SSLEngine improper close invalidates session
bechler at agno3.eu
Sun Apr 24 19:21:04 UTC 2016
Debugging a session resumption issue I found that SSLEngine.closeInbound
will always invalidate the TLS session if no close_notify alert has been
This behavior is no longer mandated by the TLS specification (RFC 5246
    This message notifies the recipient that the sender will not send
    any more messages on this connection. Note that as of TLS 1.1,
    failure to properly close a connection no longer requires that a
    session not be resumed. This is a change from TLS 1.0 to conform
    with widespread implementation practice.
and there are a couple of broken clients around that do not send
close_notify at all (e.g. the Microsoft ones) so the current behavior
will cause failed resumptions/full handshakes for these clients.
Any thoughts on this?
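The following is an added harness, not code from the post or from the JDK, that reproduces the behaviour described above in-process: two SSLEngines handshake over in-memory buffers, the client then calls closeInbound either after receiving the server's close_notify or without it (the "broken client" case), and a second handshake from the same SSLContext reports whether the first session was resumed. The keystore path "server.p12", the password and the host/port used to key the client session cache are placeholders chosen for the example; the class and method names are likewise this example's own.

```java
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.util.Arrays;

public class CloseInboundSessionCheck {

    // Placeholder keystore and password (assumptions for this example, not from the post).
    static final String KEYSTORE = "server.p12";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final ByteBuffer EMPTY = ByteBuffer.allocate(0);

    // A fresh context per scenario keeps the client/server session caches of the two runs apart.
    static SSLContext newContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Host/port are what the client session cache is keyed on; TLSv1.2 keeps session-ID resumption in play.
    static SSLEngine newEngine(SSLContext ctx, boolean clientMode) {
        SSLEngine e = ctx.createSSLEngine("localhost", 4433);
        e.setUseClientMode(clientMode);
        e.setEnabledProtocols(new String[] {"TLSv1.2"});
        return e;
    }

    static boolean handshaking(SSLEngine e) {
        return e.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING;
    }

    // One engine step: run delegated tasks, wrap into 'out', or unwrap from 'in' (both in write mode).
    static void step(SSLEngine e, ByteBuffer out, ByteBuffer in, ByteBuffer app) throws SSLException {
        switch (e.getHandshakeStatus()) {
            case NEED_TASK:
                for (Runnable r; (r = e.getDelegatedTask()) != null; ) r.run();
                break;
            case NEED_WRAP:
                e.wrap(EMPTY, out);
                break;
            case NEED_UNWRAP:
                in.flip();
                e.unwrap(in, app);   // BUFFER_UNDERFLOW just means the peer has not written yet
                in.compact();
                break;
            default:
                break;
        }
    }

    // Drive a complete handshake between the two engines over in-memory buffers.
    static void handshake(SSLEngine client, SSLEngine server) throws SSLException {
        int net = 4 * client.getSession().getPacketBufferSize();   // room for a multi-record flight
        ByteBuffer c2s = ByteBuffer.allocate(net), s2c = ByteBuffer.allocate(net);
        ByteBuffer cApp = ByteBuffer.allocate(client.getSession().getApplicationBufferSize());
        ByteBuffer sApp = ByteBuffer.allocate(server.getSession().getApplicationBufferSize());
        client.beginHandshake();
        server.beginHandshake();
        while (handshaking(client) || handshaking(server)) {
            step(client, c2s, s2c, cApp);
            step(server, s2c, c2s, sApp);
        }
    }

    // Carry one pending record from 'from' to 'to' (used here for the close_notify alert).
    static void transfer(SSLEngine from, SSLEngine to) throws SSLException {
        ByteBuffer net = ByteBuffer.allocate(from.getSession().getPacketBufferSize());
        from.wrap(EMPTY, net);
        net.flip();
        to.unwrap(net, ByteBuffer.allocate(to.getSession().getApplicationBufferSize()));
    }

    // Returns true if a second connection from the same context resumed the first session.
    static boolean run(boolean peerSendsCloseNotify) throws Exception {
        SSLContext ctx = newContext();
        SSLEngine client = newEngine(ctx, true), server = newEngine(ctx, false);
        handshake(client, server);
        SSLSession first = client.getSession();

        if (peerSendsCloseNotify) {
            server.closeOutbound();        // well-behaved peer: close_notify reaches the client
            transfer(server, client);
        }
        try {
            client.closeInbound();         // without close_notify this throws and invalidates 'first'
        } catch (SSLException e) {
            System.out.println("closeInbound: " + e.getMessage());
        }
        System.out.println("close_notify received=" + peerSendsCloseNotify
                + " session valid=" + first.isValid());

        SSLEngine client2 = newEngine(ctx, true), server2 = newEngine(ctx, false);
        handshake(client2, server2);
        return Arrays.equals(first.getId(), client2.getSession().getId());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("resumed after proper close: " + run(true));
        System.out.println("resumed after abrupt close: " + run(false));
    }
}
```

To try it, create the placeholder keystore first, e.g. `keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -dname CN=localhost -storetype PKCS12 -keystore server.p12 -storepass changeit`, then run the class. The two printed lines make the point of the post observable on a given JDK: whether closeInbound without a preceding close_notify leaves the session valid and resumable, or forces the next connection into a full handshake.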