Bug ID: JDK-8256818 SSLSocket that is never bound or connected leaks socket resources

Type: Bug
Component: security-libs
Sub-Component: javax.net.ssl
Affected Version: 8u271,11.0.9-oracle,13,15,16

Priority: P2
Status: Closed
Resolution: Fixed

Submitted: 2020-11-21
Updated: 2023-11-29
Resolved: 2020-12-02

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 16	JDK 8	Other
11.0.11-oracleFixed	16 b27Fixed	8u271Fixed	openjdk8u302Fixed

There is a flaw in sun.security.ssl.SSLSocketImpl::close() which leads to leaking socket resources after JDK-8224829.

The close method calls duplexCloseOutput() and duplexCloseInput(). In case of an exception in any of these methods, the call to closeSocket() is bypassed, and the underlying Socket may not be closed.

This manifests in a real life leak after JDK-8224829 has introduced a call to getSoLinger() on the path of duplexCloseOutput -> closeNotify. If socket impl / OS socket hadn't been created yet it is done at that place. But then after duplexCloseOutput eventually fails with a SocketException since the socket wasn't connected, closing fails to call Socket::close().

This problem can be reproduced by this code:
		        SSLSocket sslSocket = (SSLSocket)SSLSocketFactory.getDefault().createSocket();
		        sslSocket.getSSLParameters();
		        sslSocket.close();

This is what happens when SSLContext.getDefault().getDefaultSSLParameters() is called, with close() being eventually called by the finalizer.

Fix Request (8u): Backport to 8u requested because it is a part of 8u291-oracle. Patch doesn't apply cleanly, review approval email: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-April/013695.html Note: there is already a Fix Request filed for this backport, it is added to the backport issue [1]. AFAIU the recent changes to the process (please correct me if I am wrong), Fix Request needs to be filed in the main issue, so adding it here. [1] https://bugs.openjdk.java.net/browse/JDK-8259013?focusedCommentId=14413647&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14413647
27-04-2021
Fix Request (11u): Backport to 11u requested because it is a part of 11.0.11-oracle. Patch doesn't apply cleanly, review approval email: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-December/004508.html
29-12-2020
Changeset: 93b6ab56 Author: Christoph Langer <clanger@openjdk.org> Date: 2020-12-02 19:23:26 +0000 URL: https://git.openjdk.java.net/jdk/commit/93b6ab56
02-12-2020
Fix proposal: https://github.com/openjdk/jdk/pull/1363
21-11-2020

Relates :	JDK-8236464 - SO_LINGER option is ignored by SSLSocket in JDK 11
Relates :	JDK-8224829 - AsyncSSLSocketClose.java has timing issue
Relates :	JDK-8257884 - Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test
Relates :	JDK-8257670 - sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks