From 6d7110edf5e02c115c73e49a61c2ddcf36dd5009 Mon Sep 17 00:00:00 2001
From: Tim Brooks
Date: Tue, 23 Apr 2019 19:43:15 -0600
Subject: [PATCH] SSLDriver can transition to CLOSED in handshake (#41458)

TLS 1.3 changes to the SSLEngine introduced a scenario where a UNWRAP call during a handshake can consume a close notify alerty without throwing an exception. This means that we continue down a codepath where we assert that we are still in handshaking mode. Transitioning to closed from handshaking is a valid scenario. This commit removes this assertion.
---
 .../xpack/security/transport/nio/SSLDriver.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java
index 7314eadf9ec..93978bcc6a3 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java
@@ -439,8 +439,10 @@ public class SSLDriver implements AutoCloseable {
 // If the engine is partially closed, immediate transition to close mode.
 if (currentMode.isHandshake()) {
 currentMode = new CloseMode(true);
- } else {
- String message = "Expected to be in handshaking mode. Instead in non-handshaking mode: " + currentMode;
+ } else if (currentMode.isApplication()) {
+ // It is possible to be in CLOSED mode if the prior UNWRAP call returned CLOSE_NOTIFY.
+ // However we should not be in application mode at this point.
+ String message = "Expected to be in handshaking/closed mode. Instead in application mode.";
 throw new AssertionError(message);
 }
 } else if (hasFlushPending() == false) {
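Review bot: The remaining `else if (currentMode.isApplication())` branch still throws `AssertionError` unconditionally, and because that is an `Error` it bypasses any `catch (Exception)` or `catch (SSLException)` cleanup that callers rely on to close the channel. The commit message describes a peer's close_notify during the handshake reaching the previous version of this throw, so the state seen on this path is evidently influenced by what the remote end sends. If application mode can only be reached here through a local bug, `assert false : message;` keeps the check in test runs without affecting production; otherwise fail the connection with `throw new SSLException(message);`, assuming the enclosing method, which starts and ends outside this hunk, declares it. The diffstat shows only SSLDriver.java changed, so a regression test that delivers close_notify mid-handshake and expects the driver to end in close mode would pin the new behaviour.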