IBM Support

IJ05598: ADDED TLS SESSION HASH AND EXTENDED MASTER SECRET EXTENSION SUPPORT

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • Support has been added for the TLS session hash and extended
    master secret extension (RFC 7627) in the IBMJSSEProvider2
    provider.
    

Problem conclusion

  • Note that, in general, a server certificate change is restricted
    if endpoint identification is not enabled and the previous
    handshake is a session-resumption abbreviated initial handshake,
    unless the identities represented by both certificates can be
    regarded as the same. However, if the extension is enabled or
    negotiated, the server certificate change restriction is not
    necessary and is discarded accordingly.
    .
    In case of compatibility issues, an application may disable
    negotiation of this extension by setting the System Property
    jdk.tls.useExtendedMasterSecret to false in the JDK.
    .
    By setting the System Property jdk.tls.allowLegacyResumption to
    false, an application can reject abbreviated handshaking when
    the session hash and extended master secret extension is not
    negotiated.
    .
    By setting the System Property jdk.tls.allowLegacyMasterSecret
    to false, an application can reject connections that do not
    support the session hash and extended master secret extension.
    .
    This APAR will be fixed in the following Java Releases:
       8    SR5 FP10  (8.0.5.10)
       7    SR10 FP20 (7.0.10.20)
       7 R1 SR4 FP20  (7.1.4.20)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
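
A startup audit of the three System Properties described above, as an added example that is not IBM's code or part of the original APAR. The class name EmsPolicyAudit and the example.ems.strict switch are hypothetical, and treating an unset property as true is an assumption drawn from the APAR wording.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: audits the three RFC 7627 system properties named in the APAR. */
public class EmsPolicyAudit {
    // Assumption: an unset property behaves as "true", since the APAR describes
    // every restriction as something an application gets by setting "false".
    static boolean flag(String name) {
        return Boolean.parseBoolean(System.getProperty(name, "true"));
    }

    /** Findings for this JVM; an empty list means the extension is mandatory. */
    static List<String> audit() {
        boolean useEms = flag("jdk.tls.useExtendedMasterSecret");
        boolean legacyResumption = flag("jdk.tls.allowLegacyResumption");
        boolean legacyMasterSecret = flag("jdk.tls.allowLegacyMasterSecret");
        List<String> findings = new ArrayList<String>();
        if (!useEms) {
            findings.add("useExtendedMasterSecret=false: extension is not negotiated, "
                + "so the server certificate change restriction still applies");
            if (!legacyResumption || !legacyMasterSecret) {
                // The APAR does not define this combination; flag it for testing.
                findings.add("conflict: extension disabled while legacy handshakes "
                    + "are set to be rejected");
            }
        }
        if (legacyMasterSecret) {
            findings.add("allowLegacyMasterSecret is not false: connections without "
                + "the extension are accepted");
        }
        if (legacyResumption) {
            findings.add("allowLegacyResumption is not false: abbreviated handshakes "
                + "without the extension are accepted");
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> findings = audit();
        for (String finding : findings) {
            System.out.println("WARN " + finding);
        }
        // example.ems.strict is a hypothetical switch for this example only,
        // not an IBM or JDK property: exit non-zero when any finding exists.
        if (!findings.isEmpty() && Boolean.getBoolean("example.ems.strict")) {
            System.exit(1);
        }
    }
}
```

Run it with the same -D options as the application, for example `java -Djdk.tls.allowLegacyResumption=false -Djdk.tls.allowLegacyMasterSecret=false EmsPolicyAudit`, so the findings reflect what the deployed JVM is configured with.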
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ05598

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-04-09

  • Closed date

    2018-04-17

  • Last modified date

    2018-04-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels



Document information

More support for: Runtimes for Java Technology
Security

Software version: 270

Reference #: IJ05598

Modified date: 17 April 2018