Bug ID: JDK-8259662 Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl

JDK-8259662 : Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl

Type: Bug
Component: security-libs
Sub-Component: javax.net.ssl
Affected Version: 8,11,13,15,16

Priority: P4
Status: Resolved
Resolution: Fixed

Submitted: 2021-01-13
Updated: 2021-10-05
Resolved: 2021-02-22

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 16	JDK 17	JDK 8
11.0.12Fixed	16.0.2Fixed	17 b11Fixed	8u321Fixed

Related Reports

Blocks :	JDK-8259516 - Alerts sent by peer may not be received correctly during TLS handshake
CSR :	JDK-8259847 - Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
Relates :	JDK-8262436 - SSL test failures caused by java.net.SocketException
Relates :	JDK-8237578 - JDK-8214339 (SSLSocketImpl wraps SocketException) appears to not be fully fixed
Relates :	JDK-8259582 - Backout JDK-8237578 until all affected tests have been fixed
Relates :	JDK-8259572 - [test] Fix SSL tests after JDK-8237578 to properly handle SocketExceptions
Relates :	JDK-8262409 - sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception"

Sub Tasks

JDK-8262053 :

Release Note: SocketExceptions Are Not Wrapped Into SSLExceptions in SSLSocketImpl - Resolved

Description

Redo JDK-8237578 Fixing the effected tests

OpenJDK8u 265 had the following contract with the client

* . if there is an IOException (SocketException) when accessing the
* underlying Socket, pass it through
*
* . do not throw IOExceptions, throw SSLExceptions (or a subclass)
*

SSLSocketImpl.java#l69 (http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/9204e03217f7/src/share/classes/sun/security/ssl/SSLSocketImpl.java#l69)

The TLS stack would pass through SocketException. It would wrap other IOExceptions into an SSLException. However, The implementation of TLS1.3 stack changed this behavior [JDK-8196584 (https://bugs.openjdk.java.net/browse/JDK-8196584)]. It now started wrapping All IOExceptions including SocketException into an SSLException.

The error handling guidelines present in OpenJDK8u265 and previous versions were used by the application layer to determine how to react to the exception. The application layer would consider SocketExceptions to be retry-able and would retry the request or have other special handling. This issue was also reported by ApacheHTTPClient in HTTPCLIENT-2032 (https://issues.apache.org/jira/browse/HTTPCLIENT-2032). The application started seeing SSLException: Broken Pipe. this was due to the SocketException being converted to an SSLException. JDK-8214339 (https://bugs.openjdk.java.net/browse/JDK-8214339) attempted to fix this issue, however, it was still suppressing the SocketException and passing to the application layer an SSLException.

The application now was unable to determine if the failure was due to a retry-able socket exception or a more permanent SSLException.

Comments

NP, the test fix wasn't available when the backport was done. After all, it's just an intermittent test failure, so no need for 11.0.12 critical fix.
01-07-2021
Maybe make JDK-8262409 a critical fix for 11.0.12?
01-07-2021
Hmm, this shouldn't have been backported without JDK-8262409. Its too difficult in JBS to see follow up errors :(
01-07-2021
Fix Request [16u] Review thread: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-March/005484.html
26-03-2021
[~cverghese],[~phh], could you please backport this to 16u first? I would feel more comfortable allowing this into 11u after it has made it to 16.
26-03-2021
11u review approval: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-March/005433.html
23-03-2021
Fix Request (11u) I would like to backport this change to 11u. The patch applied cleanly expect for the hunks at src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java, Line : 1329-1333 and 1394-1398. Review : http://cr.openjdk.java.net/~cverghese/webrevs/8259662/
23-03-2021
Changeset: 63f8fc87 Author: Clive Verghese <cverghese@openjdk.org> Committer: Xue-Lei Andrew Fan <xuelei@openjdk.org> Date: 2021-02-22 18:36:30 +0000 URL: https://git.openjdk.java.net/jdk/commit/63f8fc87
22-02-2021