SSLSocketImpl improperly wraps SocketException in SSLProtocolException

Oleg Golberg ogolberg at
Wed Nov 21 18:31:40 UTC 2018


I'd like to report a potential SSLSocketImpl bug in OpenJDK-11.

It appears that the TLS1.3-related work in OpenJDK-11 changed
SSLSocketImpl.handleException to wrap underlying SocketExceptions in

Specifically, before TLS1.3 changes, handleException simply rethrows
IOExceptions (here:
After TLS1.3 changes, handleException pipes a SocketException into
.fatal(..) and then into Alert.UNEXPECTED_MESSAGE.createSslException which
ultimately wraps the cause in an SSLProtocolException.

First, this contradicts the SSLProtocolException javadoc which says that an
SSLProtocolException "Reports an error in the operation of the SSL
protocol. Normally this indicates a flaw in one of the protocol

Additionally, there's existing, widely used code that relies on
SocketExceptions being rethrown here. A good example is Apache HttpClient
whose default retry logic excludes all SSLExceptions from being retried


- Oleg

More information about the jdk-dev mailing list