JDK-8239798 : SSLSocket closes socket both socket endpoints on a SocketTimeoutException
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8,11,14,15
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2020-02-21
  • Updated: 2021-04-07
  • Resolved: 2020-03-11
Release   Version         Status
JDK 11    11.0.8-oracle   Fixed
JDK 13    13.0.4          Fixed
JDK 14    14.0.2          Fixed
JDK 15    15 b14          Fixed
JDK 8     8u261           Fixed
Other     openjdk8u       Unresolved
Description
SSLSocket is behaving very differently since JDK11; this seems to be due to the introduction of TLS1.3, JEP332 and JDK-8196584.

The problem seems to be that SSLSocket in JDK11, when it receives a SocketTimeoutException, will close both the endpoints and the socket, thereby disallowing retries by the peer.

However, in JDK8 we have noticed that in such cases, the end-point is not closed, and allows further retries from the client.

This seems to be an incompatible behavior change and is seriously blocking our development efforts.

Reproducer attached

Debug traces are below.

Comments
This still seems to be under review. Please get this resolved first: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-March/013607.html
07-04-2021

Webrev with copyright header updates: https://cr.openjdk.java.net/~phh/8239798/webrev.8u.jdk.01/
25-03-2021

8u backport needs a missing copyright header added. I'll add jdk8u-fix-yes once that's done.
24-03-2021

Fix Request [8u] The backport is mostly clean, except for some changes in SSLSocketInputRecord.java to account for DTLS removal in 8u JDK-8245469. Review thread: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-February/013433.html
17-03-2021

Fix request (13u) Requesting backport to 13u for parity with 11u, applies cleanly.
01-06-2020

Fix request (11u) -- will label after testing completed. I would like to downport this for parity with 11.0.8-oracle. Applies clean.
27-03-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/eb934f0048de User: bae Date: 2020-03-11 16:21:33 +0000
11-03-2020

OpenJDK thread: https://mail.openjdk.java.net/pipermail/security-dev/2020-February/021314.html
21-02-2020

5. Run JDK8 with network tracing

% ../jdk1.8.0_231/bin/java -Djavax.net.debug=all SimpleClient
System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
...... 8< REDACTED FOR CLARITY >8 ......
##NOTE: we are reading the data here....
main, READ: TLSv1.2 Application Data, length = 64
Padded plaintext after DECRYPTION:  len = 64
0000: 24 BD C6 BC 75 03 83 BB   4E E1 7B BC 83 8B 52 72  $...u...N.....Rr
0010: 48 65 6C 6C 6F 20 57 6F   72 6C 64 21 0A 83 52 0B  Hello World!..R.
0020: BA 06 4D C6 8E 1E A6 A4   10 A1 31 47 20 7E B0 B5  ..M.......1G ...
0030: 7E C9 E8 0E 2A AC DF 59   B7 BA 5A 6A 1B 02 02 02  ....*..Y..Zj....
##NOTE: the socket is being closed
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
Padded plaintext before ENCRYPTION:  len = 64
0000: D6 A5 CB 38 93 DF A6 22   63 50 4A A2 BD 60 5A EB  ...8..."cPJ..`Z.
0010: 01 00 64 33 4C A8 DD 9A   3B A5 74 3A 36 AE 8B CB  ..d3L...;.t:6...
0020: 2C D6 89 98 E9 1C 7B E5   AC D9 BF B5 1E 6D C5 5C  ,............m.\
0030: FC 45 0D 0D 0D 0D 0D 0D   0D 0D 0D 0D 0D 0D 0D 0D  .E..............
main, WRITE: TLSv1.2 Alert, length = 64
[Raw write]: length = 69
0000: 15 03 03 00 40 5D CD DF   F7 F0 E2 9C 64 E9 8F 9D  ....@]......d...
0010: 8C 36 0B AC 1E 8A 57 B1   80 BC 35 EF CA 33 39 31  .6....W...5..391
0020: C6 D1 A0 42 F4 FF 16 F1   23 44 F0 F6 DC 71 CF 5B  ...B....#D...q.[
0030: 20 37 7C 2C 39 5E 3C 65   35 2C 5F 29 82 AD EE AF   7.,9^<e5,_)....
0040: 7A 92 FD C6 AA                                     z....
main, called closeSocket(true)
Connection isClosed: true
main, called close()
main, called closeInternal(true)
Hello World!

6. Run JDK11 with network tracing

% ../jdk-11.0.3/bin/java -Djavax.net.debug=all SimpleClient
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.064 PST|SSLContextImpl.java:428|System property jdk.tls.client.cipherSuites is set to 'null'
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.083 PST|SSLContextImpl.java:428|System property jdk.tls.server.cipherSuites is set to 'null'
...... 8< REDACTED FOR CLARITY >8 ......
##NOTE: handshake is complete
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.326 PST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 189
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.330 PST|SSLSocketOutputRecord.java:255|Raw write (
  0000: 16 03 03 00 BD 01 00 00   B9 03 03 57 D4 61 9F 58  ...........W.a.X
  0010: 02 AD A8 02 DF A9 E2 6C   B4 19 12 B2 05 36 FC EB  .......l.....6..
  0020: D9 C9 5C F8 BA 1C 74 10   B4 B9 08 00 00 02 00 6A  ..\...t........j
  0030: 01 00 00 8E 00 05 00 05   01 00 00 00 00 00 0A 00  ................
  0040: 0C 00 0A 01 00 01 01 01   02 01 03 01 04 00 0D 00  ................
  0050: 28 00 26 04 03 05 03 06   03 08 04 08 05 08 06 08  (.&.............
  0060: 09 08 0A 08 0B 04 01 05   01 06 01 04 02 03 03 03  ................
  0070: 01 03 02 02 03 02 01 02   02 00 32 00 28 00 26 04  ..........2.(.&.
  0080: 03 05 03 06 03 08 04 08   05 08 06 08 09 08 0A 08  ................
  0090: 0B 04 01 05 01 06 01 04   02 03 03 03 01 03 02 02  ................
  00A0: 03 02 01 02 02 00 11 00   09 00 07 02 00 04 00 00  ................
  00B0: 00 00 00 17 00 00 00 2B   00 03 02 03 03 FF 01 00  .......+........
  00C0: 01 00                                              ..
)
##NOTE: SocketTimeoutException is received and the SSLSocket immediately sends Fatal Alert to the
## server and closes the connection and the local socket, preventing further retries.
javax.net.ssl|ERROR|01|main|2020-02-14 10:31:45.335 PST|TransportContext.java:312|Fatal (UNEXPECTED_MESSAGE): Read timed out (
"throwable" : {
  java.net.SocketTimeoutException: Read timed out
    at java.base/java.net.SocketInputStream.socketRead0(Native Method)
    at java.base/java.net.SocketInputStream.socketRead(SocketInputStream.java:115)
    at java.base/java.net.SocketInputStream.read(SocketInputStream.java:168)
    at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140)
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:448)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:165)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:799)
    at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
    at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
    at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
    at java.base/java.io.InputStreamReader.read(InputStreamReader.java:185)
    at java.base/java.io.BufferedReader.fill(BufferedReader.java:161)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:326)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:392)
    at SimpleClient.startClient(SimpleClient.java:28)
    at SimpleClient.main(SimpleClient.java:48)}
)
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.335 PST|SSLSocketOutputRecord.java:71|WRITE: TLS12 alert(unexpected_message), length = 2
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.336 PST|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 0A                               .......
)
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.336 PST|SSLSocketImpl.java:1360|close the underlying socket
javax.net.ssl|DEBUG|01|main|2020-02-14 10:31:45.336 PST|SSLSocketImpl.java:1379|close the SSL connection (initiative)
Read timed out
Connection isClosed: true
null
21-02-2020
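
Added example, not part of the original report or of the JDK sources: a small Python decoder for the "Raw write" hex rows in the traces above. It reads the TLS record header and, for a cleartext alert, the level and description, which is enough to tell the JDK 11 fatal alert apart from the JDK 8 close alert. Function names are hypothetical; the two sample rows are copied from the traces in this report (first row only for JDK 8), and the alert table is a subset of the TLS alert registry.

```python
import re

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS alert descriptions; extend as needed.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure"}
# One dump row: 4-digit offset, up to 16 hex pairs, then the ASCII column.
HEX_ROW = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}(?:\s+|$)){1,16})")

# Rows copied from the traces in this report (JDK 8: first row only).
JDK11_ALERT = "0000: 15 03 03 00 02 02 0A                               ......."
JDK8_ALERT_ROW0 = "0000: 15 03 03 00 40 5D CD DF   F7 F0 E2 9C 64 E9 8F 9D  ....@]......d..."


def dump_to_bytes(dump):
    """Rebuild raw bytes from javax.net.debug hex rows, ignoring other lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def decode_record(raw):
    """Decode the 5-byte TLS record header and, if readable, the alert body."""
    if len(raw) < 5:
        raise ValueError("need at least a 5-byte TLS record header")
    length = int.from_bytes(raw[3:5], "big")
    body = raw[5:5 + length]  # also drops ASCII-column bytes misread as hex
    rec = {"type": CONTENT_TYPES.get(raw[0], "unknown(%d)" % raw[0]),
           "record_version": "%d.%d" % (raw[1], raw[2]),
           "length": length, "complete": len(body) == length}
    if raw[0] == 21:
        # A cleartext alert is exactly level + description; anything longer
        # is ciphertext (MAC, padding or AEAD tag) and cannot be decoded here.
        rec["protected"] = length != 2
        if length == 2 and rec["complete"]:
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return rec


if __name__ == "__main__":
    print("JDK 11:", decode_record(dump_to_bytes(JDK11_ALERT)))
    print("JDK 8: ", decode_record(dump_to_bytes(JDK8_ALERT_ROW0)))
```

A cleartext fatal alert logged right after "Read timed out" is the signature of the JDK 11 behaviour reported here; the JDK 8 record is a protected alert whose plaintext the trace itself labels as a close_notify warning.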

Duplicate of JDK-8239788. Will let you choose which one to close, please note this is a very high severity.
21-02-2020