Fixes are available
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Solaris
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for HP-UX
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Linux
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Linux
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for Windows
6.1.0.7 WebSphere Application Server V6.1 Fix Pack 7 for AIX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for AIX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for i5/OS
6.1.0.7: WebSphere Application Server V6.1 Fix Pack 7 for i5/OS
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for HP-UX
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Windows
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
6.1.0.5: WebSphere Application Server V6.1.0 Fix Pack 5 for Solaris
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Solaris
APAR status
Closed as program error.
Error description
The first byte of an encrypted SSL packet is skipped and when the decryption attempt is started on byte #2, it fails with "Unsupported record version" error as seen in the following exception: javax.net.ssl.SSLException: javax.net.ssl.SSLException: Unsupported record version Unknown 79.151 at com.ibm.jsse2.bf.a(Unknown Source) at com.ibm.jsse2.bf.unwrap(Unknown Source) at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.decryptMessage (SSLReadServiceContext.java:1233) at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext.read(SSLReadSe rviceContext.java(Compiled Code))...............................
Local fix
N/A
Problem summary
**************************************************************** * USERS AFFECTED: WebSphere Application Server version 6 * * users of the SSL channel. * **************************************************************** * PROBLEM DESCRIPTION: While reading large amounts of data on * * the SSL connection, in this case a big * * HTTP response, the decryption will * * fail with an SSLException. * **************************************************************** * RECOMMENDATION: * **************************************************************** If the SSL connection has encrypted data available from a previous read, but these bytes are not enough to decrypt, and then a read is requested for the exact same number of bytes then the failure is seen. In the customer environment, this was seen when it had 1 byte of encrypted data and the HTTP channel started a read for 1 or more bytes of decrypted data. This resulted in the SSL channel doing a read of zero bytes and then the next request by the HTTP channel meant that the SSL channel skipped over that 1 byte encrypted data and started the next decryption request on byte number 2, thus getting the SSLException "Unsupported record version" error.
Problem conclusion
The key behavior is when the 0 byte read happens, then the SSLException will happen on the next decryption request. The SSL channel has been updated to never allow the 0 byte read along this path and always require at least 1 byte. This will mean that it always reads and tries to decrypt until successfull instead of the 0 byte read skipping out of the logic early. The fix for this APAR is currently targeted for inclusion in fixpacks 6.0.2.19 and 6.1.0.5. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PK32916
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
60S
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2006-10-13
Closed date
2006-10-18
Last modified date
2006-10-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
SSLCHAN
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R60A PSY
UP
R60H PSY
UP
R60I PSY
UP
R60P PSY
UP
R60S PSY
UP
R60W PSY
UP
R60Z PSY
UP
R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
Document Information
Modified date:
29 December 2021