Skip to main content

IV02633: SSLSESSIONS ARE NOT BEING RESUMED


Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Component: IBM JSSE2


Envt: 6.0 SR7

Description:

The Server using SSLEngine sends an encrypted close_notify
alert.  If the peer does not respond with its close_notify, then
a fatal alert of javax.net.ssl.SSLException: Inbound closed
before receiving peer's close_notify: possible truncation
attack? is sent.  This causes the SSLSession to be invalidated
and therefore the SSLSession cannot be resumed.

JVMs affected:

5.0, 6.0 and 6.26

Local fix

  • Level 3 to update

Problem summary

  • Description:  The Server using SSLEngine sends an encrypted
close_notify alert.  If the peer does not respond with its
close_notify, then a fatal alert of javax.net.ssl.SSLException:
Inbound closed before receiving peer's close_notify: possible
truncation attack? is sent.  This causes the SSLSession to be
invalidated and therefore the SSLSession cannot be resumed.


4488 WebContainer : 5, called closeInbound()
4489 [27.06.11 13:15:58:906 CEST] 0000006d SystemOut     O
WebContainer : 5, fatal error: 80: Inbound closed before
receiving peer's close_notify: possible truncation attack?
4490 javax.net.ssl.SSLException: Inbound closed before receiving
peer's close_notify: possible truncation attack?

Problem conclusion

  • Since RFC 2246 is vague regarding whether the initiator of the
close notify needs to wait for the peer to send its
close_notify, SSLEngine will ignore if it has not received a
close notify and will just close the inbound connection without
throwing an exception.  This will allow SSLSessions to be
resumed.

IBMJSSEProvider2.jar dated 20110628  -  5.0 SR13, 6.0 sr10
IBMJSSEProvider2.jar dated 20110629 - 5.0 sr13 and 6.26 sr1

Hursley Defect 182421
Austin Defect 112172

Temporary fix

  •  
    • 
  
 
  
Comments
 
  
     
   
  •  
    • 
  
 
  
APAR Information
 
  
 
   
     
    
  • APAR number
    IV02633
    •  
    
  • Reported component name
    JAVA SECURE SOC
    •  
    
  • Reported component ID
    TIVSECJSS
    •  
    
  • Reported release
    100
    •  
    
  • Status
    CLOSED PER
    •  
    
  • PE
    NoPE
    •  
    
  • HIPER
    NoHIPER
    •  
    
  • Special Attention
    NoSpecatt
    •  
    
  • Submitted date
    2011-06-28
    •  
    
  • Closed date
    2011-06-29
    •  
    
  • Last modified date
    2011-06-29
    •  
   
 
  
 
  
     
   
  • APAR is sysrouted FROM one or more of the following:
     
    •  
   
  • APAR is sysrouted TO one or more of the following:
     
    •  
  
 
  
Fix information
 
  
     
   
  • Fixed component name
    JAVA SECURE SOC
    •  
   
  • Fixed component ID
    TIVSECJSS
    •  
  
 
  
Applicable component levels
 
  
     
   
  • R100 PSY
       UP
    •  
  
 
 
 

 









Rate this page:



(0 users)Average rating 





















	
	
	
	
	









	



























Copyright and trademark information



	
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.































Rate this page:






(0 users)Average rating









Add comments














Document information





	
Tivoli Components - Java Security


	
JSSE


	




	
Software version:

	100

	





	
Reference #:

IV02633






Modified date:

2011-06-29








Translate my page














































 



Content navigation