JDK-8227651 : Tests fail with SSLProtocolException: Input record too big
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8,11,14,16,17,18,19
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-07-13
  • Updated: 2024-08-26
  • Resolved: 2022-08-10
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 17 JDK 19 JDK 20 JDK 8
11.0.18-oracleFixed 17.0.5Fixed 19.0.1Fixed 20 b10Fixed 8u361Fixed
Related Reports
Duplicate :  
JDK-8221218 - sun/security/ssl/SSLSocketImpl/SSLExceptionForIOIssue.java failed with SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2).
Duplicate :  
JDK-8273395 - javax/net/ssl/ServerName/SSLEngineExplorerWithCli.java fails with test timeout
Duplicate :  
JDK-8212096 - javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java failed intermittently due to SSLException: Tag mismatch
Duplicate :  
JDK-8274698 - Tests still fail with SSLProtocolException: Input record too big
Duplicate :  
JDK-8273396 - javax/net/ssl/ServerName/SSLEngineExplorerWithSrv.java fails with test timeout
Relates :  
JDK-6388456 - Need adjustable TLS max record size for interoperability with non-compliant stacks
Relates :  
JDK-8207009 - TLS 1.3 half-close and synchronization issues
Description
Following tests fail intermittently with "javax.net.ssl.SSLProtocolException: Input record too big".

javax/net/ssl/SSLEngine/LargePacket.java
javax/net/ssl/ServerName/SSLEngineExplorerWithCli.java
javax/net/ssl/ServerName/SSLEngineExplorerWithSrv.java
javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java

Here's a snippet of the log file:

#section:main
----------messages:(6/204)----------
command: main LargePacket
reason: User specified action: run main/othervm LargePacket 
Mode: othervm [/othervm specified]
Timeout information:
--- Timeout information end.
elapsed time (seconds): 495.189
----------configuration:(0/0)----------
----------System.out:(6/333)----------
resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW
resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW
resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW
resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW
resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW
Timeout refired 480 times
----------System.err:(2/97)----------
Server died...
javax.net.ssl.SSLProtocolException: Input record too big: max = 16709 len = 49004
----------rerun:(32/4669)*----------

It is not clear if:

javax.net.ssl.SSLProtocolException: Input record too big: max = 16709 len = 49004"

is an error message or a warning or a failure of the test.

