- Sub-task
- Resolution: Delivered
- P3
- 8u361, 11.0.18-oracle, 17.0.6-oracle, 19

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8305579 | 17.0.6-oracle | Marc Palmerjohnson | P3 | Resolved | Delivered | |
JDK-8305581 | 11.0.18-oracle | Marc Palmerjohnson | P3 | Resolved | Delivered | |
JDK-8305580 | 8u361 | Marc Palmerjohnson | P3 | Resolved | Delivered | |

The SunJSSE close notification checks for `SSLEngine` have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also [JDK-8253368](https://bugs.openjdk.org/browse/JDK-8253368).

Specifically, if an application tries to close its `SSLEngine` inbound side using `SSLEngine.closeInbound()` without having received a close notification message from its peer, the `SSLEngine` will no longer:

1. trigger the transmission of a TLS fatal-level alert to the peer, and
2. invalidate the current TLS session.

The new behavior still treats this condition as an error and throws a local `javax.net.ssl.SSLException`. However, no fatal-level alert is generated for the peer, and the underlying session remains valid.

In addition, the internal transport context for the `SSLEngine` will also now be closed. This may result in a different `SSLEngineResult.HandshakeStatus` value on the `SSLEngine`. Any outstanding outbound data must still be obtained (`SSLEngine.wrap()`) and sent in order to gracefully close the connection.
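
How an application might handle the end-of-stream case described above, as an added example that is not part of the original release note or of the JDK. The class and method names (`CloseInboundExample`, `closeInboundAtEof`, `drainOutbound`) are hypothetical, and `main` uses a client engine with no peer, so no close notification is ever received.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

// Added example with hypothetical names; not JDK code.
public class CloseInboundExample {

    // Call when the transport reports end-of-stream. Returns true if the
    // engine reports that the inbound side could not be closed cleanly.
    static boolean closeInboundAtEof(SSLEngine engine) {
        try {
            engine.closeInbound();
            return false;
        } catch (SSLException e) {
            // Still a local error: treat the received data as possibly
            // truncated. Per the release note, no fatal alert is queued for
            // the peer and the TLS session is not invalidated.
            return true;
        }
    }

    // Collect whatever the engine still wants to send, so the caller can
    // write it to the socket before closing the connection.
    static ByteBuffer drainOutbound(SSLEngine engine) throws SSLException {
        engine.closeOutbound();
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        ByteBuffer empty = ByteBuffer.allocate(0);
        while (!engine.isOutboundDone()) {
            SSLEngineResult r = engine.wrap(empty, net);
            if (r.bytesProduced() == 0) break; // no progress: stop, do not spin
        }
        net.flip();
        return net;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        engine.beginHandshake(); // handshake started; nothing arrives from a peer
        boolean errorOnClose = closeInboundAtEof(engine);
        ByteBuffer toSend = drainOutbound(engine);
        System.out.println("closeInbound() threw SSLException: " + errorOnClose);
        System.out.println("handshake status: " + engine.getHandshakeStatus());
        System.out.println("bytes still to send: " + toSend.remaining());
    }
}
```
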
- backported by
  - JDK-8305579 Release Note: Change in SSLEngine.closeInbound() Behavior (Resolved)
  - JDK-8305580 Release Note: Change in SSLEngine.closeInbound() Behavior (Resolved)
  - JDK-8305581 Release Note: Change in SSLEngine.closeInbound() Behavior (Resolved)