Yes, I should be able to take a look this week.

> On Jul 30, 2018, at 12:13 PM, Xuelei Fan <xuelei....@oracle.com> wrote:
> 
> Hi Tim,
> 
> Would you mind looking at the code I posted in the following thread:
> http://mail.openjdk.java.net/pipermail/security-dev/2018-July/017708.html
> 
> In the update, we are trying to make the synchronization simpler and more 
> robust.  I would appreciate it if you could comment by the end of this week.
> 
> Note that with this update, a complete TLS connection should close both 
> inbound and outbound explicitly.  However, existing applications may not have 
> done it this way because TLS 1.2 and prior versions can work around it.  But 
> for TLS 1.3, it is possible to hang the application if the connection is not 
> closed.  If the source code update is not available, please consider using the 
> "jdk.tls.acknowledgeCloseNotify" System Property as a workaround.
> 
> Thanks,
> Xuelei
> 
> On 7/18/2018 11:51 AM, Tim Brooks wrote:
>> Yes. I can test once there is a patch. My inquiry was motivated by some work 
>> on Elasticsearch fyi. I can test a patch against that work.
>> https://github.com/elastic/elasticsearch/issues/32144
>> - Tim
>>> On Jul 17, 2018, at 8:40 PM, Xuelei Fan <xuelei....@oracle.com 
>>> <mailto:xuelei....@oracle.com>> wrote:
>>> 
>>> Hi,
>>> 
>>> We are working on the JDK 11 close issue.
>>> https://bugs.openjdk.java.net/browse/JDK-8207009
>>> 
>>> I would appreciate it if you can help test if we have a patch.
>>> 
>>> Thanks,
>>> Xuelei
>>> 
>>> On 7/17/2018 4:26 PM, Tim Brooks wrote:
>>>> My understanding is that when you are interested in closing the underlying 
>>>> socket when using the SSLEngine, you must call closeOutbound() and WRAP 
>>>> and UNWRAP until both isInboundDone() and isOutboundDone() return true.
>>>> One edge case of this is if you are interested in closing the socket prior 
>>>> to the completion of a handshake. In JDK 10.0.1 (and I believe prior JDKs) 
>>>> this was the behavior for one way in which this arises:
>>>> 1. Initiate handshake
>>>> 2. UNWRAP data from client
>>>> 3. WRAP data to send to client. Handshake status is "NEED_UNWRAP"
>>>> 4. Call closeOutbound() (perhaps the server is shutting down and you want 
>>>> to close the connection).
>>>> 5. Handshake status now returns "NEED_WRAP"
>>>> JDK10:
>>>> isInboundDone() - returns false
>>>> isOutboundDone() - returns false
>>>> A call to wrap() produces 7 bytes and status = CLOSED. Handshake status is 
>>>> now NEED_UNWRAP.
>>>> isInboundDone() - returns false
>>>> isOutboundDone() - returns true
>>>> JDK11:
>>>> isInboundDone() - returns true
>>>> isOutboundDone() - returns false
>>>> A call to wrap() throws the following exception:
>>>> javax.net.ssl.SSLException: Cannot kickstart, the connection is broken or closed
>>>> at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:205)
>>>> at java.base/sun.security.ssl.SSLEngineImpl.writeRecord(SSLEngineImpl.java:167)
>>>> at java.base/sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:138)
>>>> at java.base/sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:116)
>>>> at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:471)
>>>> I’m not sure what the procedure for closing a connection prior to 
>>>> handshake completion is for TLS. But obviously this is a scenario that can 
>>>> arise. It seems wrong to me that the state transitions for the SSLEngine 
>>>> do not handle this. The fact that “isOutboundDone()” returns false, but I 
>>>> cannot WRAP seems to be an issue.
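
Added example, not part of the thread or of the JDK patch: a defensive version of the close sequence Tim describes (closeOutbound(), then WRAP until the outbound side is done) that is bounded and tolerates the SSLException reported for JDK 11 when the close happens before the handshake completes. The class name, the helper `drainOutboundClose` and the peer name are hypothetical; the engine runs in client mode here only so that no key material is needed.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class EngineCloseDemo {
    // Hypothetical helper: close the outbound side and collect the records
    // (e.g. a close_notify alert) that must be written to the socket.
    static ByteBuffer drainOutboundClose(SSLEngine engine) {
        ByteBuffer empty = ByteBuffer.allocate(0);
        ByteBuffer net = ByteBuffer.allocate(2 * engine.getSession().getPacketBufferSize());
        engine.closeOutbound();
        // Bounded loop: do not spin if the engine state never advances.
        for (int i = 0; i < 8 && !engine.isOutboundDone(); i++) {
            try {
                SSLEngineResult r = engine.wrap(empty, net);
                if (r.getStatus() != SSLEngineResult.Status.CLOSED && r.bytesProduced() == 0) {
                    break; // no progress (or BUFFER_OVERFLOW); stop and close the socket
                }
            } catch (SSLException e) {
                // Case reported in the thread: wrap() throws while
                // isOutboundDone() is still false. Nothing more can be sent.
                break;
            }
        }
        net.flip();
        return net;
    }

    public static void main(String[] args) throws Exception {
        // Constructed peer name; no network I/O happens in this demo.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("peer.invalid", 443);
        engine.setUseClientMode(true);
        engine.beginHandshake();
        ByteBuffer hello = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), hello); // first flight; handshake now in progress
        ByteBuffer closeBytes = drainOutboundClose(engine);
        try {
            engine.closeInbound(); // transport is gone; peer's close_notify never arrived
        } catch (SSLException expected) {
            // closeInbound() may throw when no close_notify was received
        }
        System.out.println("bytes to flush=" + closeBytes.remaining()
                + " outboundDone=" + engine.isOutboundDone()
                + " inboundDone=" + engine.isInboundDone());
    }
}
```

Running it on different JDK releases and comparing the printed flags shows which of the state transitions described above a given runtime follows.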
