Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8240871

SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3

XMLWordPrintable

    • b26
    • x86_64
    • generic
    • Verified

        This was originally raised as an issue against Apache Tomcat:
        https://bz.apache.org/bugzilla/show_bug.cgi?id=63892

        Reproduction steps with Tomcat (including key stores and Tomcat configuration) are in that report. The summary is:
        - Java 13.0.1+9
        - Tomcat 9 latest release (or latest source)
        - TLSv1.3
        - client authentication required
        - Firefox client in private browsing mode

        Debugging of the TLS handshake in Tomcat (https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/net/SecureNioChannel.java#L169) shows that in private browsing mode the penultimate SSLEngine handshake status is NEED_TASK.
        There is a single task containing 3 entries in the DelegatedAction map.
        The final entry in that Map ends up in T13FinishedConsumer which in turn leads to...
        TransportContext.finishHandshake(). While this method returns HandshakeStatus.FINISHED, the return value is ignored. As soon as that method sets handshakeContext=null, the SSLEngine handshake status is NOT_HANDSHAKING. This breaks Tomcat's TLS handshake code as Tomcat expects the SSLEngine handshake status to be FINISHED.

        When Firefox is used in non-private browsing mode the penultimate SSLEngine handshake status is NEED_WRAP which becomes FINISHED after the write.

              xuelei Xuelei Fan
              markt Mark Thomas
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: