Improve Robustness for TLS 1.3 #46734
Open
+65
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/azp run java - cosmos - tests |
|
Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command. |
…to tvaron3/tls1.3fix # Conflicts: # sdk/cosmos/azure-cosmos/CHANGELOG.md
|
/azp run java - cosmos - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run java - cosmos - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Pull Request Overview
This PR improves robustness for TLS 1.3 connections by preventing duplicate handler exceptions when multiple handshake completion events are emitted by Netty.
- Added a defensive check to prevent adding IdleStateHandler multiple times when multiple SSL handshake completion events occur
- Included test coverage for the SSL implementation behavior
- Updated test configuration to force JDK SSL implementation instead of OpenSSL
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| sdk/cosmos/live-platform-matrix.json | Added test configuration to disable OpenSSL and force JDK SSL implementation |
| sdk/cosmos/azure-cosmos/src/main/java/com/azure/cosmos/implementation/directconnectivity/rntbd/RntbdRequestManager.java | Added null check to prevent duplicate IdleStateHandler additions during SSL handshake completion |
| sdk/cosmos/azure-cosmos/CHANGELOG.md | Updated changelog to document the SSL handshake resilience improvement |
| sdk/cosmos/azure-cosmos-tests/src/test/java/com/azure/cosmos/implementation/directconnectivity/rntbd/RntbdRequestManagerTests.java | Added unit test to verify IdleStateHandler is only added once despite multiple SSL handshake completion events |
.../main/java/com/azure/cosmos/implementation/directconnectivity/rntbd/RntbdRequestManager.java
Show resolved
Hide resolved
.../java/com/azure/cosmos/implementation/directconnectivity/rntbd/RntbdRequestManagerTests.java
Show resolved
Hide resolved
.../java/com/azure/cosmos/implementation/directconnectivity/rntbd/RntbdRequestManagerTests.java
Show resolved
Hide resolved
|
/azp run java - cosmos - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run java - cosmos - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
xinlian12
reviewed
Sep 19, 2025
xinlian12
reviewed
Sep 19, 2025
…to tvaron3/tls1.3fix # Conflicts: # sdk/cosmos/azure-cosmos/CHANGELOG.md
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
It is possible that in tls 1.3 with certain netty dependencies that the SDK will get a duplicate handler exception because multiple handshake completion events are emitted by netty. This pr improves the resilience of the sdk in this scenario by only adding a handler once regardless of the amount of completion events emitted. It also adds some test coverage for the ssl implementation from the jdk.