JDK-8268965 : TCP Connection Reset when connecting simple socket to SSL server
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8,11,13,15,17,18
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2021-06-17
  • Updated: 2021-11-02
  • Resolved: 2021-07-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 8 Other
11.0.13Fixed 8u301Fixed openjdk8u312Fixed
Related Reports
Relates :  
Relates :  
Description
Simple socket connection fails with  TCP Connection Reset in case of connecting to the SSL Server.
SSL Server fails as expected: "javax.net.ssl.SSLException: Unsupported or unrecognized SSL message"
The client connection fails with:
ACTUAL BEHAVIOUR: 
java.net.SocketException: "Connection reset" 
EXPECTED BEHAVIOUR: 
java.io.EOFException

It happens because of SSL server does not clean the input stream before closing the underlying socket. As result, it causes TCP connection resets on some platforms.

JDK8 TLSv1.2 implementation did not have such an issue because of it explicitly clean the input stream before closing the socket : https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/file/fde7fd2a2fd2/src/share/classes/sun/security/ssl/SSLSocketImpl.java#l1932
Suggest doing the same in the TLSv1.3 implementation.

Please note: issue reproduced with the PlainSocketImpl only. JDK13 and higher should be run with -Djdk.net.usePlainSocketImpl=true option. JDK8 and JDK11 reproduce this issue in the default configuration.
Comments
Fix request [8u] 11u patch applies cleanly after updating files location sun/security/ssl and new test are passed
23-07-2021

Fix request [11] 13u patch applies clean sun/security/ssl and new test are passed
22-07-2021

Changeset: e1d3e73d Author: Alexey Bakhtin <abakhtin@openjdk.org> Committer: Vladimir Kempik <vkempik@openjdk.org> Date: 2021-07-12 10:24:39 +0000 URL: https://git.openjdk.java.net/jdk/commit/e1d3e73d4ee32fac7e5b6b2666221717270d4814
13-07-2021

Fix request [13] 15u patch applies clean sun/security/ssl and new test are passed
12-07-2021

Fix request [15] The original patch applies almost clean except of instanceof pattern matching not available in jdk15 sun/security/ssl and new test are passed
12-07-2021

Fix request [17] The original patch applies cleanly. The new test passed successfully.
08-07-2021

Changeset: 6f171b9f Author: Alexey Bakhtin <abakhtin@openjdk.org> Committer: Vladimir Kempik <vkempik@openjdk.org> Date: 2021-07-08 16:44:55 +0000 URL: https://git.openjdk.java.net/jdk/commit/6f171b9f0d28ad17b31a54bad894f38d19df6f73
08-07-2021