BCJSSE: Single shared map of session bindings across session lifetime

peterdettman · peterdettman · commit c40346055324 · 2025-08-08T19:05:24.000+07:00
- see #2136
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLEngine.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLEngine.java
@@ -57,6 +57,7 @@ class ProvSSLEngine
     protected TlsProtocol protocol = null;
     protected ProvTlsPeer protocolPeer = null;
     protected ProvSSLConnection connection = null;
+    protected ProvSSLSession dummySession = null;
     protected ProvSSLSessionHandshake handshakeSession = null;
 
     protected SSLException deferredException = null;
@@ -225,7 +226,12 @@ public synchronized BCApplicationProtocolSelector<SSLEngine> getBCHandshakeAppli
         return sslParameters.getEngineAPSelector();
     }
 
-    public synchronized BCExtendedSSLSession getBCHandshakeSession()
+    public BCExtendedSSLSession getBCHandshakeSession()
+    {
+        return getBCHandshakeSessionImpl();
+    }
+
+    public synchronized ProvSSLSessionHandshake getBCHandshakeSessionImpl()
     {
         return handshakeSession;
     }
@@ -703,7 +709,7 @@ public synchronized void notifyHandshakeSession(ProvSSLSessionContext sslSession
         if (null != resumedSession)
         {
             this.handshakeSession = new ProvSSLSessionResumed(sslSessionContext, peerHost, peerPort, securityParameters,
-                jsseSecurityParameters, resumedSession.getTlsSession(), resumedSession.getJsseSessionParameters());
+                jsseSecurityParameters, resumedSession);
         }
         else
         {
@@ -717,9 +723,19 @@ public synchronized String selectApplicationProtocol(List<String> protocols)
         return sslParameters.getEngineAPSelector().select(this, protocols);
     }
 
-    ProvSSLSession getSessionImpl()
+    synchronized ProvSSLSession getSessionImpl()
     {
-        return null == connection ? ProvSSLSession.NULL_SESSION : connection.getSession();
+        if (connection != null)
+        {
+            return connection.getSession();
+        }
+
+        if (dummySession == null)
+        {
+            dummySession = ProvSSLSession.createDummySession();
+        }
+
+        return dummySession;
     }
 
     private RecordPreview getRecordPreview(ByteBuffer src)
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSession.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSession.java
@@ -1,6 +1,7 @@
 package org.bouncycastle.jsse.provider;
 
 import java.util.List;
+import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.jsse.BCSNIServerName;
 import org.bouncycastle.tls.CipherSuite;
@@ -11,19 +12,14 @@
 class ProvSSLSession
     extends ProvSSLSessionBase
 {
-    // TODO[jsse] Ensure this behaves according to the javadoc for SSLSocket.getSession and SSLEngine.getSession
-    // TODO[jsse] This would make more sense as a ProvSSLSessionHandshake
-    static final ProvSSLSession NULL_SESSION = new ProvSSLSession(null, null, -1, null,
-        new JsseSessionParameters(null, null));
-
     protected final TlsSession tlsSession;
     protected final SessionParameters sessionParameters;
     protected final JsseSessionParameters jsseSessionParameters;
 
-    ProvSSLSession(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort, TlsSession tlsSession,
-        JsseSessionParameters jsseSessionParameters)
+    ProvSSLSession(ProvSSLSessionContext sslSessionContext, ConcurrentHashMap<String, Object> valueMap, String peerHost,
+        int peerPort, TlsSession tlsSession, JsseSessionParameters jsseSessionParameters)
     {
-        super(sslSessionContext, peerHost, peerPort);
+        super(sslSessionContext, valueMap, peerHost, peerPort);
 
         this.tlsSession = tlsSession;
         this.sessionParameters = tlsSession == null ? null : tlsSession.exportSessionParameters();
@@ -110,4 +106,10 @@ public boolean isValid()
     {
         return super.isValid() && null != tlsSession && tlsSession.isResumable();
     }
+
+    static final ProvSSLSession createDummySession()
+    {
+        // NB: Allow session value binding on failed connections for SunJSSE compatibility 
+        return new ProvSSLSession(null, createValueMap(), null, -1, null, new JsseSessionParameters(null, null));
+    }
 }
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java
@@ -25,9 +25,8 @@
 abstract class ProvSSLSessionBase
     extends BCExtendedSSLSession
 {
-    protected final ConcurrentHashMap<String, Object> valueMap = new ConcurrentHashMap<String, Object>();
-
     protected final AtomicReference<ProvSSLSessionContext> sslSessionContext;
+    protected final ConcurrentHashMap<String, Object> valueMap;
     protected final boolean fipsMode;
     protected final JcaTlsCrypto crypto;
     protected final String peerHost;
@@ -36,9 +35,11 @@ abstract class ProvSSLSessionBase
     protected final SSLSession exportSSLSession;
     protected final AtomicLong lastAccessedTime;
 
