- Bug
- Resolution: Fixed
- P3
- 11.0.2, 11.0.5-oracle, 13.0.1, 14
- b13
- x86_64
- generic
- Fix failed
This was originally raised as an issue against Apache Tomcat:
https://bz.apache.org/bugzilla/show_bug.cgi?id=63892
Reproduction steps with Tomcat (including key stores and Tomcat configuration) are in that report. The summary is:
- Java 13.0.1+9
- Tomcat 9 latest release (or latest source)
- TLSv1.3
- client authentication required
- Firefox client in private browsing mode
Debugging of the TLS handshake in Tomcat (https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/net/SecureNioChannel.java#L169) shows that in private browsing mode the penultimate SSLEngine handshake status is NEED_TASK.
There is a single task containing 3 entries in the DelegatedAction map.
The final entry in that Map ends up in T13FinishedConsumer which in turn leads to...
TransportContext.finishHandshake(). While this method returns HandshakeStatus.FINISHED, the return value is ignored. As soon as that method sets handshakeContext=null, the SSLEngine handshake status is NOT_HANDSHAKING. This breaks Tomcat's TLS handshake code as Tomcat expects the SSLEngine handshake status to be FINISHED.
When Firefox is used in non-private browsing mode the penultimate SSLEngine handshake status is NEED_WRAP which becomes FINISHED after the write.
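The status sequence described above (NEED_TASK, then NOT_HANDSHAKING instead of FINISHED once the last delegated task has consumed the peer's Finished message) is exactly the transition an SSLEngine handshake loop has to tolerate. The following Java driver is an added example, not code from this report, from the JDK or from Tomcat: it runs delegated tasks, re-reads the engine status afterwards, and treats NOT_HANDSHAKING as completion only when the engine already carries an established session. The helper names (`handshakeStep`, `handshakeComplete`, `sessionEstablished`) and the null-suite check used to detect an established session are this example's own assumptions. `main` only performs the first client step offline (it needs no peer, so it cannot reach the NEED_TASK path itself).

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;

/**
 * Handshake driver that tolerates the NEED_TASK -> NOT_HANDSHAKING transition described in
 * this report (TLSv1.3 with client authentication). The completion check below is an
 * assumption made by this example; it is not the JDK's or Tomcat's own code.
 */
public class HandshakeStatusCheck {

    /** Drains the engine's delegated task queue and returns the status the engine reports afterwards. */
    static HandshakeStatus runDelegatedTasks(SSLEngine engine) {
        Runnable task;
        while ((task = engine.getDelegatedTask()) != null) {
            task.run();
        }
        return engine.getHandshakeStatus();
    }

    /**
     * Assumption: a session counts as established once the engine's connection session carries a
     * real cipher suite; before the first handshake completes JSSE reports the null suite.
     */
    static boolean sessionEstablished(SSLEngine engine) {
        return !"SSL_NULL_WITH_NULL_NULL".equals(engine.getSession().getCipherSuite());
    }

    /**
     * Treat the handshake as complete on FINISHED, as callers normally do, and also on
     * NOT_HANDSHAKING when a session is already established. The second case covers the
     * sequence from this report: the last delegated task consumes the peer's Finished message,
     * finishHandshake() returns FINISHED internally but the value is dropped, and the engine
     * then answers getHandshakeStatus() with NOT_HANDSHAKING.
     */
    static boolean handshakeComplete(SSLEngine engine, HandshakeStatus status) {
        if (status == HandshakeStatus.FINISHED) {
            return true;
        }
        return status == HandshakeStatus.NOT_HANDSHAKING && sessionEstablished(engine);
    }

    /** One step of the handshake state machine; returns true once the handshake is complete. */
    static boolean handshakeStep(SSLEngine engine, ByteBuffer netIn, ByteBuffer netOut,
                                 ByteBuffer app) throws SSLException {
        HandshakeStatus status = engine.getHandshakeStatus();
        switch (status) {
            case NEED_WRAP: {
                SSLEngineResult r = engine.wrap(app, netOut);
                status = r.getHandshakeStatus();
                break;
            }
            case NEED_UNWRAP: {
                SSLEngineResult r = engine.unwrap(netIn, app);
                status = r.getHandshakeStatus();
                break;
            }
            case NEED_TASK:
                // Do not assume FINISHED will be reported here: re-read the status after the tasks ran.
                status = runDelegatedTasks(engine);
                break;
            default:
                break;
        }
        return handshakeComplete(engine, status);
    }

    /** Runs the first client step offline: emits a ClientHello and reports the resulting status. */
    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(new String[] {"TLSv1.3"});
        engine.beginHandshake();

        int netSize = engine.getSession().getPacketBufferSize();
        ByteBuffer netOut = ByteBuffer.allocate(netSize);
        ByteBuffer netIn = ByteBuffer.allocate(netSize);
        ByteBuffer app = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());

        System.out.println("before step: " + engine.getHandshakeStatus());
        boolean done = handshakeStep(engine, netIn, netOut, app);
        System.out.println("after step: " + engine.getHandshakeStatus()
                + ", ClientHello bytes=" + netOut.position() + ", complete=" + done);
        System.out.println("session established: " + sessionEstablished(engine));
    }
}
```

The point of `handshakeComplete` is that the engine status alone is not enough to tell "handshake just finished" from "no handshake in progress" once FINISHED has been swallowed; checking that a session exists disambiguates the two without depending on which JDK build is in use.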
- is cloned by JDK-8240871 SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3 (Closed)