8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily by vieiro · Pull Request #799 · openjdk/jdk8u-dev

vieiro · 2026-05-19T16:02:12Z

Backport of JDK-8274736 from JDK11 that solves a race condition in SSLSocketImpl. It also changes different fields and methods from private to protected in SSLSocketTemplate.java , paving the way for future use and abuse of SSLSocketTemplate (e.g., for 2026-07 required backports).

Not a clean backport, since JDK8 directory structure is different from upper versions, but patch is clean otherwise when compared to the original commit.

Tested on RHEL-8 (gcc 8.5.0) with jdk/test/sun/security/ssl/ tests: 110 tests passed, five others failed/errored but seem unrelated to this backport.

--------------------------------------------------
Test results: passed: 110; failed: 1; error: 4

- sun/security/ssl/SSLSocketImpl/ClientTimeout.java                       Error. Test ignored: need further evaluation
- sun/security/ssl/SSLSocketImpl/NonAutoClose.java                        Error. Test ignored: this test does not work any more as the TLS spec changes the behaviors of close_notify
- sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java                       Error. Use -nativepath to specify the location of native code
- sun/security/ssl/SSLSocketImpl/SetClientMode.java                       Error. Test ignored: this test does not grant to work. The handshake may have completed when getSession() return. Please update or remove this test case.
- sun/security/ssl/X509KeyManager/PreferredKey.java                       Failed. Execution failed: `main' threw exception: java.lang.Exception: Failed to get the preferable key aliases

The newly introduced test also passed:

jdk/test/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1

I confirm that I make this contribution in accordance with the OpenJDK Interim AI Policy.

Progress

Change must not contain extraneous whitespace
Commit message must refer to an issue
Change must be properly reviewed (2 reviews required, with at least 2 Reviewers)
JDK-8274736 needs maintainer approval

Issue

JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily (Bug - P3 - Approved)

Reviewers

Paul Hohensee (@phohensee - Reviewer)
Andrew John Hughes (@gnu-andrew - Reviewer)
Severin Gehwolf (@jerboaa - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u-dev.git pull/799/head:pull/799
$ git checkout pull/799

Update a local copy of the PR:
$ git checkout pull/799
$ git pull https://git.openjdk.org/jdk8u-dev.git pull/799/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 799

View PR using the GUI difftool:
$ git pr show -t 799

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk8u-dev/pull/799.diff

Using Webrev

Link to Webrev Comment

bridgekeeper · 2026-05-19T16:04:13Z

👋 Welcome back avieiro! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

openjdk · 2026-05-19T16:06:37Z

@vieiro This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily

Reviewed-by: phh, andrew, sgehwolf

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 1 new commit pushed to the master branch:

d887a86: 8321489: Update LCMS to 2.16

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@phohensee, @gnu-andrew, @jerboaa) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

openjdk · 2026-05-19T16:06:53Z

This backport pull request has now been updated with issue from the original commit.

mlbridge · 2026-05-19T16:11:22Z

Webrevs

00: Full (074b8137)

openjdk · 2026-05-19T16:57:14Z

⚠️ @vieiro This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

vieiro · 2026-05-19T16:59:35Z

/approval request Please consider approving this backport from JDK11 that improves SSLSocketTemplate.java allowing it to be inherited in future backports of SSL security related tests.

jerboaa · 2026-05-19T17:03:17Z

This one needs a follow-up: https://bugs.openjdk.org/browse/JDK-8280158

openjdk · 2026-05-19T17:38:57Z

@vieiro
8274736: The approval request has been created successfully.

gnu-andrew · 2026-05-20T06:55:12Z

/reviewers 2 reviewer

openjdk · 2026-05-20T06:58:18Z

@gnu-andrew
The total number of required reviews for this PR (including the jcheck configuration and the last /reviewers command) is now set to 2 (with at least 2 Reviewers).

gnu-andrew

Patch confirmed clean.

