On Thu, 24 Oct 2024 07:08:46 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
> > > > Does it happen in server side (server send plaintext) as well? I found some cases that the client decryption failed.
> > >
> > > Current reports indicate it happens on the server side only (server throws the exception). Please share any cases when it happens on the client side. This PR has a check to handle this scenario on the server side only.
> >
> > Here is a stack trace:
> >
> > ```
> > javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
> >     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
> >     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
> >     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
> >     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
> >     at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:134)
> >     at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
> >     at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
> >     at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
> >     at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
> >     at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:576)
> >     at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
> >     at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1458)
> >     at java.base/sun.net.www.protocol.http.HttpURLConnection$8.run(HttpURLConnection.java:1421)
> >     at java.base/sun.net.www.protocol.http.HttpURLConnection$8.run(HttpURLConnection.java:1419)
> >     at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
> >     at java.base/java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:962)
> >     at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1418)
> >     at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:220)
> > ```
> >
> > Please consider this case for the exception message. Otherwise, a follow up update may be required to re-word it.

We don't know why it happens on the client side, so there is no additional information to provide. The goal is to help users to debug this situation so we provide the only possible cause we know about. So we state one reason why it `can` happen, that's not necessarily the reason why it always happens: https://mail.openjdk.org/pipermail/security-dev/2024-May/039423.html

When additional details are known about the client case we'll update the message.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21043#issuecomment-2435633871