8261289: Incorrect cleanup in LDAP TLS handling #30547

Open
jaikiran wants to merge 1 commit into openjdk:master from jaikiran:8261289

@jaikiran jaikiran commented Apr 2, 2026

Can I please get a review of this change which proposes to address the issue noted in https://bugs.openjdk.org/browse/JDK-8261289?

The JDK's implementation of the LdapContext allows for the LDAPv3 Extended Response for StartTLS. LdapContext.extendedOperation(new StartTlsRequest()) can be invoked by an application to obtain a StartTlsResponse which can then be used to StartTlsResponse.negotiate() a TLS session. A successful TLS negotiation will result in the underlying LDAP connection's input/output streams being switched to TLS specific streams. Any subsequent communication over the LDAP context will happen over these TLS streams, until the StartTlsResponse.close() is called.

One part of TLS negotiation involves certificate verification. In the JDK's implementation of StartTlsResponse, if the certificate verification fails (for whatever reason) after the LDAP connection's streams have been switched to TLS specific streams, then these streams must be switched back to the original streams that were present before the TLS negotiation was attempted. However, due to a bug, this currently doesn't happen and after a failed TLS negotiation, subsequent communication over the LDAP connection (which is allowed) continues to use these TLS streams.

The commit in this PR addresses that issue in the implementation of StartTlsResponse. Minor related clean up is done to that implementation to properly handle exceptions. A new jtreg test has been introduced to reproduce the issue and verify the fix.

tier1, tier2, tier3 tests continue to pass with this change.


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8261289: Incorrect cleanup in LDAP TLS handling (Bug - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/30547/head:pull/30547
$ git checkout pull/30547

Update a local copy of the PR:
$ git checkout pull/30547
$ git pull https://git.openjdk.org/jdk.git pull/30547/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 30547

View PR using the GUI difftool:
$ git pr show -t 30547

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/30547.diff

Using Webrev

Link to Webrev Comment
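
An application-side pattern for the behaviour described in the PR description above, as an added example that is not part of this PR or of the JDK sources: if `StartTlsResponse.negotiate()` fails, close the `LdapContext` instead of issuing further operations on it. The class name `StartTlsFailClosed`, the `SecuredContext` record and the placeholder URL are assumptions made for illustration; the code needs Java 16 or later and a reachable LDAP server.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class StartTlsFailClosed {

    /** Hypothetical holder: pairs the context with the TLS handle that must be closed first. */
    record SecuredContext(LdapContext ctx, StartTlsResponse tls) implements AutoCloseable {
        @Override
        public void close() throws IOException, NamingException {
            try {
                tls.close();   // end the TLS session on the LDAP connection
            } finally {
                ctx.close();   // always release the connection itself
            }
        }
    }

    /** Returns a context only after TLS negotiation succeeded; otherwise the context is closed. */
    static SecuredContext open(String ldapUrl) throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();   // throws IOException on handshake or certificate verification failure
            return new SecuredContext(ctx, tls);
        } catch (NamingException | IOException | RuntimeException e) {
            // Fail closed: never hand back a context whose negotiation did not complete.
            try { ctx.close(); } catch (NamingException suppressed) { e.addSuppressed(suppressed); }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL (assumption); pass a real server URL as the first argument.
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.test:389";
        try (SecuredContext sc = open(url)) {
            System.out.println(sc.ctx().getAttributes("", new String[] {"namingContexts"}));
        }
    }
}
```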

bridgekeeper bot commented Apr 2, 2026

👋 Welcome back jpai! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

openjdk bot commented Apr 2, 2026

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

openjdk bot added the core-libs (core-libs-dev@openjdk.org) label Apr 2, 2026

openjdk bot commented Apr 2, 2026

@jaikiran The following label will be automatically applied to this pull request:

  • core-libs

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

openjdk bot added the rfr (Pull request is ready for review) label Apr 2, 2026

mlbridge bot commented Apr 2, 2026

Webrevs
