Re: RFR: 8367059: DTLS: loss of NewSessionTicket message results in handshake failure [v5]

Sat, 18 Oct 2025 09:01:10 -0700 

On Sat, 11 Oct 2025 04:36:05 GMT, Artur Barashev <[email protected]> wrote:

>> If the NewSessionTicket message is lost, the handshake fails on the client 
>> side with:
>> javax.net.ssl.SSLHandshakeException: (decrypt_error) The Finished message 
>> cannot be verified.
>
> Artur Barashev has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   The fix and unit test for session resumption case

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java line 138:

> 136:                 isClient ? getClientDTLSContext() : 
> getServerDTLSContext();
> 137:         SSLEngine engine = context.createSSLEngine(HOST,
> 138:                 isClient ? CLIENT_PORT : SERVER_PORT);

Suggestion:

                isClient ? SERVER_PORT : CLIENT_PORT);

Client uses server port, server uses client port.

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java line 541:

> 539:                 new InetSocketAddress(HOST, SERVER_PORT);
> 540:         InetSocketAddress clientSocketAddress =
> 541:                 new InetSocketAddress(HOST, CLIENT_PORT);

Don't fix ports here. There's a nonzero chance that some other process will 
take these ports before you.

Use port zero here. The port numbers used in SSLEngine don't need to match the 
datagram socket, they just need to match between the initial session and the 
resumption.

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java line 630:

> 628:     static int findAvailablePort() {
> 629:         try (var socket = new DatagramSocket(0)) {
> 630:             return socket.getLocalPort();

You can use a hardcoded number here; it doesn't need to correspond to a real 
socket.

test/jdk/javax/net/ssl/DTLS/PacketLossRetransmission.java line 97:

> 95:             // and resuming sessions.
> 96:             SSLEngine clientEngine = 
> testCase.clientContext.createSSLEngine(
> 97:                     HOST, CLIENT_PORT);

Suggestion:

                    HOST, SERVER_PORT);

rationale: see previous comments

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426335814
PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426342510
PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426353394
PR Review Comment: https://git.openjdk.org/jdk/pull/27677#discussion_r2426345242

Reply via email to