wolfSSL · cconlon · Mar 18, 2026 · Mar 2, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/native/com_wolfssl_WolfSSLSession.c b/native/com_wolfssl_WolfSSLSession.c
@@ -2761,11 +2761,11 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_sendHrrCookie
 JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLSession_getDtlsMacDropCount
   (JNIEnv* jenv, jobject jcl, jlong sslPtr)
 {
+    word32 dropCount = 0;
+
     (void)jenv;
     (void)jcl;
     (void)sslPtr;
-
-    word32 dropCount = 0;
 #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_DROP_STATS)
     int ret = 0;
     WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
@@ -2782,11 +2782,11 @@ JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLSession_getDtlsMacDropCount
 JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLSession_getDtlsReplayDropCount
   (JNIEnv* jenv, jobject jcl, jlong sslPtr)
 {
+    word32 dropCount = 0;
+
     (void)jenv;
     (void)jcl;
     (void)sslPtr;
-
-    word32 dropCount = 0;
 #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_DROP_STATS)
     int ret = 0;
     WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;

diff --git a/src/java/com/wolfssl/WolfSSLCertManager.java b/src/java/com/wolfssl/WolfSSLCertManager.java
@@ -179,7 +179,8 @@ public synchronized int CertManagerLoadCAKeyStore(KeyStore ks)
                     cert = (X509Certificate) ks.getCertificate(name);
                 }
 
-                if (cert != null && cert.getBasicConstraints() >= 0) {
+                if (cert != null && (cert.getBasicConstraints() >= 0 ||
+                        WolfSSL.trustPeerCertEnabled())) {
                     ret = CertManagerLoadCABuffer(cert.getEncoded(),
                             cert.getEncoded().length,
                             WolfSSL.SSL_FILETYPE_ASN1);

diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java b/src/java/com/wolfssl/provider/jsse/WolfSSLAuthStore.java
@@ -331,8 +331,9 @@ protected WolfSSLImplementSSLSession getSession(
             return null;
         }
 
-        /* Return new session if in server mode, or if host is null */
-        if (!clientMode || host == null) {
+        /* Unknown port (-1) is a valid SSLEngine host hint.
+         * Skip cache keying. */
+        if (!clientMode || host == null || port < 0) {
             return this.getSession(ssl, clientMode, host, port);
         }
 
@@ -693,9 +694,15 @@ protected int addSession(WolfSSLImplementSSLSession session) {
     }
 
     /**
-     * Internal function to return a list of all session ID's
+     * Internal function to return a list of valid session IDs.
+     *
+     * Expired sessions should already have been invalidated before this call
+     * via updateTimeouts(), but callers may also invalidate sessions for
+     * other reasons. Filter validity here so callers can avoid an extra
+     * per-ID lookup.
+     *
      * @param side server or client side to get list of ID's from
-     * @return enumerated session IDs
+     * @return enumerated valid session IDs
      */
     protected Enumeration<byte[]> getAllIDs(int side) {
         List<byte[]> ret = new ArrayList<>();
@@ -704,7 +711,7 @@ protected Enumeration<byte[]> getAllIDs(int side) {
             for (Object obj : store.values()) {
                 WolfSSLImplementSSLSession current =
                     (WolfSSLImplementSSLSession)obj;
-                if (current.getSide() == side) {
+                if (current.getSide() == side && current.isValid()) {
                     ret.add(current.getId());
                 }
             }
@@ -758,14 +765,24 @@ protected void updateTimeouts(int in, int side) {
                     diff = (now - current.creation.getTime()) / 1000;
 
                     if (diff < 0) {
-                    /* session is from the future ... */ //@TODO
+                    /* session is from the future ... */ /* TODO */
 
                     }
 
-                    if (in > 0 && diff > in) {
+                    if (in > 0 && diff >= in) {
+                        current.invalidate();
+                    }
+                    try {
+                        current.setNativeTimeout(in);
+                    } catch (IllegalStateException e) {
+                        /* Native WolfSSLSession has been freed,
+                         * invalidate this session entry */
+                        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            () -> "Native session freed while updating " +
+                                "timeout, invalidating cache entry: " +
+                                e.getMessage());
                         current.invalidate();
                     }
-                    current.setNativeTimeout(in);
                 }
             }
         }
@@ -803,4 +820,3 @@ protected synchronized void finalize() throws Throwable {
         super.finalize();
     }
 }
-
diff --git a/src/java/com/wolfssl/provider/jsse/WolfSSLContext.java b/src/java/com/wolfssl/provider/jsse/WolfSSLContext.java
@@ -488,7 +488,7 @@ protected SSLEngine engineCreateSSLEngine()
         try {
             return new WolfSSLEngine(this.ctx, this.authStore, this.params);
         } catch (WolfSSLException ex) {
-            throw new IllegalStateException("Unable to create engine");
+            throw new IllegalStateException("Unable to create engine", ex);
         }
     }
 
@@ -516,7 +516,7 @@ protected SSLEngine engineCreateSSLEngine(String host, int port)
             return new WolfSSLEngine(this.ctx, this.authStore, this.params,
                 host, port);
         } catch (WolfSSLException ex) {
-            throw new IllegalStateException("Unable to create engine");
+            throw new IllegalStateException("Unable to create engine", ex);
         }
     }