- Bug
- Resolution: Fixed
- P3
- None
- b22

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8296232 | 17.0.6 | Goetz Lindenmaier | P3 | Resolved | Fixed | b02 |
JDK-8304057 | 11.0.20 | Zdenek Zambersky | P3 | Resolved | Fixed | b01 |
JDK-8304167 | openjdk8u382 | Zdenek Zambersky | P3 | Resolved | Fixed | b01 |
As I understand it, usage of the user_canceled alert before close is a workaround for an issue of not being able to cleanly initialize a full (duplex) close of a TLS 1.3 connection (the other side is not required to immediately close after receiving close_notify, unlike in earlier TLS versions). Some legacy programs could probably hang or something, expecting socket.close to perform an immediate duplex close. The problem is that this is not what the user_canceled alert is intended for [2], and it is therefore undefined how the other side handles this. (JDK itself replies to close_notify preceded by a user_canceled alert by immediately closing its output [3].)
This fix disables this workaround when it is not necessary (the connection is already half-closed by the other side). This way it fixes my case (a gnutls client connected to a JDK server initiates the close) and it should be safe. (As removing the workaround altogether could probably reintroduce issues for legacy apps...)
I also ran jdk_security tests locally, which passed for me.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1918473
[2] https://datatracker.ietf.org/doc/html/rfc8446#section-6.1
[3] jdk/src/java.base/share/classes/sun/security/ssl/Alert.java, line 243 in b6c35ae: `if (alert == Alert.CLOSE_NOTIFY) {`
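
To check which closing sequence a peer actually sends when diagnosing a case like the one described above, the alert records of one direction can be classified. This is an added example, not code from the JDK or from the bug report: the function names and sample byte strings are constructed, and it assumes the alert bodies have already been decrypted (TLS 1.3 encrypts alerts).

```python
# Added example: classify the alerts one TLS peer sends while closing.
# Each input item is the plaintext body of one alert record: two bytes,
# (level, description), as defined in RFC 8446 section 6.
CLOSE_NOTIFY = 0     # AlertDescription close_notify
USER_CANCELED = 90   # AlertDescription user_canceled


def parse_alert(body: bytes):
    """Return (level, description) for one alert body."""
    # TLS 1.3 forbids fragmenting or coalescing alerts, so anything that is
    # not exactly two bytes is malformed.
    if len(body) != 2:
        raise ValueError("alert body must be 2 bytes, got %d" % len(body))
    # The level byte is returned but not validated: in TLS 1.3 the severity
    # is implied by the description.
    return body[0], body[1]


def classify_close(alert_bodies):
    """Label the closing alert sequence seen in one direction."""
    descs = [parse_alert(b)[1] for b in alert_bodies]
    if CLOSE_NOTIFY not in descs:
        return "no close_notify"               # abortive or truncated close
    first = descs.index(CLOSE_NOTIFY)
    if first != len(descs) - 1:
        return "alerts after close_notify"     # sender kept writing alerts
    if first == 0:
        return "close_notify only"             # plain orderly close
    if descs[:first] == [USER_CANCELED]:
        return "user_canceled then close_notify"   # the workaround pattern
    return "other alerts before close_notify"


# Constructed samples (not captured traffic).
SAMPLES = {
    "workaround in use": [bytes([1, USER_CANCELED]), bytes([1, CLOSE_NOTIFY])],
    "workaround skipped": [bytes([1, CLOSE_NOTIFY])],
    "socket dropped": [],
}

if __name__ == "__main__":
    for name, bodies in SAMPLES.items():
        print(name, "->", classify_close(bodies))
```
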
- backported by
  - JDK-8296232 SSLSocketImpl should not use user_canceled workaround when not necessary (Resolved)
  - JDK-8304057 SSLSocketImpl should not use user_canceled workaround when not necessary (Resolved)
  - JDK-8304167 SSLSocketImpl should not use user_canceled workaround when not necessary (Resolved)
- relates to
  - JDK-8323517 SSLSocketImpl should not use user_canceled workaround with TLS 1.3 (Open)
- links to
  - Commit openjdk/jdk8u-dev/d6f81510
  - Commit openjdk/jdk11u-dev/e80528bf
  - Commit openjdk/jdk17u-dev/eef3c960
  - Commit openjdk/jdk/7e88ff8a
  - Review openjdk/jdk8u-dev/284
  - Review openjdk/jdk11u-dev/1796
  - Review openjdk/jdk17u-dev/709
  - Review openjdk/jdk/7664