SSLEngine improper close invalidates session

Moritz Bechler bechler at agno3.eu
Sun Apr 24 19:21:04 UTC 2016


Hi,

Debugging a session resumption issue I found that SSLEngine.closeInbound
will always invalidate the TLS session if no close_notify alert has been
received.

This behavior is no longer mandated by the TLS specification (RFC 5246
7.2.1):

   close_notify
      This message notifies the recipient that the sender will not send
      any more messages on this connection.  Note that as of TLS 1.1,
      failure to properly close a connection no longer requires that a
      session not be resumed.  This is a change from TLS 1.0 to conform
      with widespread implementation practice.

and there are a couple of broken clients around that do not send
close_notify at all (e.g. the Microsoft ones) so the current behavior
will cause failed resumptions/full handshakes for these clients.

Any thoughts on this?


regards

Moritz


More information about the security-dev mailing list