Hi,

Debugging a session resumption issue, I found that SSLEngine.closeInbound will always invalidate the TLS session if no close_notify alert has been received.
This behavior is no longer mandated by the TLS specification (RFC 5246 7.2.1):

   close_notify
      This message notifies the recipient that the sender will not send
      any more messages on this connection. Note that as of TLS 1.1,
      failure to properly close a connection no longer requires that a
      session not be resumed. This is a change from TLS 1.0 to conform
      with widespread implementation practice.

and there are a couple of broken clients around that do not send close_notify at all (e.g. the Microsoft ones) so the current behavior will cause failed resumptions/full handshakes for these clients.

Any thoughts on this?

regards
Moritz