Hi all,

While working on some unit tests in Netty I noticed that there may be a bug in 
the JDK implementation of SSLEngine / SSLSession. If it's not a bug, it is at 
least surprising, I would say.


So it seems like before the handshake all values that are set on the SSLSession 
via putValue are shared across SSLEngine instances. Is this by design or a bug? 
I could not find anything in the Java docs that would tell me this is by 
design. It only states: "Until the initial handshake has completed, this method 
returns a session object which reports an invalid cipher suite of 
“SSL_NULL_WITH_NULL_NULL”." This does not sound like it will be the same object 
every time and so it would share the values.

You can find a reproducer which will throw an exception here:

https://github.com/normanmaurer/jdk_ssl_session_reproducer 


I did reproduce this with the latest Java 8 and Java 11 releases but I am almost 
sure it also exists in other versions.
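The behaviour described in this message can be checked on a given runtime with the following added example, which is not the code from the linked repository and not part of the original message. The class name, the key and the `EngineAttributes` helper are constructed for illustration; the helper is a hypothetical way to keep per-engine state out of the pre-handshake `SSLSession`.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import java.util.HashMap;
import java.util.Map;
import java.util.WeakHashMap;

public class PreHandshakeSessionCheck {
    // Constructed key, used only by this check.
    private static final String KEY = "example.prehandshake.marker";

    /** True if a value put on one engine's pre-handshake session is visible from another engine. */
    static boolean valuesLeakAcrossEngines(SSLContext ctx) {
        // SSLEngine.getSession() does not start a handshake; it returns the current session.
        SSLSession a = ctx.createSSLEngine().getSession();
        SSLSession b = ctx.createSSLEngine().getSession();
        a.putValue(KEY, "set-on-engine-a");
        try {
            return b.getValue(KEY) != null;
        } finally {
            a.removeValue(KEY); // do not leave the marker behind if the session is shared
        }
    }

    /** Hypothetical workaround: hold per-engine state outside SSLSession until the handshake is done. */
    static final class EngineAttributes {
        // Weak keys so entries disappear once an engine is no longer referenced.
        private final Map<SSLEngine, Map<String, Object>> store = new WeakHashMap<>();

        synchronized void put(SSLEngine engine, String name, Object value) {
            store.computeIfAbsent(engine, e -> new HashMap<>()).put(name, value);
        }

        synchronized Object get(SSLEngine engine, String name) {
            Map<String, Object> attrs = store.get(engine);
            return attrs == null ? null : attrs.get(name);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("pre-handshake values shared: " + valuesLeakAcrossEngines(ctx));

        EngineAttributes attrs = new EngineAttributes();
        SSLEngine e1 = ctx.createSSLEngine();
        SSLEngine e2 = ctx.createSSLEngine();
        attrs.put(e1, KEY, "only-for-e1");
        System.out.println("workaround isolates engines: " + (attrs.get(e2, KEY) == null));
    }
}
```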