-    ProvSSLSessionBase(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort)
+    ProvSSLSessionBase(ProvSSLSessionContext sslSessionContext, ConcurrentHashMap<String, Object> valueMap,
+        String peerHost, int peerPort)
     {
         this.sslSessionContext = new AtomicReference<ProvSSLSessionContext>(sslSessionContext);
+        this.valueMap = valueMap;
         this.fipsMode = (null == sslSessionContext) ? false : sslSessionContext.getContextData().isFipsMode();
         this.crypto = (null == sslSessionContext) ? null : sslSessionContext.getContextData().getCrypto();
         this.peerHost = peerHost;
@@ -243,6 +244,11 @@ public Object getValue(String name)
         return valueMap.get(name);
     }
 
+    ConcurrentHashMap<String, Object> getValueMap()
+    {
+        return valueMap;
+    }
+
     public String[] getValueNames()
     {
         return valueMap.keySet().toArray(new String[0]);
@@ -351,4 +357,9 @@ private void implInvalidate(boolean removeFromSessionContext)
 
         invalidateTLS();
     }
+
+    protected static ConcurrentHashMap<String, Object> createValueMap()
+    {
+        return new ConcurrentHashMap<String, Object>();
+    }
 }
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionContext.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionContext.java
@@ -89,14 +89,15 @@ synchronized void removeSession(byte[] sessionID)
         }
     }
 
-    synchronized ProvSSLSession reportSession(String peerHost, int peerPort, TlsSession tlsSession,
-        JsseSessionParameters jsseSessionParameters, boolean addToCache)
+    synchronized ProvSSLSession reportSession(ProvSSLSessionHandshake handshakeSession, String peerHost, int peerPort,
+        TlsSession tlsSession, JsseSessionParameters jsseSessionParameters, boolean addToCache)
     {
         processQueue();
 
         if (!addToCache)
         {
-            return new ProvSSLSession(this, peerHost, peerPort, tlsSession, jsseSessionParameters);
+            return new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort, tlsSession,
+                jsseSessionParameters);
         }
 
         SessionID sessionID = makeSessionID(tlsSession.getSessionID());
@@ -105,7 +106,8 @@ synchronized ProvSSLSession reportSession(String peerHost, int peerPort, TlsSess
         ProvSSLSession session = sessionEntry == null ? null : sessionEntry.get();
         if (null == session || session.getTlsSession() != tlsSession)
         {
-            session = new ProvSSLSession(this, peerHost, peerPort, tlsSession, jsseSessionParameters);
+            session = new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort, tlsSession,
+                jsseSessionParameters);
 
             if (null != sessionID)
             {
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionHandshake.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionHandshake.java
@@ -4,6 +4,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Vector;
+import java.util.concurrent.ConcurrentHashMap;
 
 import org.bouncycastle.jsse.BCSNIServerName;
 import org.bouncycastle.tls.ProtocolVersion;
@@ -19,7 +20,14 @@ class ProvSSLSessionHandshake
     ProvSSLSessionHandshake(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort,
         SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters)
     {
-        super(sslSessionContext, peerHost, peerPort);
+        this(sslSessionContext, createValueMap(), peerHost, peerPort, securityParameters, jsseSecurityParameters);
+    }
+
+    protected ProvSSLSessionHandshake(ProvSSLSessionContext sslSessionContext,
+        ConcurrentHashMap<String, Object> valueMap, String peerHost, int peerPort,
+        SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters)
+    {
+        super(sslSessionContext, valueMap, peerHost, peerPort);
 
         this.securityParameters = securityParameters;
         this.jsseSecurityParameters = jsseSecurityParameters;
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionResumed.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionResumed.java
@@ -13,14 +13,15 @@ class ProvSSLSessionResumed
     protected final JsseSessionParameters jsseSessionParameters;
 
