diff -r d50a7783fe02 -r 31afdc0e77af jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java
--- a/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java	Wed Jan 21 12:49:53 2015 +0100
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/Handshaker.java	Tue Aug 26 17:09:05 2014 -0700
@@ -95,8 +95,6 @@
     Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;
 
     /*
-
-    /*
      * List of active protocols
      *
      * Active protocols is a subset of enabled protocols, and will
@@ -114,10 +112,8 @@
     private CipherSuiteList    activeCipherSuites;
 
     // The server name indication and matchers
-    List<SNIServerName>         serverNames =
-                                    Collections.<SNIServerName>emptyList();
-    Collection<SNIMatcher>      sniMatchers =
-                                    Collections.<SNIMatcher>emptyList();
+    List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList();
+    Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList();
 
     private boolean             isClient;
     private boolean             needCertVerify;
@@ -139,12 +135,16 @@
     // current key exchange. Never null, initially K_NULL
     KeyExchange         keyExchange;
 
-    /* True if this session is being resumed (fast handshake) */
+    // True if this session is being resumed (fast handshake)
     boolean             resumingSession;
 
-    /* True if it's OK to start a new SSL session */
+    // True if it's OK to start a new SSL session
     boolean             enableNewSession;
 
+    // True if session keys have been calculated and the caller may receive
+    // and process a ChangeCipherSpec message
+    private boolean sessKeysCalculated;
+
     // Whether local cipher suites preference should be honored during
     // handshaking?
     //
@@ -253,6 +253,7 @@
         this.serverVerifyData = serverVerifyData;
         enableNewSession = true;
         invalidated = false;
+        sessKeysCalculated = false;
 
         setCipherSuite(CipherSuite.C_NULL);
         setEnabledProtocols(enabledProtocols);
@@ -1081,7 +1082,6 @@
         calculateConnectionKeys(master);
     }
 
-
     /*
      * Calculate the master secret from its various components.  This is
      * used for key exchange by all cipher suites.
@@ -1226,6 +1226,10 @@
             throw new ProviderException(e);
         }
 
+        // Mark a flag that allows outside entities (like SSLSocket/SSLEngine)
+        // determine if a ChangeCipherSpec message could be processed.
+        sessKeysCalculated = true;
+
         //
         // Dump the connection keys as they're generated.
         //
@@ -1280,6 +1284,15 @@
         }
     }
 
+    /**
+     * Return whether or not the Handshaker has derived session keys for
+     * this handshake.  This is used for determining readiness to process
+     * an incoming ChangeCipherSpec message.
+     */
+    boolean sessionKeysCalculated() {
+        return sessKeysCalculated;
+    }
+
     private static void printHex(HexDumpEncoder dump, byte[] bytes) {
         if (bytes == null) {
             System.out.println("(key bytes not available)");