This is a Tier2 failure so starting this bug at P3 for initial triage.
Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u-dev/pull/567 Date: 2024-08-26 08:02:37 +0000
26-08-2024
[jdk8u-fix-request] Approval Request from sendaoYan Backport from jdk11u-dev to jdk8u-dev, to fix the intermittent failure, test fix only, the change has been verified, no risk.
26-08-2024
Fix request [11u] I backport this for parity with 11.0.18-oracle. No risk, only a test change. Clean backport except for ProblemList Tests pass. SAP nightly testing passes.
13-10-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/1448 Date: 2022-10-12 07:12:50 +0000
12-10-2022
Fix request (19u): Should help to stabilize jdk19u testing. Backport applies cleanly. Passes SAP nightlies.
24-08-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk19u/pull/12 Date: 2022-08-23 21:01:39 +0000
23-08-2022
Fix Request (17u). On behalf of Josh Cao <joshcao@amazon.com> Clean test-only fix, patched tests succeed, low risk. Same patch for JDK-8212096 backport.
19-08-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/639 Date: 2022-08-18 22:59:44 +0000
18-08-2022
Changeset: 7b029ea6 Author: Daniel JeliƄski <djelinski@openjdk.org> Date: 2022-08-10 18:16:10 +0000 URL: https://git.openjdk.org/jdk/commit/7b029ea6ba1d44d361fdf980816732d8454b8194
10-08-2022
Thanks [~djelinski] for the fix. I have assigned JDK-8212096 issue to you as well.
09-08-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/9773 Date: 2022-08-05 12:25:36 +0000
05-08-2022
Another manifestation of this issue can be found in JDK-8227651. The issue is caused by a race condition in SSLEngineService usages. It can be reproduced more reliably by adding the following lines after `case NEED_UNWRAP` in SSLEngineService#handshaking: if (!ssle.getUseClientMode()) { Thread.sleep(300); } The problem is that SSLEngineService#handshaking reads all available data from the socket, but as soon as the handshake completes, it discards all unprocessed data. Most of the time only the client's Finished message is available and the test passes. However, if the server thread encounters a slowdown, the client may send application data which is then received and discarded. This in turn means that the receiving method will not see some of the bytes that were sent by the peer. This issue is only observed when the tests use TLS 1.3. With TLS 1.2 and earlier, the last handshake message was sent by the server, and the client had to receive it before it could start sending. With TLS1.3 the last handshake message is sent by the client, which can start sending data without any further delay.
05-08-2022
we see the error as well in 8 ; sun/security/ssl/javax/net/ssl/ServerName/SSLEngineExplorerMatchedSNI.java javax.net.ssl.SSLProtocolException: Input record too big: max = 16709 len = 20434 at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:516) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:418) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:397) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626) at SSLEngineService.receive(SSLEngineService.java:167) at SSLEngineExplorerMatchedSNI.doServerSide(SSLEngineExplorerMatchedSNI.java:160) at SSLEngineExplorerMatchedSNI.startServer(SSLEngineExplorerMatchedSNI.java:369) at SSLEngineExplorerMatchedSNI.<init>(SSLEngineExplorerMatchedSNI.java:319) at SSLEngineExplorerMatchedSNI.main(SSLEngineExplorerMatchedSNI.java:300) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127) at java.lang.Thread.run(Thread.java:838)
01-08-2022
Here's a log file snippet for the jdk-18+31-2042-tier2 sighting: javax/net/ssl/SSLEngine/LargePacket.java #section:main ----------messages:(6/204)---------- command: main LargePacket reason: User specified action: run main/othervm LargePacket Mode: othervm [/othervm specified] Timeout information: --- Timeout information end. elapsed time (seconds): 492.659 ----------configuration:(0/0)---------- ----------System.out:(6/333)---------- resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Timeout refired 480 times ----------System.err:(2/97)---------- Server died... javax.net.ssl.SSLProtocolException: Input record too big: max = 16709 len = 61705 ----------rerun:(35/5885)*---------- <snip> result: Error. Program `/System/Volumes/Data/mesos/work_dir/jib-master/install/jdk-18+31-2042/macosx-aarch64.jdk/jdk-18.jdk/Contents/Home/bin/java' timed out (timeout set to 480000ms, elapsed time including timeout handling was 492653ms).
10-01-2022
[~rhalade] thank you - filed JDK-8277970
30-11-2021
[~dholmes] The failure seen with NoInvalidateSocketException.java is not related to this bug. Please open a new bug.
30-11-2021
Test: jdk/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java is also failing with the "tag mismatch": Caused by: javax.crypto.AEADBadTagException: Tag mismatch at java.base/com.sun.crypto.provider.GaloisCounterMode$GCMDecrypt.doFinal(GaloisCounterMode.java:1591) at java.base/com.sun.crypto.provider.GaloisCounterMode.engineDoFinal(GaloisCounterMode.java:454) at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2501) at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1933) at java.base/sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:260) at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:181) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) is this really the same issue as the "input record too big" or is this something else? [~rhalade] please advise if we should open a new bug.
30-11-2021
Here's a log file snippet from the jdk-18+6-203-tier2 sighting: javax/net/ssl/ServerName/SSLEngineExplorerWithSrv.java #section:main ----------messages:(6/230)---------- command: main SSLEngineExplorerWithSrv reason: User specified action: run main/othervm SSLEngineExplorerWithSrv Mode: othervm [/othervm specified] Timeout information: --- Timeout information end. elapsed time (seconds): 499.666 ----------configuration:(0/0)---------- ----------System.out:(8/380)---------- resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Record version: TLSv1.2 Hello version: TLSv1.2 resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Timeout refired 480 times ----------System.err:(2/97)---------- Server died... javax.net.ssl.SSLProtocolException: Input record too big: max = 16709 len = 61893 ----------rerun:(35/8238)*----------
09-07-2021
Here's a snippet from the log file for the jdk-17+3-68-tier2 sighting: javax/net/ssl/ServerName/SSLEngineExplorerWithCli.java #section:main ----------messages:(6/230)---------- command: main SSLEngineExplorerWithCli reason: User specified action: run main/othervm SSLEngineExplorerWithCli Mode: othervm [/othervm specified] Timeout information: --- Timeout information end. elapsed time (seconds): 496.222 ----------configuration:(0/0)---------- ----------System.out:(10/502)---------- resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Record version: TLSv1.2 Hello version: TLSv1.2 resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize destination buffer upto 16676 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Timeout refired 480 times ----------System.err:(2/57)---------- Server died... javax.net.ssl.SSLException: Tag mismatch! ----------rerun:(36/7612)*----------
17-12-2020
Here's a SSLEngineExplorerWithSrv.java log file snippet from the jdk-16+26-1751-tier2 sighting: #section:main ----------messages:(6/230)---------- command: main SSLEngineExplorerWithSrv reason: User specified action: run main/othervm SSLEngineExplorerWithSrv Mode: othervm [/othervm specified] Timeout information: --- Timeout information end. elapsed time (seconds): 496.031 ----------configuration:(0/0)---------- ----------System.out:(10/502)---------- resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW Record version: TLSv1.2 Hello version: TLSv1.2 resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize destination buffer upto 16676 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Timeout refired 480 times ----------System.err:(2/57)---------- Server died... javax.net.ssl.SSLException: Tag mismatch! ----------rerun:(36/7998)*----------
01-12-2020
We notice now and then similar exceptions, but in the jtreg test javax/net/ssl/ServerName/SSLEngineExplorerWithSrv.java (the issues show up on Linux and AIX, in JDK11, 14 and 15; not always but sometimes). Our stderr / stdout shows : :stdErr: Wed Apr 01 20:55:39 CEST 2020 Server died... javax.net.ssl.SSLProtocolException: Input record too big: max = 16709 len = 40038 :stdOut: Wed Apr 01 20:55:39 CEST 2020 resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Record version: TLSv1.2 Hello version: TLSv1.2 resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize destination buffer upto 16709 bytes for BUFFER_OVERFLOW resize source buffer upto 16709 bytes for BUFFER_UNDERFLOW Timeout refired 720 times
03-04-2020
[~rhalade] Assigning to you for now for further triaging.
23-07-2019