     ProvSSLSessionResumed(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort,
-        SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters, TlsSession tlsSession,
-        JsseSessionParameters jsseSessionParameters)
+        SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters,
+        ProvSSLSession resumedSession)
     {
-        super(sslSessionContext, peerHost, peerPort, securityParameters, jsseSecurityParameters);
+        super(sslSessionContext, resumedSession.getValueMap(), peerHost, peerPort, securityParameters,
+            jsseSecurityParameters);
 
-        this.tlsSession = tlsSession;
+        this.tlsSession = resumedSession.getTlsSession();
         this.sessionParameters = tlsSession.exportSessionParameters();
-        this.jsseSessionParameters = jsseSessionParameters;
+        this.jsseSessionParameters = resumedSession.getJsseSessionParameters();
     }
 
     @Override
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java
@@ -51,6 +51,7 @@ class ProvSSLSocketDirect
     protected TlsProtocol protocol = null;
     protected ProvTlsPeer protocolPeer = null;
     protected ProvSSLConnection connection = null;
+    protected ProvSSLSession dummySession = null;
     protected ProvSSLSessionHandshake handshakeSession = null;
 
     /** This constructor is the one used (only) by ProvSSLServerSocket */
@@ -183,7 +184,12 @@ public synchronized BCApplicationProtocolSelector<SSLSocket> getBCHandshakeAppli
         return sslParameters.getSocketAPSelector();
     }
 
-    public synchronized BCExtendedSSLSession getBCHandshakeSession()
+    public BCExtendedSSLSession getBCHandshakeSession()
+    {
+        return getBCHandshakeSessionImpl();
+    }
+
+    public synchronized ProvSSLSessionHandshake getBCHandshakeSessionImpl()
     {
         return handshakeSession;
     }
@@ -490,7 +496,7 @@ public synchronized void notifyHandshakeSession(ProvSSLSessionContext sslSession
         if (null != resumedSession)
         {
             this.handshakeSession = new ProvSSLSessionResumed(sslSessionContext, peerHost, peerPort, securityParameters,
-                jsseSecurityParameters, resumedSession.getTlsSession(), resumedSession.getJsseSessionParameters());
+                jsseSecurityParameters, resumedSession);
         }
         else
         {
@@ -508,7 +514,17 @@ synchronized ProvSSLSession getSessionImpl()
     {
         getConnection();
 
-        return null == connection ? ProvSSLSession.NULL_SESSION : connection.getSession();
+        if (connection != null)
+        {
+            return connection.getSession();
+        }
+
+        if (dummySession == null)
+        {
+            dummySession = ProvSSLSession.createDummySession();
+        }
+
+        return dummySession;
     }
 
     synchronized void handshakeIfNecessary(boolean resumable) throws IOException
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java
@@ -68,6 +68,7 @@ private static Socket checkSocket(Socket s) throws SocketException
     protected TlsProtocol protocol = null;
     protected ProvTlsPeer protocolPeer = null;
     protected ProvSSLConnection connection = null;
+    protected ProvSSLSession dummySession = null;
     protected ProvSSLSessionHandshake handshakeSession = null;
 
     protected ProvSSLSocketWrap(ContextData contextData, Socket s, InputStream consumed, boolean autoClose)
@@ -188,7 +189,12 @@ public synchronized BCApplicationProtocolSelector<SSLSocket> getBCHandshakeAppli
         return sslParameters.getSocketAPSelector();
     }
 
-    public synchronized BCExtendedSSLSession getBCHandshakeSession()
+    public BCExtendedSSLSession getBCHandshakeSession()
+    {
+        return getBCHandshakeSessionImpl();
+    }
+
+    public synchronized ProvSSLSessionHandshake getBCHandshakeSessionImpl()
     {
         return handshakeSession;
     }
@@ -679,7 +685,7 @@ public synchronized void notifyHandshakeSession(ProvSSLSessionContext sslSession
         if (null != resumedSession)
         {
             this.handshakeSession = new ProvSSLSessionResumed(sslSessionContext, peerHost, peerPort, securityParameters,
-                jsseSecurityParameters, resumedSession.getTlsSession(), resumedSession.getJsseSessionParameters());
+                jsseSecurityParameters, resumedSession);
         }
         else
         {
@@ -697,7 +703,17 @@ synchronized ProvSSLSession getSessionImpl()
     {
         getConnection();
 
-        return null == connection ? ProvSSLSession.NULL_SESSION : connection.getSession();
+        if (connection != null)
+        {
+            return connection.getSession();
+        }
+
+        if (dummySession == null)
+        {
+            dummySession = ProvSSLSession.createDummySession();
+        }
+
+        return dummySession;
     }
 
     synchronized void handshakeIfNecessary(boolean resumable) throws IOException
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java
@@ -530,8 +530,8 @@ public synchronized void notifyHandshakeComplete() throws IOException
             // TODO[tls13] Resumption/PSK
             boolean addToCache = provClientEnableSessionResumption && !TlsUtils.isTLSv13(context);
 
