SSLEngine improper close invalidates session

Moritz Bechler bechler at
Sun Apr 24 19:21:04 UTC 2016


Debugging a session resumption issue I found that SSLEngine.closeInbound
will always invalidate the TLS session if no close_notify alert has been

This behavior is no longer mandated by the TLS specification (RFC 5246

      This message notifies the recipient that the sender will not send
      any more messages on this connection.  Note that as of TLS 1.1,
      failure to properly close a connection no longer requires that a
      session not be resumed.  This is a change from TLS 1.0 to conform
      with widespread implementation practice.

and there are a couple of broken clients around that do not send
close_notify at all (e.g. the Microsoft ones), so the current behavior
will cause failed resumptions/full handshakes for these clients.

Any thoughts on this?
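The behavior described in the post can be reproduced with two SSLEngines
handshaking in memory and then closing one side's inbound direction without
ever feeding it a close_notify record. The following is an added example
written for this page; it is not code from the post or from the JDK. It
assumes a PKCS12 keystore "server.p12" (password "changeit") holding a key
pair and a self-signed certificate, which the client side is made to trust
as well, and it pins the protocol to TLSv1.2 to match the RFC 5246 text
quoted above.

```java
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public class CloseInboundDemo {

    // Assumption: "server.p12" contains a key pair plus a self-signed cert,
    // protected by the password "changeit". The same store serves as the
    // client's trust store so the handshake succeeds without a real CA.
    static SSLContext context() throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("server.p12")) {
            ks.load(in, pw);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static boolean done(SSLEngine e) {
        return e.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
    }

    // One handshake step for a single engine: run delegated tasks, consume a
    // record the peer produced, or produce a record for the peer.
    static void step(SSLEngine e, ByteBuffer in, ByteBuffer out, ByteBuffer empty, ByteBuffer sink) throws SSLException {
        switch (e.getHandshakeStatus()) {
            case NEED_TASK:
                Runnable task;
                while ((task = e.getDelegatedTask()) != null) task.run();
                break;
            case NEED_UNWRAP:
                in.flip();
                e.unwrap(in, sink);   // BUFFER_UNDERFLOW is harmless here: retry next round
                in.compact();
                sink.clear();
                break;
            case NEED_WRAP:
                e.wrap(empty, out);
                break;
            default:
                break;
        }
    }

    // Drive both engines in lockstep, shuttling records through two in-memory buffers.
    static void handshake(SSLEngine client, SSLEngine server) throws SSLException {
        int net = client.getSession().getPacketBufferSize();
        int app = client.getSession().getApplicationBufferSize();
        ByteBuffer c2s = ByteBuffer.allocate(4 * net);   // room for a whole flight of records
        ByteBuffer s2c = ByteBuffer.allocate(4 * net);
        ByteBuffer empty = ByteBuffer.allocate(0);
        ByteBuffer sink = ByteBuffer.allocate(app);
        client.beginHandshake();
        server.beginHandshake();
        while (!done(client) || !done(server)) {
            step(client, s2c, c2s, empty, sink);
            step(server, c2s, s2c, empty, sink);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context();
        SSLEngine client = ctx.createSSLEngine("localhost", 443);
        client.setUseClientMode(true);
        client.setEnabledProtocols(new String[] {"TLSv1.2"});
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);
        server.setEnabledProtocols(new String[] {"TLSv1.2"});

        handshake(client, server);
        SSLSession session = server.getSession();
        System.out.println("after handshake, session valid: " + session.isValid());

        // Model a peer that simply drops the connection: the server never
        // unwraps a close_notify alert before its inbound side is closed.
        try {
            server.closeInbound();
        } catch (SSLException e) {
            System.out.println("closeInbound threw: " + e.getMessage());
        }
        System.out.println("after closeInbound without close_notify, session valid: " + session.isValid());
    }
}
```

Run it with the keystore in the working directory; the two printed
`isValid()` values show directly whether the session survives the
close_notify-less close the post complains about. To observe the resumption
consequence, hand the same SSLContext a fresh client engine for "localhost",
443 and compare `getSession().getId()` after a second handshake: a
different ID means a full handshake was performed instead of a resumption.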