What do the test results look like on an unpatched JDK? Do you see the same failures?

vieiro · 2026-05-20T07:24:41Z

Patch confirmed clean.

What do the test results look like on an unpatched JDK? Do you see the same failures?

Yes, running tests on master (RHEL-8, gcc 8.5.0) gives the sames results:

Test results: passed: 109; failed: 1; error: 4

With:

$ grep Failed JTreport/text/summary.txt 
sun/security/ssl/SSLEngineImpl/SSLEngineFailedALPN.java                 Passed. Execution successful
sun/security/ssl/X509KeyManager/PreferredKey.java                       Failed. Execution failed: `main' threw exception: java.lang.Exception: Failed to get the preferable key aliases

And:

$ grep Error JTreport/text/summary.txt 
sun/security/ssl/SSLSocketImpl/ClientTimeout.java                       Error. Test ignored: need further evaluation
sun/security/ssl/SSLSocketImpl/NonAutoClose.java                        Error. Test ignored: this test does not work any more as the TLS spec changes the behaviors of close_notify.
sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java                       Error. Use -nativepath to specify the location of native code
sun/security/ssl/SSLSocketImpl/SetClientMode.java                       Error. Test ignored: this test does not grant to work. The handshake may have completed when getSession() return. Please update or remove this test case.

vieiro · 2026-05-20T10:23:49Z

This one needs a follow-up: https://bugs.openjdk.org/browse/JDK-8280158

Backport at #802

jerboaa

Seems OK to me.

gnu-andrew

Thanks for confirming no regressions.

gnu-andrew · 2026-05-23T16:57:35Z

/approve yes

openjdk · 2026-05-23T16:57:55Z

@gnu-andrew
8274736: The approval request has been approved.

Backport ec89f1b6c317932e937291f43e68d04ff77204b8

074b813

openjdk Bot changed the title ~~Backport ec89f1b6c317932e937291f43e68d04ff77204b8~~ 8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily May 19, 2026

openjdk Bot added backport Port of a pull request already in a different code base rfr Pull request is ready for review labels May 19, 2026

phohensee approved these changes May 19, 2026

View reviewed changes

openjdk Bot added the approval Requires approval; will be removed when approval is received label May 19, 2026

gnu-andrew suggested changes May 20, 2026

View reviewed changes

vieiro mentioned this pull request May 20, 2026

8280158: New test from JDK-8274736 failed with/without patch in JDK11u #802

Open

5 tasks

jerboaa approved these changes May 21, 2026

View reviewed changes

gnu-andrew approved these changes May 23, 2026

View reviewed changes

openjdk Bot added ready Pull request is ready to be integrated and removed approval Requires approval; will be removed when approval is received labels May 23, 2026

Conversation

vieiro commented May 19, 2026 • edited by openjdk Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Progress

Issue

Reviewers

Reviewing

Uh oh!

bridgekeeper Bot commented May 19, 2026

Uh oh!

openjdk Bot commented May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openjdk Bot commented May 19, 2026

Uh oh!

mlbridge Bot commented May 19, 2026

Webrevs

Uh oh!

openjdk Bot commented May 19, 2026

Uh oh!

vieiro commented May 19, 2026

Uh oh!

jerboaa commented May 19, 2026

Uh oh!

openjdk Bot commented May 19, 2026

Uh oh!

gnu-andrew commented May 20, 2026

Uh oh!

openjdk Bot commented May 20, 2026

Uh oh!

gnu-andrew left a comment

Choose a reason for hiding this comment

Uh oh!

vieiro commented May 20, 2026

Uh oh!

vieiro commented May 20, 2026

Uh oh!

jerboaa left a comment

Choose a reason for hiding this comment

Uh oh!

gnu-andrew left a comment

Choose a reason for hiding this comment

Uh oh!

gnu-andrew commented May 23, 2026

Uh oh!

openjdk Bot commented May 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

4 participants

vieiro commented May 19, 2026 •

edited by openjdk Bot

Loading

openjdk Bot commented May 19, 2026 •

edited

Loading