java protocol_error ai_generated true

javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify

ID: java/ssl-exception-closed-ssl-socket

Fix Rate: 85%
Confidence: 88%
Evidence: 1
First Seen: 2023-08-15

Version Compatibility

Version   Status   Introduced   Deprecated   Notes
Java 8    active
Java 11   active
Java 17   active
Java 21   active

Root Cause

The SSL/TLS connection is being closed by the client or server without exchanging the proper close_notify alert, violating the TLS protocol specification.

generic


Official Documentation

https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/net/ssl/SSLException.html

Workarounds

  1. (85% success) Add system property -Djdk.tls.acknowledgeCloseNotify=true to allow graceful handling of missing close_notify messages.
  2. (90% success) Ensure the server sends a proper close_notify alert before closing the socket. In Java, use SSLSocket.close(), which automatically sends close_notify, not Socket.close().
  3. (75% success) Catch the SSLException in the client code and treat it as a normal connection termination without retrying.
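
Workaround 3 is only safe when the application protocol carries its own framing, because close_notify is what lets a TLS peer tell a finished stream from a truncated one. The Java code below is an added example, not code from the original page: the class and method names are hypothetical, the declared length is assumed to come from something like an HTTP Content-Length header, and NoCloseNotifyStream is a constructed stand-in for a real TLS socket stream.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLException;

// Added example with hypothetical names; not code from the original page.
public class CloseNotifyGuard {

    // Constructed stand-in for a TLS stream whose peer dropped the connection
    // without sending close_notify: close() raises the error from this page.
    static class NoCloseNotifyStream extends ByteArrayInputStream {
        NoCloseNotifyStream(byte[] wire) { super(wire); }
        @Override public void close() throws IOException {
            throw new SSLException("closing inbound before receiving peer's close_notify");
        }
    }

    // Reads a body whose length the application protocol declared up front
    // (assumption: something like HTTP Content-Length). The missing
    // close_notify is ignored only when every declared byte has arrived.
    static byte[] readFramed(InputStream in, int declared) throws IOException {
        byte[] body = new byte[declared];
        int got = 0;
        SSLException shutdownError = null;
        try (InputStream s = in) {
            while (got < declared) {
                int n = s.read(body, got, declared - got);
                if (n < 0) break;                 // stream ended early
                got += n;
            }
        } catch (SSLException e) {
            shutdownError = e;                    // decide below, do not retry
        }
        if (got < declared) {
            // Short body plus unclean shutdown: possible truncation, reject it.
            throw new IOException("truncated: " + got + "/" + declared + " bytes", shutdownError);
        }
        return body;                              // complete; shutdown error is benign
    }

    public static void main(String[] args) throws IOException {
        byte[] wire = "hello".getBytes(StandardCharsets.US_ASCII); // constructed sample
        byte[] ok = readFramed(new NoCloseNotifyStream(wire), 5);
        System.out.println("accepted: " + new String(ok, StandardCharsets.US_ASCII));
        try {
            readFramed(new NoCloseNotifyStream(wire), 8);          // peer promised 8 bytes
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```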


Dead Ends

Common approaches that don't work:

  1. Set javax.net.ssl.trustStore system property to a custom truststore 90% fail

    This error is not related to truststore configuration; changing trust stores does not affect TLS close_notify shutdown behavior.

  2. Increase SSL socket timeout using setSoTimeout() 85% fail

    Timeout settings do not control TLS shutdown behavior; the error occurs even with ample timeouts.

  3. Disable SSL verification entirely with a custom TrustManager 95% fail

    Disabling verification bypasses certificate checks but does not fix the protocol-level close_notify violation.