-            this.sslSession = sslSessionContext.reportSession(peerHost, peerPort, connectionTlsSession,
-                jsseSessionParameters, addToCache);
+            this.sslSession = sslSessionContext.reportSession(manager.getBCHandshakeSessionImpl(), peerHost, peerPort,
+                connectionTlsSession, jsseSessionParameters, addToCache);
         }
 
         manager.notifyHandshakeComplete(new ProvSSLConnection(this));
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsManager.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsManager.java
@@ -18,10 +18,12 @@ interface ProvTlsManager
 
     BCX509Key chooseServerKey(String[] keyTypes, Principal[] issuers);
 
-    boolean getEnableSessionCreation();
+    ProvSSLSessionHandshake getBCHandshakeSessionImpl();
 
     ContextData getContextData();
 
+    boolean getEnableSessionCreation();
+
     String getPeerHost();
 
     String getPeerHostSNI();
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java
@@ -909,8 +909,8 @@ public synchronized void notifyHandshakeComplete() throws IOException
             // TODO[tls13] Resumption/PSK
             boolean addToCache = provServerEnableSessionResumption && !TlsUtils.isTLSv13(context);
 
-            this.sslSession = sslSessionContext.reportSession(peerHost, peerPort, connectionTlsSession,
-                jsseSessionParameters, addToCache);
+            this.sslSession = sslSessionContext.reportSession(manager.getBCHandshakeSessionImpl(), peerHost, peerPort,
+                connectionTlsSession, jsseSessionParameters, addToCache);
         }
 
         manager.notifyHandshakeComplete(new ProvSSLConnection(this));

