JDK-8042982 : Unexpected RuntimeExceptions being thrown by SSLEngine
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 6u71
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2014-05-13
  • Updated: 2016-06-13
  • Resolved: 2014-08-01
  • JDK 6: 6u105 (Fixed)
  • JDK 7: 7u76 (Fixed)
  • JDK 9: 9 b26 (Fixed)
Description
Based on an internal email discussion, this was pointed out. 

    java.lang.RuntimeException: Could not generate secret
            at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:973)
            at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)
            at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:753)
            at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)

I note that DHCrypt/ECDHCrypto have this message.  During the processing of other messages, we check to see if there was an exception thrown and then wrap it, but we don't do that there.  Several examples:

        SecretKey getAgreedSecret(...) {
        ...deleted...
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Could not generate secret", e);
        } catch (java.io.IOException e) {
            throw new RuntimeException("Could not generate secret", e);
        }

and then in the handshakers:

        case K_DHE_RSA:
        case K_DHE_DSS:
        case K_DH_ANON:
            preMasterSecret = dh.getAgreedSecret(serverDH, true);
            break;
        case K_ECDHE_RSA:
        case K_ECDHE_ECDSA:
        case K_ECDH_ANON:
            preMasterSecret = ecdh.getAgreedSecret(ephemeralServerKey);
            break;

A RTE will propagate all the way out.

In other spots of the code (e.g. server_key_exchange), we do:

     try {
         this.serverKeyExchange(new RSA_ServerKeyExchange(input));
     } catch (GeneralSecurityException e) {
         throwSSLException("Server key", e);
     }
     break;

We should also look to see where else this is done.
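
The failure mode described above, as an added Java 8+ example (not JDK source and not part of the original report): a key agreement between keys from mismatched DH groups fails with a GeneralSecurityException, which either escapes as a RuntimeException or is reported as an SSLHandshakeException that an SSLException handler catches. The class name, the `Step` interface, the `handle` caller and the key sizes are assumptions made for the demonstration.

```java
import java.security.*;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

public class AgreedSecretDemo {
    interface Step { byte[] run() throws SSLException; }

    static KeyPair dh(int bits) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("DiffieHellman");
        g.initialize(bits);
        return g.generateKeyPair();
    }
    static byte[] agree(KeyPair own, PublicKey peer) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
        ka.init(own.getPrivate());
        ka.doPhase(peer, true); // InvalidKeyException if the peer key uses other DH parameters
        return ka.generateSecret();
    }
    // Pattern quoted in the report: the checked failure leaves as a RuntimeException.
    static byte[] agreeUnchecked(KeyPair own, PublicKey peer) {
        try { return agree(own, peer); }
        catch (GeneralSecurityException e) {
            throw new RuntimeException("Could not generate secret", e);
        }
    }
    // Alternative: report the same failure as a handshake error and keep the cause.
    static byte[] agreeAsSsl(KeyPair own, PublicKey peer) throws SSLException {
        try { return agree(own, peer); }
        catch (GeneralSecurityException e) {
            throw (SSLException) new SSLHandshakeException("Could not generate secret").initCause(e);
        }
    }
    // Hypothetical application handler that only expects SSLException from the TLS layer.
    static String handle(Step step) {
        try { step.run(); return "secret agreed"; }
        catch (SSLException e) { return "handshake failed, closing: " + e.getCause(); }
    }
    public static void main(String[] args) throws Exception {
        // Constructed input: the sizes differ only so the two keys come from different DH groups.
        KeyPair ours = dh(2048), theirs = dh(1024);
        System.out.println(handle(() -> agreeAsSsl(ours, theirs.getPublic())));
        try {
            System.out.println(handle(() -> agreeUnchecked(ours, theirs.getPublic())));
        } catch (RuntimeException e) {
            System.out.println("escaped the SSLException handler: " + e);
        }
    }
}
```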

Comments
Fix Summary Template
- Fix for Release : JDK6 PSU 15_01
- Risk Analysis : Low. Simple fix to exception handling
- Testing (done/to-be-done) : Noreg-hard.
- JavaFX Impact : No
04-09-2014