openjdk · jaikiran · Mar 27, 2026
diff --git a/src/java.naming/share/classes/com/sun/jndi/ldap/ext/StartTlsResponseImpl.java b/src/java.naming/share/classes/com/sun/jndi/ldap/ext/StartTlsResponseImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,7 +29,6 @@
 import java.io.OutputStream;
 import java.io.IOException;
 
-import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateException;
 
@@ -64,11 +63,6 @@ public final class StartTlsResponseImpl extends StartTlsResponse {
 
     private static final boolean debug = false;
 
-    /*
-     * The dNSName type in a subjectAltName extension of an X.509 certificate
-     */
-    private static final int DNSNAME_TYPE = 2;
-
     /*
      * The server's hostname.
      */
@@ -111,9 +105,9 @@ public final class StartTlsResponseImpl extends StartTlsResponse {
     private transient HostnameVerifier verifier = null;
 
     /*
-     * The flag to indicate that the TLS connection is closed.
+     * The flag to indicate that close() was invoked
      */
-    private transient boolean isClosed = true;
+    private transient boolean closed;
 
     private static final long serialVersionUID = -1126624615143411328L;
 
@@ -133,6 +127,7 @@ public StartTlsResponseImpl() {}
      * enable.
      * @see #negotiate
      */
+    @Override
     public void setEnabledCipherSuites(String[] suites) {
         // The impl does accept null suites, although the spec requires
         // a non-null list.
@@ -150,6 +145,7 @@ public void setEnabledCipherSuites(String[] suites) {
      * @param verifier The non-null hostname verifier callback.
      * @see #negotiate
      */
+    @Override
     public void setHostnameVerifier(HostnameVerifier verifier) {
         this.verifier = verifier;
     }
@@ -165,6 +161,7 @@ public void setHostnameVerifier(HostnameVerifier verifier) {
      * @see #setEnabledCipherSuites
      * @see #setHostnameVerifier
      */
+    @Override
     public SSLSession negotiate() throws IOException {
 
         return negotiate(null);
@@ -200,9 +197,10 @@ public SSLSession negotiate() throws IOException {
      * @see #setEnabledCipherSuites
      * @see #setHostnameVerifier
      */
+    @Override
     public SSLSession negotiate(SSLSocketFactory factory) throws IOException {
 
-        if (isClosed && sslSocket != null) {
+        if (closed) {
             throw new IOException("TLS connection is closed.");
         }
 
@@ -223,7 +221,6 @@ public SSLSession negotiate(SSLSocketFactory factory) throws IOException {
         SSLPeerUnverifiedException verifExcep = null;
         try {
             if (verify(hostname, sslSession)) {
-                isClosed = false;
                 return sslSession;
             }
         } catch (SSLPeerUnverifiedException e) {
@@ -232,18 +229,18 @@ public SSLSession negotiate(SSLSocketFactory factory) throws IOException {
         }
         if ((verifier != null) &&
                 verifier.verify(hostname, sslSession)) {
-            isClosed = false;
             return sslSession;
         }
-
         // Verification failed
-        close();
-        sslSession.invalidate();
         if (verifExcep == null) {
-            verifExcep = new SSLPeerUnverifiedException(
-                        "hostname of the server '" + hostname +
-                        "' does not match the hostname in the " +
-                        "server's certificate.");
+            verifExcep = new SSLPeerUnverifiedException("hostname of the server '"
+                    + hostname + "' does not match the hostname in the server's certificate.");
+        }
+        sslSession.invalidate();
+        try {
+            close();
+        } catch (IOException ioe) {
+            verifExcep.addSuppressed(ioe);
         }
         throw verifExcep;
     }
@@ -255,15 +252,13 @@ public SSLSession negotiate(SSLSocketFactory factory) throws IOException {
      * @throws IOException If an IO error was encountered while closing the
      * TLS connection
      */
+    @Override
     public void close() throws IOException {
-
-        if (isClosed) {
+        if (closed) {
             return;
         }
-
         if (debug) {
-            System.out.println("StartTLS: replacing SSL " +
-                                "streams with originals");
+            System.out.println("StartTLS: closing");
         }
 
         // Replace SSL streams with the original streams
@@ -273,9 +268,13 @@ public void close() throws IOException {
         if (debug) {
             System.out.println("StartTLS: closing SSL Socket");
         }
-        sslSocket.close();
-
-        isClosed = true;
+        try {
+            if (sslSocket != null) {
+                sslSocket.close();
+            }
+        } finally {
+            closed = true;
+        }
     }
 
     /**
@@ -298,9 +297,8 @@ public void setConnection(Connection ldapConnection, String hostname) {
      * Returns the default SSL socket factory.
      *
      * @return The default SSL socket factory.
-     * @throws IOException If TLS is not supported.
      */
-    private SSLSocketFactory getDefaultFactory() throws IOException {
+    private SSLSocketFactory getDefaultFactory() {
 
         if (defaultFactory != null) {
             return defaultFactory;
@@ -370,9 +368,13 @@ private SSLSocket startHandshake(SSLSocketFactory factory)
                 System.out.println("StartTLS: Got IO error during handshake");
                 e.printStackTrace();
             }
-
-            sslSocket.close();
-            isClosed = true;
+            try {
+                close();
+            } catch (IOException ioe) {
+                if (e != ioe) {
+                    e.addSuppressed(ioe);
+                }
+            }
             throw e;   // pass up exception
         }
 
@@ -441,20 +443,4 @@ private boolean verify(String hostname, SSLSession session)
                                 "server's certificate.", e);
         }
     }
-
-    /*
-     * Get the peer principal from the session
-     */
-    private static Principal getPeerPrincipal(SSLSession session)
-            throws SSLPeerUnverifiedException {
-        Principal principal;
-        try {
-            principal = session.getPeerPrincipal();
-        } catch (AbstractMethodError e) {
-            // if the JSSE provider does not support it, return null, since
-            // we need it only for Kerberos.
-            principal = null;
-        }
-        return principal;
-    }
 }