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,7 @@ class ProvSSLEngine`
`57`	`57`	`protected TlsProtocol protocol = null;`
`58`	`58`	`protected ProvTlsPeer protocolPeer = null;`
`59`	`59`	`protected ProvSSLConnection connection = null;`
	`60`	`+ protected ProvSSLSession dummySession = null;`
`60`	`61`	`protected ProvSSLSessionHandshake handshakeSession = null;`
`61`	`62`
`62`	`63`	`protected SSLException deferredException = null;`
`@@ -225,7 +226,12 @@ public synchronized BCApplicationProtocolSelector<SSLEngine> getBCHandshakeAppli`
`225`	`226`	`return sslParameters.getEngineAPSelector();`
`226`	`227`	`}`
`227`	`228`
`228`		`- public synchronized BCExtendedSSLSession getBCHandshakeSession()`
	`229`	`+ public BCExtendedSSLSession getBCHandshakeSession()`
	`230`	`+ {`
	`231`	`+ return getBCHandshakeSessionImpl();`
	`232`	`+ }`
	`233`	`+`
	`234`	`+ public synchronized ProvSSLSessionHandshake getBCHandshakeSessionImpl()`
`229`	`235`	`{`
`230`	`236`	`return handshakeSession;`
`231`	`237`	`}`
`@@ -703,7 +709,7 @@ public synchronized void notifyHandshakeSession(ProvSSLSessionContext sslSession`
`703`	`709`	`if (null != resumedSession)`
`704`	`710`	`{`
`705`	`711`	`this.handshakeSession = new ProvSSLSessionResumed(sslSessionContext, peerHost, peerPort, securityParameters,`
`706`		`- jsseSecurityParameters, resumedSession.getTlsSession(), resumedSession.getJsseSessionParameters());`
	`712`	`+ jsseSecurityParameters, resumedSession);`
`707`	`713`	`}`
`708`	`714`	`else`
`709`	`715`	`{`
`@@ -717,9 +723,19 @@ public synchronized String selectApplicationProtocol(List<String> protocols)`
`717`	`723`	`return sslParameters.getEngineAPSelector().select(this, protocols);`
`718`	`724`	`}`
`719`	`725`
`720`		`- ProvSSLSession getSessionImpl()`
	`726`	`+ synchronized ProvSSLSession getSessionImpl()`
`721`	`727`	`{`
`722`		`- return null == connection ? ProvSSLSession.NULL_SESSION : connection.getSession();`
	`728`	`+ if (connection != null)`
	`729`	`+ {`
	`730`	`+ return connection.getSession();`
	`731`	`+ }`
	`732`	`+`
	`733`	`+ if (dummySession == null)`
	`734`	`+ {`
	`735`	`+ dummySession = ProvSSLSession.createDummySession();`
	`736`	`+ }`
	`737`	`+`
	`738`	`+ return dummySession;`
`723`	`739`	`}`
`724`	`740`
`725`	`741`	`private RecordPreview getRecordPreview(ByteBuffer src)`
Original file line number	Diff line number	Diff line change
`@@ -89,14 +89,15 @@ synchronized void removeSession(byte[] sessionID)`
`89`	`89`	`}`
`90`	`90`	`}`
`91`	`91`
`92`		`- synchronized ProvSSLSession reportSession(String peerHost, int peerPort, TlsSession tlsSession,`
`93`		`- JsseSessionParameters jsseSessionParameters, boolean addToCache)`
	`92`	`+ synchronized ProvSSLSession reportSession(ProvSSLSessionHandshake handshakeSession, String peerHost, int peerPort,`
	`93`	`+ TlsSession tlsSession, JsseSessionParameters jsseSessionParameters, boolean addToCache)`
`94`	`94`	`{`
`95`	`95`	`processQueue();`
`96`	`96`
`97`	`97`	`if (!addToCache)`
`98`	`98`	`{`
`99`		`- return new ProvSSLSession(this, peerHost, peerPort, tlsSession, jsseSessionParameters);`
	`99`	`+ return new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort, tlsSession,`
	`100`	`+ jsseSessionParameters);`
`100`	`101`	`}`
`101`	`102`
`102`	`103`	`SessionID sessionID = makeSessionID(tlsSession.getSessionID());`
`@@ -105,7 +106,8 @@ synchronized ProvSSLSession reportSession(String peerHost, int peerPort, TlsSess`
`105`	`106`	`ProvSSLSession session = sessionEntry == null ? null : sessionEntry.get();`
`106`	`107`	`if (null == session \|\| session.getTlsSession() != tlsSession)`
`107`	`108`	`{`
`108`		`- session = new ProvSSLSession(this, peerHost, peerPort, tlsSession, jsseSessionParameters);`
	`109`	`+ session = new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort, tlsSession,`
	`110`	`+ jsseSessionParameters);`
`109`	`111`
`110`	`112`	`if (null != sessionID)`
`111`	`113`	`{`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ class ProvSSLSocketDirect`
`51`	`51`	`protected TlsProtocol protocol = null;`
`52`	`52`	`protected ProvTlsPeer protocolPeer = null;`
`53`	`53`	`protected ProvSSLConnection connection = null;`
	`54`	`+ protected ProvSSLSession dummySession = null;`
`54`	`55`	`protected ProvSSLSessionHandshake handshakeSession = null;`
`55`	`56`
`56`	`57`	`/** This constructor is the one used (only) by ProvSSLServerSocket */`
`@@ -183,7 +184,12 @@ public synchronized BCApplicationProtocolSelector<SSLSocket> getBCHandshakeAppli`
`183`	`184`	`return sslParameters.getSocketAPSelector();`
