br>
> // ... server closes the socket here.<br>
> // Queue some data for writing to the closed socket. This succeeds.<br>
> socket.getOutputStream().write("will succeed?!".getBytes("UTF-8"));<br>
> // Try to read something from the closed socket.<br>
> socket.getInputStream().read(new byte[100]);<br>
> <br>
> The last line of the client results in different behavior between<br>
> operating systems.<br>
> <br>
> 1) Linux, JDK 11, 13, 14: succeeds with -1 (EOF).<br>
> 2) Windows, JDK 11: SocketException ("recv failed") is thrown<br>
> 3) Windows, JDK 13, 14: SocketException (localized message) is thrown<br>
> 4) FreeBSD: SocketException (connection reset) is thrown<br>
> 5) Mac OS X: SocketException (connection reset) is thrown<br>
> <br>
> I admit my original thinking on the Lucene issue (see full discussion<br>
> at [2]) was that it was Windows that was off here (due to<br>
> WSAECONNRESET not being handled at all in SocketInputStream.c [3]).<br>
> Since then (JDK11) the underlying socket implementation has changed<br>
> due to JEP 353 [4] (which Alan Bateman kindly pointed out to me).<br>
> <br>
> But the difference in runtime behavior between Linux and other<br>
> operating systems still exists on both the old and the new<br>
> implementation. I don't know whether it's something that should be<br>
> qualified as platform-specific but it causes additional problems when<br>
> it triggers somewhere deep inside the SSL handling layer -- then the<br>
> application-level code receives a different exception depending on<br>
> where it's run (an SSLException with a suppressed SocketException or a<br>
> SocketException directly).<br>
> <br>
> I don't have any ideas about what a "good" fix for this is but I'm<br>
> curious what others think.<br>
> <br>
> Dawid<br>
> <br>
> [1] <a href="https://issues.apache.org/jira/secure/attachment/12989538/RecvRepro.java" rel="noreferrer" target="_blank">https://issues.apache.org/jira/secure/attachment/12989538/RecvRepro.java</a><br>
> [2] <a href="https://issues.apache.org/jira/browse/SOLR-13778" rel="noreferrer" target="_blank">https://issues.apache.org/jira/browse/SOLR-13778</a><br>
> [3] <a href="https://github.com/openjdk/jdk14/blob/f58a8cbed2ba984ceeb9a1ea59f917e3f9530f1e/src/java.base/windows/native/libnet/SocketInputStream.c#L120-L154" rel="noreferrer" target="_blank">https://github.com/openjdk/jdk14/blob/f58a8cbed2ba984ceeb9a1ea59f917e3f9530f1e/src/java.base/windows/native/libnet/SocketInputStream.c#L120-L154</a><br>
> [4] <a href="https://openjdk.java.net/jeps/353" rel="noreferrer" target="_blank">https://openjdk.java.net/jeps/353</a><br>
> <br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">- DML</div>
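<div>The C comparison suggested in the reply above, as an added example that is not part of the original thread or of the JDK: a POSIX-sockets loopback version of the scenario, with the OS-specific read results folded into one outcome. The names <code>classify_read</code> and <code>run_repro</code> are hypothetical, and treating <code>EPIPE</code> like <code>ECONNRESET</code> is an assumption of this example.</div>

```c
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum outcome { PEER_CLOSED, GOT_DATA, OTHER_ERROR, SETUP_FAILED };
/* Fold the platform-specific results of reading from a peer-closed socket:
 * clean EOF (0) and ECONNRESET/EPIPE (assumed equivalent) mean "peer gone". */
enum outcome classify_read(ssize_t n, int err) {
    if (n > 0) return GOT_DATA;
    if (n == 0) return PEER_CLOSED;
    return (err == ECONNRESET || err == EPIPE) ? PEER_CLOSED : OTHER_ERROR;
}

/* Loopback version of the thread's scenario: the server accepts and closes,
 * then the client writes and reads. Reports the raw recv() result and errno. */
enum outcome run_repro(ssize_t *n_out, int *err_out) {
    struct sockaddr_in a = { .sin_family = AF_INET };   /* port 0: kernel picks */
    socklen_t len = sizeof a;
    struct timeval tv = { 2, 0 };                       /* recv() timeout */
    char buf[100];
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0), conn = -1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    signal(SIGPIPE, SIG_IGN);                           /* errors, not signals */
    if (ls < 0 || cs < 0 || bind(ls, (struct sockaddr *)&a, sizeof a) < 0 ||
        listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&a, &len) < 0 ||
        connect(cs, (struct sockaddr *)&a, sizeof a) < 0 ||
        (conn = accept(ls, NULL, NULL)) < 0) {
        close(ls); close(cs); return SETUP_FAILED;
    }
    close(conn);                                        /* server closes */
    setsockopt(cs, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    (void)send(cs, "will succeed?!", 14, 0);            /* write to closed peer */
    poll(NULL, 0, 100);                                 /* 100 ms for FIN/RST */
    *n_out = recv(cs, buf, sizeof buf, 0);
    *err_out = *n_out < 0 ? errno : 0;
    close(cs); close(ls);
    return classify_read(*n_out, *err_out);
}

int main(void) {
    ssize_t n = 0; int err = 0;
    enum outcome o = run_repro(&n, &err);
    printf("recv=%zd errno=%d outcome=%d\n", n, err, (int)o);
    return o == PEER_CLOSED ? 0 : 1;
}
```

<div>The raw <code>recv()</code> value and <code>errno</code> printed by <code>main</code> are what differ per operating system; callers that only need to know the peer is gone can branch on the folded outcome instead.</div>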