JDK-8257030 : SSL Sockets staying open at the OS level after having been closed
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: openjdk8u
  • Priority: P3
  • Status: Resolved
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86_64
  • Submitted: 2020-11-16
  • Updated: 2023-11-29
  • Resolved: 2021-07-05
Related Reports
Duplicate :  
JDK-8257670 - sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
Relates :  
JDK-8236464 - SO_LINGER option is ignored by SSLSocket in JDK 11
Relates :  
JDK-8245466 - Backport TLSv1.3 protocol implementation
Relates :  
JDK-8245016 - SO_LINGER option is ignored by SSLSocket in JDK 11
Description
A DESCRIPTION OF THE PROBLEM :
I think this TLSv1.3 backport https://bugs.openjdk.java.net/browse/JDK-8245466
may have clobbered this SO_LINGER fix https://bugs.openjdk.java.net/browse/JDK-8245016

After upgrading to openjdk 1.8u275 we have seen multiple applications, the first one we noticed it in was Apache Cassandra 3.11, start to accumulate open sockets in the OS after the server is done with them, eventually running out of file handles.

REGRESSION : Last worked in version 8

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start Apache Cassandra 3.11 when client SSL enabled.  Start and stop clients connecting to it over and over.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Open socket handles do no accumulate.
ACTUAL -
Open socket handles accumulate over time.

CUSTOMER SUBMITTED WORKAROUND :
Downgrade back to previous 1.8u262 release.

FREQUENCY : always
Comments
Additional information from the submitter: They originally saw the issue with Oracle JDK 8u271
11-12-2020
I tried to reproduce with Apache Cassandra 3.11.9 with client SSL enabled on Oracle JDK 8u271. However, I did not see any leaks (tried with multiple connections), IPv6 Sockets created were closed gracefully.
09-12-2020
Requested the submitter to test with 8u271 Oracle JDK, https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html
08-12-2020
Additional information from the submitter: It should be a pretty straight forward fix of just applying the patch from https://bugs.openjdk.java.net/browse/JDK-8236464 It looks like a pretty straight forward case of back porting the SSL code from 11 to 8 and fixing bugs in that same code happened at about the same time, so the bug fixes were missed. If you check the code you can see that the change from https://bugs.openjdk.java.net/browse/JDK-8245016 is not present in 8u275 https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/jdk8u275-b01/jdk/src/share/classes/sun/security/ssl/TransportContext.java#L240 Code change from JDK-8245016 https://hg.openjdk.java.net/jdk/jdk/rev/c783b60f48db#l2.8
08-12-2020
Requested a simple reproducer from the submitter.
18-11-2020