JDK-8208538 : Release Note: TLS 1.3 Half-Close Policy
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11
  • Priority: P2
  • Status: Closed
  • Resolution: Delivered
  • Submitted: 2018-07-31
  • Updated: 2019-04-09
  • Resolved: 2018-08-15
JDK 11
A new system property, `jdk.tls.acknowledgeCloseNotify`, has been added. The default value of the system property is `false`. If the system property is set to `true`, a corresponding `close_notify` alert will be sent when a `close_notify` alert is received, and the connection will be duplex closed.

TLS 1.2 and prior versions use a duplex-close policy, while TLS 1.3 uses a half-close policy: the inbound and the outbound `close_notify` alerts for TLS 1.3 are independent. When upgrading to TLS 1.3, unexpected behavior can occur if your application shuts down the (D)TLS connection by using only one of the `SSLEngine.closeInbound()` or `SSLEngine.closeOutbound()` APIs, rather than both, on each side of the connection. If your application exhibits unexpected hangs or timeouts when the underlying (D)TLS transport is not duplex closed, you may need to set this property to `true`.

Note that when a TLS/DTLS connection is no longer needed, the client and server applications should each close both sides of their respective connection.
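
The following sketch shows one way an application can close both directions itself, so that it does not depend on the peer acknowledging `close_notify`. It is an added example, not code from the JDK or from this release note; the class and method names are hypothetical, and it assumes a completed handshake, a blocking `SocketChannel`, and no undelivered bytes left in the application's own network buffers.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;

public final class TlsDuplexClose {   // hypothetical helper class
    // For applications that cannot be changed, the release note's alternative is
    // to start the JVM with -Djdk.tls.acknowledgeCloseNotify=true.

    /** Closes the outbound and then the inbound side of an established connection. */
    static void shutdown(SSLEngine engine, SocketChannel channel) throws IOException {
        int netSize = engine.getSession().getPacketBufferSize();
        ByteBuffer netOut = ByteBuffer.allocate(netSize);
        ByteBuffer netIn = ByteBuffer.allocate(netSize);
        ByteBuffer appIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        ByteBuffer empty = ByteBuffer.allocate(0);
        try {
            // Outbound half: queue our close_notify and flush it to the peer.
            engine.closeOutbound();
            while (!engine.isOutboundDone()) {
                netOut.clear();
                engine.wrap(empty, netOut);
                netOut.flip();
                while (netOut.hasRemaining()) channel.write(netOut);
            }
            // Inbound half: under TLS 1.3 the peer's close_notify is independent of
            // ours, so keep reading until it arrives. A peer that never sends it
            // keeps this blocking read waiting; bound it with a deadline in real code.
            while (!engine.isInboundDone()) {
                if (channel.read(netIn) < 0) {
                    // EOF before close_notify: closeInbound() throws SSLException,
                    // signalling a possible truncation.
                    engine.closeInbound();
                    break;
                }
                netIn.flip();
                SSLEngineResult r;
                do {
                    appIn.clear();   // late application data is discarded here
                    r = engine.unwrap(netIn, appIn);
                } while (r.getStatus() == SSLEngineResult.Status.OK
                        && netIn.hasRemaining() && !engine.isInboundDone());
                netIn.compact();
            }
        } finally {
            channel.close();
        }
    }
}
```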