`184`	`185`	`}`
`185`	`186`
`186`		`- public synchronized BCExtendedSSLSession getBCHandshakeSession()`
	`187`	`+ public BCExtendedSSLSession getBCHandshakeSession()`
	`188`	`+ {`
	`189`	`+ return getBCHandshakeSessionImpl();`
	`190`	`+ }`
	`191`	`+`
	`192`	`+ public synchronized ProvSSLSessionHandshake getBCHandshakeSessionImpl()`
`187`	`193`	`{`
`188`	`194`	`return handshakeSession;`
`189`	`195`	`}`
`@@ -490,7 +496,7 @@ public synchronized void notifyHandshakeSession(ProvSSLSessionContext sslSession`
`490`	`496`	`if (null != resumedSession)`
`491`	`497`	`{`
`492`	`498`	`this.handshakeSession = new ProvSSLSessionResumed(sslSessionContext, peerHost, peerPort, securityParameters,`
`493`		`- jsseSecurityParameters, resumedSession.getTlsSession(), resumedSession.getJsseSessionParameters());`
	`499`	`+ jsseSecurityParameters, resumedSession);`
`494`	`500`	`}`
`495`	`501`	`else`
`496`	`502`	`{`
`@@ -508,7 +514,17 @@ synchronized ProvSSLSession getSessionImpl()`
`508`	`514`	`{`
`509`	`515`	`getConnection();`
`510`	`516`
`511`		`- return null == connection ? ProvSSLSession.NULL_SESSION : connection.getSession();`
	`517`	`+ if (connection != null)`
	`518`	`+ {`
	`519`	`+ return connection.getSession();`
	`520`	`+ }`
	`521`	`+`
	`522`	`+ if (dummySession == null)`
	`523`	`+ {`
	`524`	`+ dummySession = ProvSSLSession.createDummySession();`
	`525`	`+ }`
	`526`	`+`
	`527`	`+ return dummySession;`
`512`	`528`	`}`
`513`	`529`
`514`	`530`	`synchronized void handshakeIfNecessary(boolean resumable) throws IOException`
Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,7 @@ private static Socket checkSocket(Socket s) throws SocketException`
`68`	`68`	`protected TlsProtocol protocol = null;`
`69`	`69`	`protected ProvTlsPeer protocolPeer = null;`
`70`	`70`	`protected ProvSSLConnection connection = null;`
	`71`	`+ protected ProvSSLSession dummySession = null;`
`71`	`72`	`protected ProvSSLSessionHandshake handshakeSession = null;`
`72`	`73`
`73`	`74`	`protected ProvSSLSocketWrap(ContextData contextData, Socket s, InputStream consumed, boolean autoClose)`
`@@ -188,7 +189,12 @@ public synchronized BCApplicationProtocolSelector<SSLSocket> getBCHandshakeAppli`
`188`	`189`	`return sslParameters.getSocketAPSelector();`
`189`	`190`	`}`
`190`	`191`
`191`		`- public synchronized BCExtendedSSLSession getBCHandshakeSession()`
	`192`	`+ public BCExtendedSSLSession getBCHandshakeSession()`
	`193`	`+ {`
	`194`	`+ return getBCHandshakeSessionImpl();`
	`195`	`+ }`
	`196`	`+`
	`197`	`+ public synchronized ProvSSLSessionHandshake getBCHandshakeSessionImpl()`
`192`	`198`	`{`
`193`	`199`	`return handshakeSession;`
`194`	`200`	`}`
`@@ -679,7 +685,7 @@ public synchronized void notifyHandshakeSession(ProvSSLSessionContext sslSession`
`679`	`685`	`if (null != resumedSession)`
`680`	`686`	`{`
`681`	`687`	`this.handshakeSession = new ProvSSLSessionResumed(sslSessionContext, peerHost, peerPort, securityParameters,`
`682`		`- jsseSecurityParameters, resumedSession.getTlsSession(), resumedSession.getJsseSessionParameters());`
	`688`	`+ jsseSecurityParameters, resumedSession);`
`683`	`689`	`}`
`684`	`690`	`else`
`685`	`691`	`{`
`@@ -697,7 +703,17 @@ synchronized ProvSSLSession getSessionImpl()`
`697`	`703`	`{`
`698`	`704`	`getConnection();`
`699`	`705`
`700`		`- return null == connection ? ProvSSLSession.NULL_SESSION : connection.getSession();`
	`706`	`+ if (connection != null)`
	`707`	`+ {`
	`708`	`+ return connection.getSession();`
	`709`	`+ }`
	`710`	`+`
	`711`	`+ if (dummySession == null)`
	`712`	`+ {`
	`713`	`+ dummySession = ProvSSLSession.createDummySession();`
	`714`	`+ }`
	`715`	`+`
	`716`	`+ return dummySession;`
`701`	`717`	`}`
`702`	`718`
`703`	`719`	`synchronized void handshakeIfNecessary(boolean resumable) throws IOException`
Original file line number	Diff line number	Diff line change
`@@ -530,8 +530,8 @@ public synchronized void notifyHandshakeComplete() throws IOException`
`530`	`530`	`// TODO[tls13] Resumption/PSK`
`531`	`531`	`boolean addToCache = provClientEnableSessionResumption && !TlsUtils.isTLSv13(context);`
`532`	`532`
`533`		`- this.sslSession = sslSessionContext.reportSession(peerHost, peerPort, connectionTlsSession,`
`534`		`- jsseSessionParameters, addToCache);`
	`533`	`+ this.sslSession = sslSessionContext.reportSession(manager.getBCHandshakeSessionImpl(), peerHost, peerPort,`
	`534`	`+ connectionTlsSession, jsseSessionParameters, addToCache);`
`535`	`535`	`}`
`536`	`536`
`537`	`537`	`manager.notifyHandshakeComplete(new ProvSSLConnection(this));`