Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8233619

SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3



      This was originally raised as an issue against Apache Tomcat:

      Reproduction steps with Tomcat (including key stores and Tomcat configuration) are in that report. The summary is:
      - Java 13.0.1+9
      - Tomcat 9 latest release (or latest source)
      - TLSv1.3
      - client authentication required
      - Firefox client in private browsing mode

      Debugging of the TLS handshake in Tomcat (https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/net/SecureNioChannel.java#L169) shows that in private browsing mode the penultimate SSLEngine handshake status is NEED_TASK.
      There is a single task containing 3 entries in the DelegatedAction map.
      The final entry in that Map ends up in T13FinishedConsumer which in turn leads to...
      TransportContext.finishHandshake(). While this method returns HandshakeStatus.FINISHED, the return value is ignored. As soon as that method sets handshakeContext=null, the SSLEngine handshake status is NOT_HANDSHAKING. This breaks Tomcat's TLS handshake code as Tomcat expects the SSLEngine handshake status to be FINISHED.

      When Firefox is used in non-private browsing mode the penultimate SSLEngine handshake status is NEED_WRAP which becomes FINISHED after the write.


        1. tls-debug-failed
          36 kB
        2. tls-debug-working
          36 kB
        3. tomcat1_jdk11.0.2b1.log
          36 kB
        4. tomcat1_jdk11.0.2b2.log
          265 kB
        5. tomcat1_jdk11.0.6b4.log
          566 kB
        6. tomcat4_jdk13.0.1_b09.log
          328 kB



            • Assignee:
              xuelei Xue-Lei Fan
              markt Mark Thomas
            • Votes:
              0 Vote for this issue
              6 Start watching this issue


              • Created: