JDK-8221218 : sun/security/ssl/SSLSocketImpl/SSLExceptionForIOIssue.java failed with SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2).
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 13
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2019-03-21
  • Updated: 2024-10-16
  • Resolved: 2022-11-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
tbdResolved
Related Reports
Duplicate :  
Duplicate :  
Relates :  
Description
----------System.err:(45/3254)----------
===================================
Starting client
Accepting client requests
Connecting to server at port 56784
Waiting 3 seconds for client 
Sending data to server ...
Sending data to client ...
javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:129)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
	at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:721)
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:998)
	at java.base/sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:233)
	at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:312)
	at java.base/sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:316)
	at java.base/sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:153)
	at java.base/java.io.OutputStreamWriter.flush(OutputStreamWriter.java:254)
	at java.base/java.io.BufferedWriter.flush(BufferedWriter.java:257)
	at SSLExceptionForIOIssue.test(SSLExceptionForIOIssue.java:79)
	at SSLExceptionForIOIssue.main(SSLExceptionForIOIssue.java:45)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:567)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
	at java.base/java.lang.Thread.run(Thread.java:835)
Caused by: javax.crypto.BadPaddingException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
	at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1878)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:262)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:190)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
	... 19 more

JavaTest Message: Test threw exception: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
JavaTest Message: shutting down test

expected client exception: javax.net.ssl.SSLException: Read timed out
client socket closed
STATUS:Failed.`main' threw exception: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
Comments
I looked into a claim raised by: https://mail.openjdk.org/pipermail/security-dev/2022-April/030093.html which points to https://issues.redhat.com/browse/XNIO-406 In SSLEngineImpl.java/readRecord():601 if (srcsRemains == 0) { return new SSLEngineResult( Status.BUFFER_UNDERFLOW, hsStatus, 0, 0); } I'm not able to reproduce it (using AES/GCM during handhaking and after), so if this is still an issue, please open/reopen this bug. Xuelei pointed to JDK-8227651, which is a test only bug, but please reopen if this is occurring.
03-05-2024

The issue may have been fixed within JDK-8227651. Please re-open it when it happens again.
13-11-2022

Claim of reproducer: https://mail.openjdk.java.net/pipermail/security-dev/2022-April/030093.html Reopening for evaluation.
25-04-2022

The issue may be caused by synchronization, which may be fixed in JDK-8258753 and JDK-8263743. Please re-open if it happens again.
28-04-2021