JDK-8367133 : DTLS: fragmentation of Finished message results in handshake failure
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 17,26
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-09-08
  • Updated: 2025-10-20
  • Resolved: 2025-09-25
Fix Versions:
  • JDK 17: 17.0.18-oracle (Fixed)
  • JDK 21: 21.0.10-oracle (Fixed)
  • JDK 25: 25.0.2 (Fixed)
  • JDK 26: 26 b18 (Fixed)
Description
If the Finished message is fragmented, the handshake fails with:
javax.net.ssl.SSLHandshakeException: (decrypt_error) The Finished message cannot be verified.

Relevant fragment from the javax.net.debug log:
```
javax.net.ssl|DEBUG|A1|pool-1-thread-1|2025-09-08 21:32:04.069 CEST|ChangeCipherSpec.java:146|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|A1|pool-1-thread-1|2025-09-08 21:32:04.070 CEST|SSLCipher.java:1654|Plaintext after DECRYPTION (
  0000: 14 00 00 0C 00 03 00 00   00 00 00 04 BE 89 47 E6  ..............G.
)
javax.net.ssl|ERROR|A1|pool-1-thread-1|2025-09-08 21:32:04.072 CEST|TransportContext.java:368|Fatal (DECRYPT_ERROR): The Finished message cannot be verified. (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: (decrypt_error) The Finished message cannot be verified.
```
In the above log the plaintext contains the first 4 bytes of a 12-byte Finished message (the 12-byte handshake fragment header declares a message length of 12 and a fragment length of 4). The bytes are processed without waiting for the remaining 8 bytes of the message, and the handshake fails because the partial bytes do not match what is expected.

It does not usually happen with JSSE peers, which pack one message per datagram, but may happen with other implementations that pack multiple messages into the same datagram up to a configured size.

To reproduce easily, use the attached dtls_repro patch to patch the DTLSOverDatagram jtreg test, then run that test.

Disabling stateless session resumption and/or changing the client certificate size may work around the issue.
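As an added illustration (not code from the JDK or from this bug report), the following Python parser reads DTLS handshake fragment headers and releases a message only once every byte of its declared length has been received, which is the wait the log above shows being skipped. The first fragment is the 16-byte plaintext from the log; the second fragment, its offset/length fields and its 8 body bytes are constructed for this example.

```python
from dataclasses import dataclass
HANDSHAKE_HEADER_LEN = 12  # DTLS handshake fragment header size (RFC 6347, section 4.2.2)

@dataclass
class Fragment:
    msg_type: int      # 0x14 = Finished
    length: int        # length of the complete (reassembled) message body
    message_seq: int
    frag_offset: int
    frag_length: int
    body: bytes

def parse_fragment(data: bytes) -> Fragment:
    """Parse one DTLS handshake fragment (header + body) from decrypted plaintext."""
    if len(data) < HANDSHAKE_HEADER_LEN:
        raise ValueError("truncated handshake header")
    length = int.from_bytes(data[1:4], "big")
    message_seq = int.from_bytes(data[4:6], "big")
    frag_offset = int.from_bytes(data[6:9], "big")
    frag_length = int.from_bytes(data[9:12], "big")
    body = data[HANDSHAKE_HEADER_LEN:HANDSHAKE_HEADER_LEN + frag_length]
    if len(body) != frag_length or frag_offset + frag_length > length:
        raise ValueError("fragment bounds do not match declared lengths")
    return Fragment(data[0], length, message_seq, frag_offset, frag_length, body)

class Reassembler:
    """Buffer fragments per message_seq; release a message only when fully received."""
    def __init__(self):
        self._pending = {}  # message_seq -> [msg_type, length, bytearray, covered offsets]

    def add(self, frag: Fragment):
        entry = self._pending.setdefault(
            frag.message_seq, [frag.msg_type, frag.length, bytearray(frag.length), set()])
        msg_type, length, buf, covered = entry
        if (msg_type, length) != (frag.msg_type, frag.length):
            raise ValueError("inconsistent fragments for message_seq %d" % frag.message_seq)
        end = frag.frag_offset + frag.frag_length
        buf[frag.frag_offset:end] = frag.body
        covered.update(range(frag.frag_offset, end))
        if len(covered) < length:
            return None  # still waiting for the rest; do not verify yet
        del self._pending[frag.message_seq]
        return msg_type, bytes(buf)

# First fragment: the 16-byte plaintext from the debug log (4 of 12 body bytes).
FIRST_FRAGMENT = bytes.fromhex("14 00 00 0C 00 03 00 00 00 00 00 04 BE 89 47 E6")
# Second fragment: constructed for this example (offset 4, length 8, placeholder body bytes).
SECOND_FRAGMENT = bytes.fromhex("14 00 00 0C 00 03 00 00 04 00 00 08 01 02 03 04 05 06 07 08")

def demo():
    r = Reassembler()  # yields None after the first fragment, the full message after the second
    return [r.add(parse_fragment(FIRST_FRAGMENT)), r.add(parse_fragment(SECOND_FRAGMENT))]
```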
Comments
Fix request [17u,21u] I backport this for parity with 17.0.18-oracle,21.0.10-oracle. Low risk, simple change. Clean backport. Test passes and reproduces the issue. SAP nightly testing passed.
18-10-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk17u-dev/pull/4068 Date: 2025-10-17 10:43:14 +0000
17-10-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/2352 Date: 2025-10-17 10:43:07 +0000
17-10-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk25u/pull/275 Date: 2025-10-07 11:12:59 +0000
07-10-2025

[jdk25u-fix-request] I would like to have the fix in jdk25u as well because the issue is present there too. The backport is clean.
07-10-2025

Changeset: 80cb0ead Branch: master Author: Daniel Jeliński <djelinski@openjdk.org> Date: 2025-09-25 18:17:19 +0000 URL: https://git.openjdk.org/jdk/commit/80cb0ead502ae439660f2a3bbab42df4da39d9d6
25-09-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/27284 Date: 2025-09-15 06:49:06 +0000
15-09-2025