8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily

[vieiro]

Backport of JDK-8274736 from JDK11 that solves a race condition in SSLSocketImpl. It also changes different fields and methods from private to protected in SSLSocketTemplate.java , paving the way for future use and abuse of SSLSocketTemplate (e.g., for 2026-07 required backports).

Not a clean backport, since JDK8 directory structure is different from upper versions, but patch is clean otherwise when compared to the original commit.

Tested on RHEL-8 (gcc 8.5.0) with jdk/test/sun/security/ssl/ tests: 110 tests passed, five others failed/errored but seem unrelated to this backport.

--------------------------------------------------
Test results: passed: 110; failed: 1; error: 4

- sun/security/ssl/SSLSocketImpl/ClientTimeout.java                       Error. Test ignored: need further evaluation
- sun/security/ssl/SSLSocketImpl/NonAutoClose.java                        Error. Test ignored: this test does not work any more as the TLS spec changes the behaviors of close_notify
- sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java                       Error. Use -nativepath to specify the location of native code
- sun/security/ssl/SSLSocketImpl/SetClientMode.java                       Error. Test ignored: this test does not grant to work. The handshake may have completed when getSession() return. Please update or remove this test case.
- sun/security/ssl/X509KeyManager/PreferredKey.java                       Failed. Execution failed: `main' threw exception: java.lang.Exception: Failed to get the preferable key aliases

The newly introduced test also passed:

jdk/test/sun/security/ssl/SSLSessionImpl/NoInvalidateSocketException.java
TEST RESULT: Passed. Execution successful
--------------------------------------------------
Test results: passed: 1

---

• I confirm that I make this contribution in accordance with the OpenJDK Interim AI Policy.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed (2 reviews required, with at least 2 Reviewers)
• JDK-8274736 needs maintainer approval

Issue

• JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily (Bug - P3 - Requested)

Reviewers

• Paul Hohensee (@phohensee - Reviewer)
• Severin Gehwolf (@jerboaa - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u-dev.git pull/799/head:pull/799
$ git checkout pull/799

Update a local copy of the PR:
$ git checkout pull/799
$ git pull https://git.openjdk.org/jdk8u-dev.git pull/799/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 799

View PR using the GUI difftool:
$ git pr show -t 799

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk8u-dev/pull/799.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back avieiro! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 00: Full (074b8137)

[openjdk]

⚠️ @vieiro This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[vieiro]

/approval request Please consider approving this backport from JDK11 that improves SSLSocketTemplate.java allowing it to be inherited in future backports of SSL security related tests.

[jerboaa]

This one needs a follow-up: https://bugs.openjdk.org/browse/JDK-8280158

[openjdk]

@vieiro
8274736: The approval request has been created successfully.

[gnu-andrew]

/reviewers 2 reviewer

[openjdk]

@gnu-andrew
The total number of required reviews for this PR (including the jcheck configuration and the last /reviewers command) is now set to 2 (with at least 2 Reviewers).

[gnu-andrew]

Patch confirmed clean.

What do the test results look like on an unpatched JDK? Do you see the same failures?

[vieiro]

Patch confirmed clean.

What do the test results look like on an unpatched JDK? Do you see the same failures?

Yes, running tests on master (RHEL-8, gcc 8.5.0) gives the sames results:

Test results: passed: 109; failed: 1; error: 4

With:

$ grep Failed JTreport/text/summary.txt 
sun/security/ssl/SSLEngineImpl/SSLEngineFailedALPN.java                 Passed. Execution successful
sun/security/ssl/X509KeyManager/PreferredKey.java                       Failed. Execution failed: `main' threw exception: java.lang.Exception: Failed to get the preferable key aliases

And:

$ grep Error JTreport/text/summary.txt 
sun/security/ssl/SSLSocketImpl/ClientTimeout.java                       Error. Test ignored: need further evaluation
sun/security/ssl/SSLSocketImpl/NonAutoClose.java                        Error. Test ignored: this test does not work any more as the TLS spec changes the behaviors of close_notify.
sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java                       Error. Use -nativepath to specify the location of native code
sun/security/ssl/SSLSocketImpl/SetClientMode.java                       Error. Test ignored: this test does not grant to work. The handshake may have completed when getSession() return. Please update or remove this test case.

[vieiro]

This one needs a follow-up: https://bugs.openjdk.org/browse/JDK-8280158

Backport at #802

[jerboaa]

Seems OK to me.