Como detectar um fim do fluxo corretamente, quando a criptografia TLS PSK é usada?

eu prepareium caso de teste do cliente TLS PSK simples baseado emMockPSKTlsClient por Bouncy Castle.

Nomain método que eu chamo:

public static void main(String[] args) throws IOException {
    SecureRandom random      = new SecureRandom();
    TlsPSKIdentity identity  = new BasicTlsPSKIdentity("Client_identity", Hex.decode("1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A"));
    Socket socket            = new Socket(InetAddress.getLocalHost(), 12345);
    TlsClientProtocol proto  = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), random);
    MockPSKTlsClient client  = new MockPSKTlsClient(null, identity);

    OutputStream clearOs = proto.getOutputStream();
    InputStream clearIs = proto.getInputStream();
    clearOs.write("GET / HTTP/1.1\r\n\r\n".getBytes("UTF-8"));
    Streams.pipeAll(clearIs, System.out);   // why is thrown?

Como você pode ver, eu envio umGET / HTTP/1.1 string para o servidor openssl, que é iniciado como:

# openssl s_server \
        -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A \
        -psk_hint Client_identity\
        -cipher PSK-AES256-CBC-SHA \
        -debug -state -nocert -accept 12345 -tls1_2 -www

Depois disso eu ligoStreams.pipeAll () método, que é apenas:

public static void pipeAll(InputStream inStr, OutputStream outStr)
    throws IOException
    byte[] bs = new byte[BUFFER_SIZE];
    int numRead;
    while ((numRead =, 0, bs.length)) >= 0) // Why is EOFException thrown?
        outStr.write(bs, 0, numRead);

Isso copiaopenssl s_server responder à tela e também surpreendentemente lança umEOFException no fim:

TLS-PSK client negotiated TLS 1.2
Established session: 68e647e3276f345e82effdb7cc04649f6872d245ae01489c08ed109c5906dd16
HTTP/1.0 200 ok
Content-type: text/html

<HTML><BODY BGCOLOR="#ffffff">

s_server -psk 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A -psk_hint Client_identity -cipher PSK-AES256-CBC-SHA -debug -state -nocert -accept 12345 -tls1_2 -www 
Secure Renegotiation IS supported
Ciphers supported in s_server binary
Ciphers common between both SSL end points:
New, TLSv1/SSLv3, Cipher is PSK-AES256-CBC-SHA
    Protocol  : TLSv1.2
    Cipher    : PSK-AES256-CBC-SHA
    Session-ID: 68E647E3276F345E82EFFDB7CC04649F6872D245AE01489C08ED109C5906DD16
    Session-ID-ctx: 01000000
    Master-Key: B023F1053230C2938E1D3FD6D73FEB41DEC3FC1068A390FE6DCFD60A6ED666CA2AD0CD1DAD504A087BE322DD2C870C0C
    Key-Arg   : None
    PSK identity: Client_identity
    PSK identity hint: Client_identity
    SRP username: None
    Start Time: 1479312253
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
  13 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
  14 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
  13 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)
no client certificate available

TLS-PSK client raised alert: fatal(2), internal_error(80)
> Failed to read record
    at org.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(Unknown Source)
    at org.bouncycastle.crypto.tls.TlsProtocol.readApplicationData(Unknown Source)
    at Source)
    at de.afarber.tlspskclient2.Main.pipeAll(
    at de.afarber.tlspskclient2.Main.main(
Exception in thread "main" Internal TLS error, this could be an attack
    at org.bouncycastle.crypto.tls.TlsProtocol.failWithError(Unknown Source)
    at org.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(Unknown Source)
    at org.bouncycastle.crypto.tls.TlsProtocol.readApplicationData(Unknown Source)
    at Source)
    at de.afarber.tlspskclient2.Main.pipeAll(
    at de.afarber.tlspskclient2.Main.main(

Minha pergunta é: por que éEOFException jogado? deve retornar -1 no final do fluxo e não lançar uma exceção.

Como detectar um fim do fluxo corretamente, quando a criptografia TLS PSK é usada?

A longo prazo, gostaria de estender meu caso de teste a um programa que atue como proxy PSK TLS reverso na frente do Jetty incorporado - e preferiria não confiar em exceções para detectar que o cliente terminou de ler ou escrever.

