Bug ID: JDK-8274524 SSLSocket.close() hangs if it is called during the ssl handshake

JDK-8274524 : SSLSocket.close() hangs if it is called during the ssl handshake

Type: Bug
Component: security-libs
Sub-Component: javax.net.ssl
Affected Version: 8,11,13,15,17,18

Priority: P2
Status: Closed
Resolution: Fixed

Submitted: 2021-09-29
Updated: 2024-06-14
Resolved: 2022-02-12

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

Other	JDK 11	JDK 13	JDK 15	JDK 17	JDK 18	JDK 19	JDK 8
,shenandoah8u332Resolved	11.0.15Fixed	13.0.11Fixed	15.0.7Fixed	17.0.3Fixed	18.0.2Fixed	19 b10Fixed	8u341Fixed

Related Reports

Blocks :	JDK-8315422 - getSoTimeout() would be in try block in SSLSocketImpl
Relates :	JDK-8268965 - TCP Connection Reset when connecting simple socket to SSL server
Relates :	JDK-8315422 - getSoTimeout() would be in try block in SSLSocketImpl
Relates :	JDK-8274736 - Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily

Description

JCK test api/javax_net/ssl/SSLSocket/setUseClientMode.html fails on Linux & NioSocket  with "Error. test was interrupted! (timeout?)"

During TLS handshake socket read operations are not protected by readLock. Here is a stack trace of the read during handshake:
	at java.base/sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:48)
	at java.base/sun.nio.ch.NioSocketImpl.tryRead(NioSocketImpl.java:261)
	at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:312)
	at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
	at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
	at java.base/java.net.Socket$SocketInputStream.read(Socket.java:981)
	at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:478)
	at java.base/sun.security.ssl.SSLSocketInputRecord.readFully(SSLSocketInputRecord.java:461)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:243)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:181)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:110)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1491)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1397)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:444)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:415)

SSLSocket.close() also reads from socket after JDK-8268965:
	at java.base/sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:48)
	at java.base/sun.nio.ch.NioSocketImpl.tryRead(NioSocketImpl.java:261)
	at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:312)
	at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
	at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
	at java.base/java.net.Socket$SocketInputStream.read(Socket.java:981)
	at java.base/java.io.InputStream.skip(InputStream.java:544)
	at java.base/sun.security.ssl.SSLSocketInputRecord.deplete(SSLSocketInputRecord.java:504)
	at java.base/sun.security.ssl.SSLSocketImpl.closeSocket(SSLSocketImpl.java:1762)
	at java.base/sun.security.ssl.SSLSocketImpl.shutdown(SSLSocketImpl.java:1739)
	at java.base/sun.security.ssl.SSLSocketImpl.bruteForceCloseInput(SSLSocketImpl.java:773)
	at java.base/sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:638)
	at java.base/sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:570)

InputStream.skip() is implemented as a simple read from NIO socket without any locks. It is implemented as a loop of read(available()) As result, in case of called concurrently, SSLSocket.close() could hangs trying to read available bytes from socket, while startHandshake() already read them

The issue does not affect concurrent SSLSocket.close() and application input stream because of SSLSocketInputRecord.deplete() is protected by Application Input Stream read lock.

Comments

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk18u/pull/33 Date: 2022-03-07 05:29:32 +0000
07-03-2022
Fix request [8u] I'd like to backport this fix to JDK8u to prevent intermittent deadlocks. 11u patch applied cleanly after fixing file path sun/security/ssl regression tests passed
16-02-2022
Fix request [13u] I'd like to backport it to JDK13u to fix intermittent deadlocks Backport is almost clean except for a trivial fix for Pattern Matching in the instanceof (not available in JDK13) and braces for the if-clauses.
14-02-2022
Fix request [11u] I'd like to backport it to JDK11u to fix intermittent deadlocks Backport is almost clean except for a trivial fix for Pattern Matching in the instanceof (not available in JDK11) and braces for the if-clauses.
14-02-2022
Fix request [15u] I'd like to backport it to JDK15u to fix intermittent deadlocks Backport is almost clean except for a trivial fix for Pattern Matching in the instanceof (not available in JDK15) and braces for the if-clauses.
14-02-2022
A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk11u-dev/pull/823 Date: 2022-02-14 17:58:42 +0000
14-02-2022
Fix request [17u] I'd like to backport it to JDK17u to fix intermittent deadlocks Backport is clean.
14-02-2022
A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk13u-dev/pull/326 Date: 2022-02-14 13:51:17 +0000
14-02-2022
A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk15u-dev/pull/176 Date: 2022-02-14 13:50:22 +0000
14-02-2022
A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk17u-dev/pull/161 Date: 2022-02-14 13:43:12 +0000
14-02-2022
Changeset: 58dae60d Author: Alexey Bakhtin <abakhtin@openjdk.org> Date: 2022-02-12 11:54:22 +0000 URL: https://git.openjdk.java.net/jdk/commit/58dae60da0711c4ae0cb23f8ce2328e051d603b2
12-02-2022
A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/7432 Date: 2022-02-10 18:19:41 +0000
10-02-2022
Yes, This is an intermittent failure but it can be reproduced with the test from my review: https://github.com/alexeybakhtin/jdk/blob/02aa671f71daf633f2aefaf692b3d04822183bae/test/jdk/sun/security/ssl/SSLSocketImpl/ClientSocketCloseHang.java SSL log and jstack are attached
28-01-2022
This could possibly be an intermittent failure. Would also much appreciate to have logs attached to JDK-8274524.
27-01-2022